{"id":253,"date":"2024-09-20T16:14:34","date_gmt":"2024-09-20T14:14:34","guid":{"rendered":"https:\/\/tillnet.se\/?p=253"},"modified":"2024-09-20T16:14:34","modified_gmt":"2024-09-20T14:14:34","slug":"otp-challenge-ssh-thinlinc-on-ubuntu-22-04","status":"publish","type":"post","link":"https:\/\/www.tillnet.se\/index.php\/2024\/09\/20\/otp-challenge-ssh-thinlinc-on-ubuntu-22-04\/","title":{"rendered":"OTP challenge SSH\/ThinLinc on Ubuntu 22.04"},"content":{"rendered":"\n

Short tutorial how to enable 2FA\/OTP (ex. Google Authenticator) when logging in via SSH or in my case mainly ThinLinc Terminal Sessions.<\/p>\n\n\n\n

If you haven’t set up NTP or some other time sync now is the “time”, since OTP is dependent on correct clocks.<\/p>\n\n\n\n

    <\/ol>\n\n\n\n

    1. Install google-authenticator<\/h3>\n\n\n\n
    sudo apt install libpam-google-authenticator<\/code><\/pre>\n\n\n\n
    2. Configure sshd<\/h3>\n\n\n\n
    Edit file \/etc\/ssh\/sshd_config<\/code><\/p>\n\n\n\n
    ...\n# Change to yes to enable challenge-response passwords (beware issues with\n# some PAM modules and threads)\nKbdInteractiveAuthentication yes<\/strong>\n...<\/code><\/pre>\n\n\n\n
    3. Configure PAM<\/h3>\n\n\n\n
    Edit the file \/etc\/pam.d\/common-auth<\/code> and add these two lines at the bottom.<\/p>\n\n\n\n
    auth required pam_google_authenticator.so secret=\/home\/${USER}\/.ssh\/.google_authenticator nullok\nauth required pam_permit.so<\/code><\/pre>\n\n\n\n
    4. Enable OTP for user<\/h3>\n\n\n\n
    Every user needs to run google-authenticator by them self in order to set it up correctly.
    First copy the program to users home dir and run it.<\/p>\n\n\n\n
    google-authenticator -s $HOME\/.ssh\/.google_authenticator<\/code><\/pre>\n\n\n\n
    Then the user needs their mobile device ready with Google Authenticator or equivalent installed. Output with questions and answers:<\/p>\n\n\n\n
    Do you want authentication tokens to be time-based (y\/n) y\n\n ...\n Enter code from app (-1 to skip): <ENTER CODE FROM APP>\n Code confirmed\n Your emergency scratch codes are:\n ...\n\n Do you want me to update your \"\/home\/<USERNAME>\/.ssh\/.google_authenticator\" file (y\/n) y\n\n Do you want to disallow multiple uses of the same authentication\n token? This restricts you to one login about every 30s, but it increases\n your chances to notice or even prevent man-in-the-middle attacks (y\/n) n\n\n By default, a new token is generated every 30 seconds by the mobile app.\n In order to compensate for possible time-skew between the client and the server,\n we allow an extra token before and after the current time. This allows for a\n time skew of up to 30 seconds between authentication server and client. If you\n experience problems with poor time synchronization, you can increase the window\n from its default size of 3 permitted codes (one previous code, the current\n code, the next code) to 17 permitted codes (the 8 previous codes, the current\n code, and the 8 next codes). This will permit for a time skew of up to 4 minutes\n between client and server.\n Do you want to do so? (y\/n) y\n\n If the computer that you are logging into isn't hardened against brute-force\n login attempts, you can enable rate-limiting for the authentication module.\n By default, this limits attackers to no more than 3 login attempts every 30s.\n Do you want to enable rate-limiting? (y\/n) y<\/code><\/pre>\n\n\n\n
    5. Restart the ssh server daemon<\/strong><\/h3>\n\n\n\n
    sudo systemctl restart sshd<\/code><\/pre>\n\n\n\n
    <\/h2>\n\n\n\n
    Done. Know when logging in you will be asked for your username, password and also OTP code. This applies to SSH connections and therefore also ThinLinc sessions.<\/p>\n","protected":false},"excerpt":{"rendered":"
    Short tutorial how to enable 2FA\/OTP (ex. Google Authenticator) when logging in via SSH or in my case mainly ThinLinc Terminal Sessions. If you haven’t …<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[6],"tags":[],"class_list":["post-253","post","type-post","status-publish","format-standard","hentry","category-it"],"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/www.tillnet.se\/index.php\/wp-json\/wp\/v2\/posts\/253","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.tillnet.se\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.tillnet.se\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.tillnet.se\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.tillnet.se\/index.php\/wp-json\/wp\/v2\/comments?post=253"}],"version-history":[{"count":1,"href":"https:\/\/www.tillnet.se\/index.php\/wp-json\/wp\/v2\/posts\/253\/revisions"}],"predecessor-version":[{"id":254,"href":"https:\/\/www.tillnet.se\/index.php\/wp-json\/wp\/v2\/posts\/253\/revisions\/254"}],"wp:attachment":[{"href":"https:\/\/www.tillnet.se\/index.php\/wp-json\/wp\/v2\/media?parent=253"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.tillnet.se\/index.php\/wp-json\/wp\/v2\/categories?post=253"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.tillnet.se\/index.php\/wp-json\/wp\/v2\/tags?post=253"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}