For some time, I have been using 2FA for most of my sensitive logins on the Internet. From Google to FB to WordPress to Git. Any login with sensitive information is setup with 2FA using (FIDO U2F).
Anyway, the one setup that has been missing (don’t ask me why I had not done is sooner) was our home MacMini. Our MacMini stays on all of the time and serves as our home computer. We use it for everything, from a Plex Server to printer server, to file server, you name it.
I like to be able to access it remotely and as such I have setup SSH on it. However, until recently, it was pretty open. I looked online for support on how to setup 2FA and below are the steps I followed to get it to work:
Basic definitions
- Server: This is the host to which you want to connect and on which you’ll be installing 2FA
- Client: This is any host other the the server
Instructions
- You need to have xcode, command line tools and homebrew installed. You should do this from the
- Install xcode: That you need to do from the App Store. Just open the App Store, look for xcode and install it
- Install command line tools:
xcode-select --install
That should bring up a prompt on the screen asking if you want to install command line tools. Click Install
- Install homebrew:
/usr/bin/ruby -e "$(curl -fsSL https://raw.githubusercontent.com/Homebrew install/master/install)"
- Get the latest release of Google Authenticator. Download and unzip.
- Build and install Google Authenticator:
./bootstrap.sh ./configure make sudo make install
- Update sshd to use Google Authenticator
- Make a copy of /etc/pam.d/sshd:
sudo cp /etc/pam.d/sshd /etc/pam.d/sshd.org
- Make a copy of /etc/ssh/sshd_config:
sudo cp /etc/ssh/sshd_config /etc/ssh/sshd_config.org
- Update sshd to make use of the Google Authenticator shared object (pam_google_authenticator.so):
//This will let you edit the file sudo vi /etc/pam.d/sshd //Add this line below the "auth" section auth required /usr/local/lib/security/pam_google_authenticator.so //Save and exit :wq!
- Update sshd_config:
//Open the file for edit: sudo vi /etc/ssh/sshd_config //Look for #ChallengeResponseAuthentication yes and remove the hash ChallengeResponseAuthentication yes //Save and exit :wq!
- Make a copy of /etc/pam.d/sshd:
- Restart sshd for the changes to take effect:
sudo launchctl unload /System/Library/LaunchDaemons/ssh.plist sudo launchctl load /System/Library/LaunchDaemons/ssh.plist
- Setup Google Authenticator for the desired user
- Assuming you have performed all of the actions above logged in as the desired user, just continue, otherwise exit and login as the desired user.
- Setup Google Authenticator:
//Locate the folder where you unzipped Google Authenticator and execute google-authenticator google-authenticator Do you want authentication tokens to be time-based (y/n) y https://www.google.com/chart?some-really-long-url-you-will-need-this Your new secret key is: ABCDEFGHIJKLMNOP Your verification code is 000000 Your emergency scratch codes are: 00000000 00000000 00000000 00000000 00000000 Do you want me to update your "/Users/<your-username>/.google_authenticator" file (y/n) y Do you want to disallow multiple uses of the same authentication token? This restricts you to one login about every 30s, but it increases your chances to notice or even prevent man-in-the-middle attacks (y/n) y By default, tokens are good for 30 seconds and in order to compensate for possible time-skew between the client and the server, we allow an extra token before and after the current time. If you experience problems with poor time synchronization, you can increase the window from its default size of 1:30min to about 4min. Do you want to do so (y/n) y If the computer that you are logging into isn't hardened against brute-force login attempts, you can enable rate-limiting for the authentication module. By default, this limits attackers to no more than 3 login attempts every 30s. Do you want to enable rate-limiting (y/n) y
- With a browser open the long URL. This will generate a QR Code. Scan the code using your favorite Google Authenticator App. I personally like Authy as it can sync between devices.
- Close all open SSH connections you may have with the server.
- From a client ssh into the host and voila, 2FA works 😀
client.host:~ username$ ssh username@host.to.ssh Password: Verification code: Last login: Thu Dec 7 16:09:24 2017 from 192.168.2.1 host.to.ssh:~ username$
References
The internet is nothing, if not for a bunch of really smart people that love to share their experiences and findings. I was able to get this to work thanks to these posts:
- https://github.com/mtjddnr/lab/wiki/Mac-OSX-ssh-login-with-Google-Authenticator
- https://github.com/google/google-authenticator-libpam
- http://enterprisemac.bruienne.com/2015/01/07/enable-google-two-factor-authentication-for-ssh-connections-on-os-x/
- https://www.yubico.com/wp-content/uploads/2016/02/Yubico_YubiKeyMacOSXLogin_en.pdf
- https://superuser.com/questions/383580/how-to-install-autoconf-automake-and-related-tools-on-mac-os-x-from-source