Problem
At home, instead of a typical router, I have a PandaBoard with Debian installed. This very flexible solution allows running a fully customized firewall (iptables) and a web proxy (squid) with parental control and blacklists (dansguardian). This box is the front device of my internal network and allows SSH access. I was rather uncomfortable reading logwatch reports about continuous break-in attempts against root and other accounts. While it is quite impossible to guess my password, I rarely change it, so it could somehow be hijacked. So I added a few obstacles in front of SSH while keeping it relatively simple to use.

The first option is to limit access to the SSH service itself by means of PAM. First I edited /etc/pam.d/sshd and uncommented the third line in the excerpt below:
```
[...]
# Uncomment and edit /etc/security/access.conf if you need to set complex
# access limits that are hard to express in sshd_config.
account required pam_access.so
```

Then I adjusted /etc/security/access.conf:
```
[...]
+ : root : 10.1. 89.174.214.
+ : root : kedra.org .kedra.org
# User "root" should be denied to get access from all other sources.
- : root : ALL
# jurek accesses from all sources
+ : jurek : ALL
```

The above looks good enough to limit unauthorized access for root: the local network and the known remote locations are granted SSH access as root, and connecting as root from any other location is impossible.
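To see how pam_access evaluates these rules (first matching line wins, and a request matched by no line at all is allowed), here is an added example that is not part of the original post; it re-implements the matching for the pattern forms used in this access.conf and in the access-local.conf further down, with a simplified LOCAL keyword, and the hosts it is checked against are constructed sample values.

```python
import ipaddress

# Rules copied from the post's /etc/security/access.conf (comments dropped).
ACCESS_CONF = """
+ : root : 10.1. 89.174.214.
+ : root : kedra.org .kedra.org
- : root : ALL
+ : jurek : ALL
"""

def parse_rules(text):
    """Parse 'perm : users : origins' lines; '#' comments and blanks are skipped."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        perm, users, origins = (f.strip() for f in line.split(":", 2))
        rules.append((perm == "+", users.split(), origins.split()))
    return rules

def origin_matches(pattern, host, is_local=False):
    """Mimic the origin patterns used in the post (LOCAL is simplified to a flag)."""
    if pattern == "ALL":
        return True
    if pattern == "LOCAL":
        return is_local
    if "/" in pattern:                       # CIDR, e.g. 10.1.0.0/24
        try:
            return ipaddress.ip_address(host) in ipaddress.ip_network(pattern, strict=False)
        except ValueError:
            return False
    if pattern.endswith("."):                # address prefix, e.g. 10.1.
        return host.startswith(pattern)
    if pattern.startswith("."):              # domain suffix, e.g. .kedra.org
        return host.endswith(pattern)
    return host == pattern                   # exact host name or address

def access_allowed(rules, user, host, is_local=False):
    """First matching rule decides; with no match pam_access grants access."""
    for allow, users, origins in rules:
        user_ok = "ALL" in users or user in users
        if user_ok and any(origin_matches(p, host, is_local) for p in origins):
            return allow
    return True
```

Note the last return: without the "- : root : ALL" line, root would be allowed from everywhere, because an unmatched request is granted by default. Host-name patterns such as .kedra.org also depend on the reverse DNS of the connecting address being correct.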
One-Time Passwords
Google Authenticator is a one-time password generator which I use to protect my Gmail and AWS accounts. It gives me a sense of security: without my phone, which generates the one-time password, it is very hard to gain access to the account. Naturally the one-time password is an additional level of access, so I have to provide the classic password plus the Google Authenticator one.

The first step is to install libpam-google-authenticator (apt-get install), then create an access file that allows skipping pam_google_authenticator when connecting from the local network (/etc/security/access-local.conf) with the following content:
```
# only allow from local IP range
+ : ALL : 10.1.0.0/24
+ : ALL : LOCAL
- : ALL : ALL
```
then adjust /etc/pam.d/sshd:
```
[...]
# Uncomment and edit /etc/security/access.conf if you need to set complex
# access limits that are hard to express in sshd_config.
account required pam_access.so

# skip one-time password if logging in from the local network
auth [success=1 default=ignore] pam_access.so accessfile=/etc/security/access-local.conf
auth required pam_google_authenticator.so

# Standard Un*x authorization.
@include common-account

# Standard Un*x session setup and teardown.
@include common-session
[...]
```
The last change is to allow for one time passwords authentication in /etc/ssh/sshd_config:
```
# Change to yes to enable challenge-response passwords (beware issues with
# some PAM modules and threads)
ChallengeResponseAuthentication yes
```
Restart the SSH daemon (/etc/init.d/ssh restart) and generate the key with the google-authenticator command. The command is verbose and intuitive. On my Android phone I use "Google Authenticator"; it supports QR code scanning, otherwise I have to retype the key just generated by the google-authenticator command. The google-authenticator command creates ~/.google_authenticator, an owner-only-readable file which stores the key. That should be it. It works. Well, not really.
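What pam_google_authenticator checks against the key stored in ~/.google_authenticator is a standard TOTP code (HMAC-SHA1, 30-second step, 6 digits). The following is an added example, not code from the post or from the module: it parses a constructed file in the layout google-authenticator writes (the secret here is the RFC 6238 test key, not a real one) and verifies a code within the configured window, so you can check a setup offline.

```python
import base64
import hashlib
import hmac
import struct

# Constructed sample in the layout google-authenticator writes: the base32
# secret on the first line, option lines starting with '" ', then emergency
# scratch codes. The secret is the RFC 6238 test key, not a real one.
SAMPLE_FILE = """GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ
" RATE_LIMIT 3 30
" WINDOW_SIZE 3
" DISALLOW_REUSE
" TOTP_AUTH
12345678
"""

def parse_secret_file(text):
    """Return (raw key bytes, WINDOW_SIZE, scratch codes) from the file contents."""
    lines = text.splitlines()
    key = base64.b32decode(lines[0].strip())
    window, scratch = 3, []
    for line in lines[1:]:
        if line.startswith('" WINDOW_SIZE'):
            window = int(line.split()[2])
        elif line.strip().isdigit():
            scratch.append(line.strip())
    return key, window, scratch

def hotp(key, counter, digits=6):
    """RFC 4226: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return "%0*d" % (digits, code % (10 ** digits))

def totp(key, now, step=30):
    """RFC 6238 with the 30-second step pam_google_authenticator uses."""
    return hotp(key, int(now) // step)

def verify_code(key, code, now, window=3):
    """WINDOW_SIZE counts accepted steps in total: the default 3 means the
    current step plus one step on either side, to absorb clock drift."""
    half = (window - 1) // 2
    current = int(now) // 30
    return any(hmac.compare_digest(hotp(key, c), code)
               for c in range(current - half, current + half + 1))
```

The real module additionally consumes scratch codes and enforces RATE_LIMIT and DISALLOW_REUSE, which this example leaves out.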
Configuration Extension
Google Authenticator set up as above is a global configuration for all users. It means each user has to create their own .google_authenticator file (it can't be a system-shared file unless you want it world readable) or the user won't be able to log in. This is not really what I want here. I'd like a situation where the user (actually only me) can decide for himself whether or not to be protected by it. I'd also like the option of having only a single key (.google_authenticator file), but I don't like the idea of having it readable by all users.

There are multiple ways to achieve the above goals. The most straightforward is suggested by the google-authenticator man page. It requires adding the pam_succeed_if.so line shown first below:
```
auth [default=1 success=ignore] pam_succeed_if.so quiet user ingroup root
auth required pam_google_authenticator.so
```
It requires the user to be in group "root" (the last argument) before GoogleAuth is required. I'm not a PAM guru, but in effect it removed the effect of the previous line, the one with accessfile=/etc/security/access-local.conf (the [success=1 default=ignore] action on pam_access.so skips exactly one following module, so if the new line sits between the two, the skip lands on pam_succeed_if.so instead of pam_google_authenticator.so). There is probably a way to overcome it somehow, but I had no curiosity to follow this path.
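To make the jump arithmetic visible, here is an added example (not part of the post) that models the Linux-PAM control actions used in these stacks with caller-supplied module outcomes, and assumes the man page's pam_succeed_if.so line was inserted between pam_access.so and pam_google_authenticator.so.

```python
# Model of the PAM auth-stack semantics used in the post: 'required' records a
# failure but keeps going; '[success=N default=ignore]' jumps over the next N
# modules when the module succeeds; '[default=N success=ignore]' jumps over N
# modules when it does not succeed. No real PAM module runs here.

def run_stack(stack, results):
    """Evaluate stack (list of (control, module)) with the given per-module
    outcomes; return (authenticated, modules that actually ran)."""
    failed, executed, i = False, [], 0
    while i < len(stack):
        control, module = stack[i]
        ok = results[module]
        executed.append(module)
        i += 1
        if control == "required":
            failed = failed or not ok              # keep going, remember the failure
        elif control.startswith("[success=") and ok:
            i += int(control[len("[success="):].split()[0])   # skip N modules
        elif control.startswith("[default=") and not ok:
            i += int(control[len("[default="):].split()[0])
    return (not failed), executed

# The stack from the post: pam_access decides whether the next line is skipped.
FINAL_STACK = [
    ("[success=1 default=ignore]", "pam_access"),
    ("required", "pam_google_authenticator"),
]

# Assumed placement of the man page's line, between the two existing ones.
WITH_SUCCEED_IF = [
    ("[success=1 default=ignore]", "pam_access"),
    ("[default=1 success=ignore]", "pam_succeed_if"),
    ("required", "pam_google_authenticator"),
]

def login(stack, from_local_net, in_root_group, code_ok):
    """pam_access succeeds for the local net (per access-local.conf),
    pam_succeed_if for members of group root, the OTP module for a valid code."""
    return run_stack(stack, {"pam_access": from_local_net,
                             "pam_succeed_if": in_root_group,
                             "pam_google_authenticator": code_ok})
```

With the extra line in place, a root-group user on the local network is asked for a code anyway (the skip lands on pam_succeed_if), while a user outside group root gets in from anywhere without one.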
Instead I removed the packaged module and built the current version from source:

```
apt-get remove libpam-google-authenticator
apt-get install libpam0g-dev libqrencode3
wget https://google-authenticator.googlecode.com/files/libpam-google-authenticator-1.0-source.tar.bz2
```

You can check if there is a new version here.
```
tar jvxf libpam-google-authenticator-1.0-source.tar.bz2
cd libpam-google-authenticator-1.0/
make
make install
```
Now I can log in without a one-time password for users whose home directory has no .google_authenticator file. I can also see the one-time password while typing it. The pam_google_authenticator line in /etc/pam.d/sshd needs to be adjusted:
```
auth required pam_google_authenticator.so nullok echo_verification_code
```

This is something good to know and good to have. However, since I'm the only user of the system, I'd rather have a common .google_authenticator file, owned by root and readable only by root. From the internal network I'd like to log in without one-time passwords, but from outside I want them to be mandatory. So the final solution is:
```
# Uncomment and edit /etc/security/access.conf if you need to set complex
# access limits that are hard to express in sshd_config.
#account required pam_access.so

# skip one-time password if logging in from the local network
auth [success=1 default=ignore] pam_access.so accessfile=/etc/security/access-local.conf
auth required pam_google_authenticator.so user=root secret=/root/.google_authenticator echo_verification_code
```
Finally I decided to open SSH to the whole world, no exceptions (the account line for pam_access.so is commented out in /etc/pam.d/sshd).