Today I decided to play around with the Google two factor authentication method on one of my Linux VMs hosted in Azure.
What this means?
Well, my idea was to have a VM that I ususaly login with my SSH key automatically, to prompt me for a code that changes every 30 seconds.
Google Authenticator offers just that.
So, what do we need?
So, just to be sure I won’t lock myself out from a production VM, I started by creating a new VM in Azure, using the beautiful and simple Az Cli 2.0
You can obtain the same result by just “pointing & clicking” in the Azure portal following this tutorial: https://docs.microsoft.com/en-us/azure/virtual-machines/linux/quick-create-portal
The commands in Az Cli to create my VM was:
# creating the resource group 1st $ az group create --name myResourceGroup --location westeurope # creating the VM $ az vm create --resource-group myResourceGroup --location westeurope --name testVM --image UbuntuLTS --admin-username testuser --generate-ssh-keys
The result will look like (I obfuscated some confidential details, but the essential is there):
I used a Ubuntu 16.04 but this should work on most Debian based distribution, with small changes. I’ll update the instructions, in time, for other distributions too.
Now, as soon the VM is up & running, you should be able to connect from the same box you ran the AZ Cli commands:
$ ssh testuser@testVM_IpAddressHere
Remember, we created our VM with the testuser and the option to connect via SSH-key that we generated during VM creation.
The SSH key is now saved on the Linux Box we ran the AZ Cli script from, under our user /home/user/.ssh/id_rsa (the private key) and /home/user/.ssh/id_rsa.pub (the public key). If you plan to use other boxes to connect to this VM, make sure you have a copy of the keys on the box you need.
Now, from the account that needs to authenticate (e.g. testuser):
# Install the google authenticator testuser@testVM:~$ sudo apt-get install libpam-google-authenticator Reading package lists... Done Building dependency tree Reading state information... Done libpam-google-authenticator is already the newest version (20130529-2). 0 upgraded, 0 newly installed, 0 to remove and 12 not upgraded. #modify /etc/pam.d/sshd and comment out "@include common-auth" and add on the next line "auth required pam_google_authenticator.so" testuser@testVM:~$ vi /etc/pam.d/sshd # Modify /etc/ssh/sshd_config and change ChallengeResponseAuthentication to yes, PasswordAuthentication to no and add, at the end of the file, AuthenticationMethods publickey,keyboard-interactive testuser@testVM:~$ vi /etc/ssh/sshd_config testuser@testVM:~$ grep 'common-auth\|google' /etc/pam.d/sshd #@include common-auth auth required pam_google_authenticator.so testuser@testVM:~$ grep 'Challenge\|Password\|AuthenticationMethods' /etc/ssh/sshd_config ChallengeResponseAuthentication yes PasswordAuthentication no AuthenticationMethods publickey,keyboard-interactive testuser@testVM:~$ google-authenticator Do you want authentication tokens to be time-based (y/n) y https://www.google.com/chart?chs=200x200&chld=M|0&cht=qr&chl=otpauth://totp/testuser@testVM%3Fsecret%3ABCO4WERTP3TZ34L Your new secret key is: ABCO4WERTP3TZ34L Your verification code is 423457 Your emergency scratch codes are: 12345675 22345674 32345673 42345672 52345671 Do you want me to update your "/home/testuser/.google_authenticator" file (y/n) y Do you want to disallow multiple uses of the same authentication token? This restricts you to one login about every 30s, but it increases your chances to notice or even prevent man-in-the-middle attacks (y/n) y By default, tokens are good for 30 seconds and in order to compensate for possible time-skew between the client and the server, we allow an extra token before and after the current time. If you experience problems with poor time synchronization, you can increase the window from its default size of 1:30min to about 4min. Do you want to do so (y/n) y If the computer that you are logging into isn't hardened against brute-force login attempts, you can enable rate-limiting for the authentication module. By default, this limits attackers to no more than 3 login attempts every 30s. Do you want to enable rate-limiting (y/n) y testuser@testVM:~$ sudo service ssh restart
Now, on your Android phone go to the Google Play and look for Google Authenticator and install it.
Open it on your phone and create a new account (e.g. testVM) and add the code generated above (e.g. ABCO4WERTP3TZ34L). This will generate you a new code every 30 seconds.
Connect from a new console to the testVM:
marin@Azure:~$ ssh testuser@testVM_IPAddressHere Authenticated with partial success. # Type the code generated on your phone by Google Authenticator Verification code: Welcome to Ubuntu 16.04.3 LTS (GNU/Linux 4.11.0-1016-azure x86_64) * Documentation: https://help.ubuntu.com * Management: https://landscape.canonical.com * Support: https://ubuntu.com/advantage Get cloud support with Ubuntu Advantage Cloud Guest: http://www.ubuntu.com/business/services/cloud 12 packages can be updated. 5 updates are security updates. Last login: Fri Dec 22 14:49:50 2017 from 192.*.*.* testuser@testVM:~$
Everything looks fine 🙂
I’m not responsible in any way if you lock yourself out from your VM by following this tutorial. Everything you do based on this tutorial is solely your responsibility!
However, if it happens, in Azure you can follow this tutorial to reset the SSH access to your VM.