From BubbaWiki
Revision as of 12:14, 7 October 2010 by Asad (talk | contribs)
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to navigation Jump to search

How to set up multifactor authentication
Author: Eek

This tutorial is about setting up high security multifactor authentication using a series of single-use "passcodes".
As many of us like the bubba for it's power and versatility, we also want to be able to connect to it from outside our home-network. SSH/Putty gives us the opportunity to open up our entire home-network from a remote location. This of course adds to the security risk. Which is why I created this how to, to let you all know of a way to implement a High security multifactor authentication.
One tip: do not open port 22 in your router for ssh (as hackers are scanning for known port numbers), but choose a random port number.
The information about the High security multifactor authentication using a series of single-use "passcodes" can be found at:
Or listen to the podcasts on the subject at
This how to describes installation of the PAM module by Thomas Fors (
Note: Installed and tested on Etch, Sarge should also work.

Install the packages, using the Debian sources, see Howto install Debian packages [5].

apt-get install subversion make gcc g++ uuid-dev libpam0g-dev
apt-get install wget


$ cd /tmp
$ wget
$ tar -xvzf ppp-pam-0.2.tar.gz
$ cd ppp-pam/build
$ ../configure
$ make

Test to confirm it builds correctly

make test

Install the pppauth utility and PAM module in the appropriate folders.

make install

Enable PPP authentication for ssh connections.

vi /etc/pam.d/ssh

Enter the following line just below: @include common-auth

auth required

Make sure you have the following settings in sshd_config

vi /etc/ssh/sshd_config

ChallengeResponseAuthentication yes
UsePAM yes

Create a PPP sequence key for your user account you use to login. This will probably not be root!

pppauth --key

Generate a passcard. Print or save it

pppauth --text --next 1

Try logging in to test it.

ssh localhost