OpenSSH Debian Wheezy with Google Authenticator and Pubkey.

This set up requires OpenSSH 6.6 or greater

Add wheezy-backports

  • sudo su
  • echo 'deb http://ftp.debian.org/debian/ wheezy-backports main' > /etc/apt/sources.list.d/wheezy-packports.list
  • apt-get update

Install openssh and google authenticator for PAM

  • apt-get install openssh-server libpam-google-authenticator -y


Configure PAM
edit /etc/pam.d/sshd and add the following line before @include common-auth
auth sufficient pam_google_authenticator.so

Configure SSH
Edit /etc/ssh/sshd_config by changing the following values

  • ChallengeResponseAuthentication yes
  • PubkeyAuthentication yes

Add this line too:

  • AuthenticationMethods publickey,keyboard-interactive

Restart ssh

  • service ssh restart


Bypass google authenticator for trusted network or host, will still need public key or password
Add these lines at the end of /etc/ssh/sshd_config (keep indentation)

  • Match Address IP_ADDRESS/CIDR
  •     AuthenticationMethods publickey

Restart ssh

  • service ssh restart

For greater security, also require the user's password to log in - modify:


  • edit /etc/pam.d/sshd and add the following line before @include common-auth
  • auth required pam_google_authenticator.so






Comments

Post a Comment

Popular posts from this blog

Smith & Wesson Unveils AI-Powered Security Turret System, Will Donate To Select Faith Based Schools

Image
The historic firearms company has voiced its concern over the rising epidemic of school shootings plaguing the nation. "Enough thoughts and prayers, it's time to take action," said P. James Debney, CEO of the American gun manufacturer. "Since the assault rifle ban expired, we've reaped considerable profits. Now we're exploring artificial intelligence and image recognition to apply cutting-edge technology to an issue previously limited to sci-fi and video games." In a rare move, the company has openly discussed the technology they've developed and is considering licensing it to other gun makers. "We believe it's our patriotic duty to make this system available wherever it's needed. We envision turrets mounted in libraries, universities, churches, supermarkets, and movie theaters," added Mr. Debney. The WOJC-AR15 (Wrath of Jesus Christ) system, dubbed "WOKE AR15," works by detecting individuals who appear suspicious and are ...
Read more

DD-WRT v24 RC-6 Command Line Config

Recently I made a bonehead mistake and turned off the web gui for my DD-WRT. Luckily I was able to ssh into it, but that was rather useless since there's no clear command line setup interface for it. I could start httpd by typing: httpd start and I could then get into the gui but that does not allow you to modify any settings, if you try the /appli.cgi just takes you to a blank page and you don't see anything happen. If you reboot the router the web gui goes away. After scouring the net I found no obvious answer and basically just gave up. Knowing that developers are often a little slow about telling people how their stuff works (often because they don't know themselves) I approached my search from the startup scripts perspective and found my answer at the dd-wrt site here: Startup Scripts: NVRAM Method . So I ssh to my router and after a little spelunking with the nvram command I found the answer and et-voila! I have my router with a properly working web gui. Here's ...
Read more