Google Authenticator for PAM
Google Authenticator is pretty cool; it's like having one of those RSA SecurID tokens for two-factor auth.
I stumbled across this page, which describes integrating it with PAM for SSH; the backend code is freely available. http://guides.webbynode.com/articles/security/ubuntu-google-authenticator.html
It's not packaged or anything, but it's trivial to compile and put in the right place on a standard Linux system. Their guide is very good, and inexperienced sysadmins can probably stumble through it without any specific knowledge.
Experience
There's a couple of tiny things I'd change. Also worthy of note is that I haven't got it to work properly yet. >_>
But I can tell it's really close!
Symptoms:
- When I first tried, it kept insisting that I wasn't providing a verification code (/var/log/auth.log)
- I messed around some more, kept recompiling, and eventually stopped even getting error messages -_-
- Gave up at this point, need to revisit
Changes
Things I'd do differently.
- Install it manually (I'm on Debian Squeeze x64)
  - make all instead of make install
  - Use install instead of tar and... wtf is this!?
      install -m 755 -g root google-authenticator /usr/local/bin/google-authenticator
      install -m 644 pam_google_authenticator_testing.so /lib/security/pam_google_authenticator.so
- Integration with PAM
  - Put it in /etc/pam.d/sshd instead of /etc/pam.d/common-auth (can FTP deal with this? will it just skip the challenge-response thing? I dunno)
  - You could, if you want, use this instead of a password (instead of in addition to a password). You do this by making the module sufficient instead of a requirement along with the password (pam_unix)
      auth sufficient pam_google_authenticator.so echo-verification-code
The per-user config thing works just fine.
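
The difference between making the module required and making it sufficient, as an added example that is not part of the original post or of the Google Authenticator code: a simplified model of how PAM evaluates an auth stack, reporting which combinations of verification code and password result in a login. The sample stacks are constructed, pam_unix.so is written out as a stand-in for Debian's @include common-auth, and only the required, requisite and sufficient control flags are modelled.

```python
from itertools import product

GA, UNIX = "pam_google_authenticator.so", "pam_unix.so"

# Constructed /etc/pam.d/sshd fragments. pam_unix.so is written out as a
# stand-in for Debian's "@include common-auth" (an assumption).
ADDITIONAL = f"auth required {UNIX}\nauth required {GA}\n"
SUFFICIENT_PLUS_UNIX = f"auth sufficient {GA} echo-verification-code\nauth required {UNIX}\n"
CODE_ONLY = f"auth sufficient {GA} echo-verification-code\n"

def parse_auth(config):
    """Return [(control, module)] for the auth lines of a PAM config."""
    stack = []
    for line in config.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 3 and fields[0] == "auth":
            stack.append((fields[1], fields[2]))
    return stack

def authenticate(stack, results):
    """Evaluate the stack with the classic control flags from pam.conf(5)."""
    failed = passed = False
    for control, module in stack:
        ok = results[module]
        if control == "sufficient":
            if ok and not failed:
                return True      # success ends the stack; later modules never run
            continue             # a failed 'sufficient' module is ignored
        if control not in ("required", "requisite"):
            raise ValueError(f"control flag not modelled: {control}")
        if control == "requisite" and not ok:
            return False         # requisite failure aborts immediately
        passed, failed = passed or ok, failed or not ok
    return passed and not failed

def policy(config):
    """Name the effective login rule by trying all four factor outcomes."""
    stack = parse_auth(config)
    table = tuple(authenticate(stack, {GA: code, UNIX: pw})
                  for code, pw in product((False, True), repeat=2))
    names = {(False, False, False, True): "code AND password",
             (False, True, True, True): "code OR password",
             (False, False, True, True): "code only",
             (False, True, False, True): "password only"}
    return names.get(table, "other")

if __name__ == "__main__":
    for cfg in (ADDITIONAL, SUFFICIENT_PLUS_UNIX, CODE_ONLY):
        print(policy(cfg), "<-", cfg.splitlines())
```

With the sufficient line placed ahead of a password module that stays in the stack, either factor alone is enough to log in. The code replaces the password only when pam_unix is not consulted afterwards.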