Google Authenticator is open source software, currently licensed under the Apache 2.0 license. It is an excellent supplement to a working RSA model for additional security measures.
A convenient application is available for Android and iOS devices.
Setting up Google Authenticator
Installing Google Authenticator
You can easily install google-authenticator-libpam-hg from AUR using yaourt:
# yaourt -S google-authenticator-libpam-git
Adjusting the SSHD and PAM configuration files
Open /etc/ssh/sshd_config with your favorite text editor and make sure that ChallengeResponseAuthentication is set to
Next you have to edit /etc/pam.d/sshd. We are only interested in the lines starting with
If you want to have to enter both your regular password and a one-time password to log in, change the configuration like this:
Warning: Every user who has not yet generated a secret file will no longer be able to log in via SSH.
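The lockout described in the warning can be checked for before the stricter configuration goes live. The following shell function is an added example, not part of the original page: it lists login-capable accounts that have no secret file yet. It assumes the default secret location ~/.google_authenticator and local accounts in a passwd-format file; the function name and the sample accounts are constructed for illustration.

```sh
#!/bin/sh
# Added example: list accounts that would be locked out of SSH once the
# one-time password becomes mandatory, i.e. login-capable users that have
# no secret file yet.
# Assumptions: secrets are stored in the default ~/.google_authenticator
# and accounts come from a passwd-format file (no LDAP/NIS lookup).

# users_without_secret PASSWD_FILE [ROOT]
# ROOT is prepended to every home directory so the check can be run
# against a mounted image or a test tree; empty means the live system.
users_without_secret() {
    passwd_file=$1
    root=${2:-}
    while IFS=: read -r user pw uid gid gecos home shell; do
        # Skip accounts whose shell refuses interactive sessions.
        case "$shell" in
            */nologin|*/false) continue ;;
        esac
        [ -n "$home" ] || continue
        # A missing or empty secret file means no usable secret.
        if [ ! -s "$root$home/.google_authenticator" ]; then
            printf '%s\n' "$user"
        fi
    done < "$passwd_file"
}

# Constructed sample data so the example runs offline.
demo() {
    tmp=$(mktemp -d) || return 1
    mkdir -p "$tmp/home/alice" "$tmp/home/bob" "$tmp/root"
    echo 'CONSTRUCTED-SECRET' > "$tmp/home/alice/.google_authenticator"
    cat > "$tmp/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
alice:x:1000:1000::/home/alice:/bin/bash
bob:x:1001:1001::/home/bob:/bin/zsh
http:x:33:33::/srv/http:/usr/bin/nologin
EOF
    users_without_secret "$tmp/passwd" "$tmp"
    rm -rf "$tmp"
}

demo
```

On a live system, run users_without_secret /etc/passwd as root so that every home directory is readable; each name printed still has to run google-authenticator before the change is applied.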
If you want to be able to log in using your regular password or a one-time password, change the configuration file like this:
Using Google Authenticator
Just run the command google-authenticator as the user you want to generate the secret for and follow the instructions.
google-authenticator will show you a QR code you can scan on your phone if you have installed the qrencode package. Otherwise you have to enter the secret key manually on your phone.
If a one-time password is required for logging in, you should print out your emergency codes and store them in a safe place.
Removing Google Authenticator
These are the defaults for the changed parts of the configuration files: