2-Factor SSH with Google Authenticator and Challenge Response Authentication

We challenge you... to respond... then we'll authenticate ya! That's right, we're getting into Challenge Response Authentication. Plus Two-Factor Authentication for SSH using the Google Authenticator, and how not to lock yourself out of your own workstation. All that and more, this time on Hak5!

Challenge Response Authentication

  • Used in the 80's and 90's for copy protection (Wolfenstein SoD example)
  • DRYAD Example
    • Used for Authentication or Encryption by US military
  • Keyboard Interactive is defined in an Internet-Draft to the IETF: in 2004, two Googlers describe "Generic Message Exchange Authentication for SSH"


Example of Lame-Ass-Challenge-Response-Authentication

  • Client initiates connection to server
  • Server asks for password
  • Client tells server password
  • Server lets client connect, they become BFF
  • Eavesdropping hacker now knows password


One-way hash

  • Takes input, returns hash value
  • Finding input from hash value is "computationally infeasible"
  • Popular functions include MD5, SHA


Example of proper Challenge-Response Authentication

  • Client initiates connection to server
  • Server "challenges" client by sending a random number
  • Client "responds" by using one-way hash to compute random number + password, sends result
  • Server uses same one-way hash to compute random number + password, verifies result
  • If result matches, client and server become BFF
  • Eavesdropping hacker now knows a random number and the resulting hash from said random number + the password :-(


Weaknesses in CRA

  • If a challenge is used more than once, the hacker can simply replay the hash
  • Mitigated by using long random numbers
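
Added example (not part of the original show notes): a Python version of the proper challenge-response exchange and the replay weakness listed above, using SHA-256 as the one-way hash. The names respond, Server and demo and the demo password are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets


def respond(challenge: bytes, password: str) -> bytes:
    """Client side: one-way hash of random number + password."""
    return hashlib.sha256(challenge + password.encode("utf-8")).digest()


class Server:
    """Server side: issues single-use challenges and verifies responses."""

    def __init__(self, password: str, nonce_bytes: int = 32):
        self._password = password        # constructed demo secret
        self._nonce_bytes = nonce_bytes  # long nonce: repeats are negligible
        self._outstanding = set()        # challenges issued, not yet answered

    def issue_challenge(self) -> bytes:
        challenge = secrets.token_bytes(self._nonce_bytes)  # CSPRNG output
        self._outstanding.add(challenge)
        return challenge

    def verify(self, challenge: bytes, response: bytes) -> bool:
        # A challenge is valid once: unknown or already-used values are
        # refused, so a captured (challenge, response) pair cannot be replayed.
        if challenge not in self._outstanding:
            return False
        self._outstanding.discard(challenge)
        expected = respond(challenge, self._password)
        return hmac.compare_digest(expected, response)  # constant-time compare


def demo() -> dict:
    server = Server("correct horse battery staple")
    c1 = server.issue_challenge()
    r1 = respond(c1, "correct horse battery staple")  # eavesdropper sees c1, r1
    results = {"login": server.verify(c1, r1)}
    results["replay_same_challenge"] = server.verify(c1, r1)
    c2 = server.issue_challenge()
    results["replay_on_fresh_challenge"] = server.verify(c2, r1)
    c3 = server.issue_challenge()
    results["wrong_password"] = server.verify(c3, respond(c3, "guess"))
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'accepted' if ok else 'rejected'}")
```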


SSH 2-Factor Authentication via Google Authenticator

Ubuntu 10.04 setup based off webbynode guide.

# Install Google Authenticator PAM module
$ cd ~
$ wget http://google-authenticator.googlecode.com/files/libpam-google-authenticator-1.0-source.tar.bz2
$ tar jxvf libpam-google-authenticator-1.0-source.tar.bz2
$ cd google-authenticator
$ sudo make install
# Edit /etc/ssh/sshd_config and change the ChallengeResponseAuthentication to yes
# Edit /etc/pam.d/sshd and add
# auth    required                        pam_google_authenticator.so
#*** Some guides recommend adding the above line to the /etc/pam.d/common-auth file.
#*** You'll wish you hadn't if you're testing this on your desktop with gnome/kde/etc ;-)
# Configure the user account
$ google-authenticator
# Follow the URL and scan the barcode with your phone's Google Authenticator app
# Restart sshd:
$ sudo /etc/init.d/ssh restart
# Login as normal and you'll be prompted for verification code in addition to password