Ronny Lam


Protect SSH With Two-Factor Authentication

I finally took some time to secure my internet-facing systems a bit more, which are currently all Raspberry Pis, by the way. Since I have been working with the Google Authenticator app on iOS for a while now, it was a logical decision to also apply that to my “servers”. I was delighted to see that the first hit when searching for “ssh 2 factor” was indeed the Google PAM module.

Configuring the systems was a breeze, with the result that my internet-facing systems are now protected by something I know (my password) and something I have (my phone).

I would like to encourage everyone to enable such a system whenever possible. Currently, lots of systems like Google, Dropbox, Twitter, Amazon AWS and others have implemented two-factor authentication. It is still up to the user to use it.

One warning, though. With the above-mentioned systems it is impossible to reuse the shared secret (file). With the Linux-PAM setup you can, but I really advise against it. If scalability is becoming an issue, you might consider TOTP-cgi, which shares secrets AND the state of the secret across systems, so that a hacker cannot reuse a key more than once.
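
The warning above comes down to replay state: a TOTP code stays valid for its whole time step, so a verifier has to remember which step it last accepted. The Python below is an added example, not code from the Google PAM module or TOTP-cgi; the `Host` class, the `state` dictionary and the sample times are hypothetical and only illustrate the difference between copying the secret file and sharing its state.

```python
import hashlib
import hmac
import struct

STEP = 30  # seconds per TOTP time step (RFC 6238 default)

def totp(secret: bytes, t: int, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1) for Unix time t."""
    mac = hmac.new(secret, struct.pack(">Q", t // STEP), hashlib.sha1).digest()
    off = mac[-1] & 0x0F  # dynamic truncation offset (RFC 4226)
    code = struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

class Host:
    """Hypothetical verifier: a secret plus the last time step it accepted."""

    def __init__(self, secret: bytes, state: dict):
        self.secret = secret
        self.state = state  # {"last_step": int}; may be shared between hosts

    def verify(self, code: str, now: int, window: int = 1) -> bool:
        current = now // STEP
        for step in range(current - window, current + window + 1):
            if step <= self.state.get("last_step", -1):
                continue  # this step or a later one was already consumed
            if hmac.compare_digest(totp(self.secret, step * STEP), code):
                self.state["last_step"] = step  # burn the code
                return True
        return False

def demo():
    secret = b"12345678901234567890"  # RFC 6238 test key, not a real secret
    code = totp(secret, 35)           # constructed sample time, step 1
    # Secret file copied to two hosts, each with private state.
    a, b = Host(secret, {}), Host(secret, {})
    copied = (a.verify(code, 35), a.verify(code, 50), b.verify(code, 50))
    # Same secret, but both hosts consult one shared state store.
    shared = {}
    c, d = Host(secret, shared), Host(secret, shared)
    synced = (c.verify(code, 35), c.verify(code, 50), d.verify(code, 50))
    return copied, synced

if __name__ == "__main__":
    print(demo())
```

With private state the second host still accepts a code the first host already consumed; with shared state the same code is rejected on every host after its first use.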