How-to-set-up-multifactor-authentication

From BubbaWiki

How to set up multifactor authentication
Author: Eek

This tutorial explains how to set up high-security multifactor authentication using a series of single-use "passcodes".
Many of us like the Bubba for its power and versatility, so we also want to be able to connect to it from outside our home network. SSH/PuTTY gives us the opportunity to open up our entire home network from a remote location, which of course adds to the security risk. That is why I created this how-to: to show you a way to implement high-security multifactor authentication.
One tip: do not open port 22 in your router for SSH (as hackers are scanning for known port numbers), but choose a random port number.
Information about high-security multifactor authentication using a series of single-use "passcodes" can be found at: https://www.grc.com/ppp.htm
Or listen to the podcasts on the subject at http://www.grc.com/securitynow.htm
This how-to describes the installation of the PAM module by Thomas Fors (http://code.google.com/p/ppp-pam/).
Note: Installed and tested on Etch; Sarge should also work.

Packages
Install the packages from the Debian sources; see Howto install Debian packages [5].

apt-get install subversion make gcc g++ uuid-dev libpam0g-dev
apt-get install wget

Installation

$ cd /tmp
$ wget http://ppp-pam.googlecode.com/files/ppp-pam-0.2.tar.gz
$ tar -xvzf ppp-pam-0.2.tar.gz
$ cd ppp-pam/build
$ ../configure
$ make

Run the tests to confirm it built correctly.

make test

Install the pppauth utility and PAM module in the appropriate folders.

make install

Configuration
Enable PPP authentication for ssh connections.

vi /etc/pam.d/ssh

Enter the following line just below: @include common-auth

auth required pam_ppp.so

Make sure you have the following settings in sshd_config:

vi /etc/ssh/sshd_config

ChallengeResponseAuthentication yes
UsePAM yes
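
Before testing a login, both files can be checked against the settings described above. The script below is an added example, not part of the original how-to or of the ppp-pam project; the function names (sshd_value, pam_ppp_after_common_auth, check_ppp_config) are made up for illustration and the sample files at the end are constructed.

```shell
#!/bin/sh
# Added example: checks the PAM and sshd settings this how-to asks for.
# Limitation: sshd "Match" blocks and "Key=value" syntax are not handled.

# Print the value sshd would use for keyword $1 in file $2.
# Keywords are case-insensitive and the first occurrence wins.
sshd_value() {
    awk -v key="$1" '
        /^[ \t]*#/ { next }
        tolower($1) == tolower(key) { print $2; exit }
    ' "$2"
}

# Succeed only if the first "auth required pam_ppp.so" line comes after
# "@include common-auth", so the PPP module runs after the password check.
pam_ppp_after_common_auth() {
    awk '
        /^[ \t]*#/ { next }
        $1 == "@include" && $2 == "common-auth" { seen = 1 }
        $1 == "auth" && $2 == "required" && $3 == "pam_ppp.so" { ok = seen; exit }
        END { exit (ok ? 0 : 1) }
    ' "$1"
}

# Usage: check_ppp_config [pam_file] [sshd_config]  (defaults: the paths on this page)
check_ppp_config() {
    pam_file="${1:-/etc/pam.d/ssh}"
    sshd_file="${2:-/etc/ssh/sshd_config}"
    rc=0
    if ! pam_ppp_after_common_auth "$pam_file"; then
        echo "FAIL: $pam_file: no 'auth required pam_ppp.so' below '@include common-auth'"
        rc=1
    fi
    for key in ChallengeResponseAuthentication UsePAM; do
        val=$(sshd_value "$key" "$sshd_file")
        if [ "$val" != "yes" ]; then
            echo "FAIL: $sshd_file: $key is '${val:-unset}', expected 'yes'"
            rc=1
        fi
    done
    if [ "$rc" -eq 0 ]; then echo "OK: sshd is set up for PPP passcodes"; fi
    return "$rc"
}

# Constructed sample files (not from a real system) to show a passing run.
demo_dir=$(mktemp -d)
printf '@include common-auth\nauth required pam_ppp.so\n' > "$demo_dir/ssh"
printf 'ChallengeResponseAuthentication yes\nUsePAM yes\n' > "$demo_dir/sshd_config"
check_ppp_config "$demo_dir/ssh" "$demo_dir/sshd_config"
```

On the Bubba itself, call check_ppp_config with no arguments to check /etc/pam.d/ssh and /etc/ssh/sshd_config.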

Usage
Create a PPP sequence key for the user account you use to log in. This will probably not be root!

pppauth --key

Generate a passcard. Print or save it.

pppauth --text --next 1

Try logging in to test it.

ssh localhost

References
1. https://www.grc.com/ppp.htm
2. http://www.grc.com/ppp/software.htm
3. http://code.google.com/p/ppp-pam/
4. http://code.google.com/p/ppp-pam/wiki/Building
5. http://forum.excito.net/viewtopic.php?t=421