Add wheezy-backports
- sudo su
- echo 'deb http://ftp.debian.org/debian/ wheezy-backports main' > /etc/apt/sources.list.d/wheezy-packports.list
- apt-get update
Install openssh and google authenticator for PAM
- apt-get install openssh-server libpam-google-authenticator -y
Configure PAM
edit /etc/pam.d/sshd and add the following line before @include common-auth
auth sufficient pam_google_authenticator.so
Configure SSH
Edit /etc/ssh/sshd_config by changing the following values
- ChallengeResponseAuthentication yes
- PubkeyAuthentication yes
Add this line too:
- AuthenticationMethods publickey,keyboard-interactive
Restart ssh
- service ssh restart
Bypass google authenticator for trusted network or host, will still need public key or password
Add these lines at the end of /etc/ssh/sshd_config (keep indentation)
- Match Address IP_ADDRESS/CIDR
- AuthenticationMethods publickey
Restart ssh
- service ssh restart
For greater security, also require the user's password to log in - modify:
- edit /etc/pam.d/sshd and add the following line before @include common-auth
- auth required pam_google_authenticator.so
No comments:
Post a Comment
Note: Only a member of this blog may post a comment.