Setup 2FA SSH on MacOS Sierra

For some time, I have been using 2FA for most of my sensitive logins on the Internet. From Google to FB to WordPress to Git. Any login with sensitive information is setup with 2FA using (FIDO U2F).

Anyway, the one setup that has been missing (don’t ask me why I had not done is sooner) was our home MacMini. Our MacMini stays on all of the time and serves as our home computer. We use it for everything, from a Plex Server to printer server, to file server, you name it.

I like to be able to access it remotely and as such I have setup SSH on it. However, until recently, it was pretty open. I looked online for support on how to setup 2FA and below are the steps I followed to get it to work:

Basic definitions

  • Server: This is the host to which you want to connect and on which you’ll be installing 2FA
  • Client: This is any host other the the server

Instructions

  1. You need to have xcode, command line tools and homebrew installed. You should do this from the
    1. Install xcode: That you need to do from the App Store. Just open the App Store,  look for xcode and install it
    2. Install command line tools:
      xcode-select --install

      That should bring up a prompt on the screen asking if you want to install command line tools. Click Installinstall xcode on mavericks step 1

    3. Install homebrew:
      /usr/bin/ruby -e "$(curl -fsSL https://raw.githubusercontent.com/Homebrew install/master/install)"
  2. Get the latest release of Google Authenticator. Download and unzip.
  3. Build and install Google Authenticator:
    ./bootstrap.sh
    ./configure
    make
    sudo make install
  4. Update sshd to use Google Authenticator
    1. Make a copy of /etc/pam.d/sshd:
      sudo cp /etc/pam.d/sshd /etc/pam.d/sshd.org
    2. Make a copy of /etc/ssh/sshd_config:
      sudo cp /etc/ssh/sshd_config /etc/ssh/sshd_config.org
    3. Update sshd to make use of the Google Authenticator shared object (pam_google_authenticator.so):
      //This will let you edit the file
      sudo vi /etc/pam.d/sshd
      //Add this line below the "auth" section 
      auth       required       /usr/local/lib/security/pam_google_authenticator.so
      //Save and exit 
      :wq!
      
      
    4. Update sshd_config:
      //Open the file for edit:
      sudo vi /etc/ssh/sshd_config
      //Look for #ChallengeResponseAuthentication yes and remove the hash
      ChallengeResponseAuthentication yes
      //Save and exit
      :wq!
  5. Restart sshd for the changes to take effect:
    sudo launchctl unload  /System/Library/LaunchDaemons/ssh.plist
    sudo launchctl load  /System/Library/LaunchDaemons/ssh.plist
  6. Setup Google Authenticator for the desired user
    1. Assuming you have performed all of the actions above logged in as the desired user, just continue, otherwise exit and login as the desired user.
    2. Setup Google Authenticator:
      //Locate the folder where you unzipped Google Authenticator and execute google-authenticator
      google-authenticator
      
      Do you want authentication tokens to be time-based (y/n) y
      https://www.google.com/chart?some-really-long-url-you-will-need-this
      Your new secret key is: ABCDEFGHIJKLMNOP 
      Your verification code is 000000
      Your emergency scratch codes are:
        00000000
        00000000
        00000000
        00000000
        00000000
      
      Do you want me to update your "/Users/<your-username>/.google_authenticator" file (y/n) y
      
      Do you want to disallow multiple uses of the same authentication
      token? This restricts you to one login about every 30s, but it increases
      your chances to notice or even prevent man-in-the-middle attacks (y/n) y
      
      By default, tokens are good for 30 seconds and in order to compensate for
      possible time-skew between the client and the server, we allow an extra
      token before and after the current time. If you experience problems with poor
      time synchronization, you can increase the window from its default
      size of 1:30min to about 4min. Do you want to do so (y/n) y
      
      If the computer that you are logging into isn't hardened against brute-force
      login attempts, you can enable rate-limiting for the authentication module.
      By default, this limits attackers to no more than 3 login attempts every 30s.
      Do you want to enable rate-limiting (y/n) y
    3. With a browser open the long URL. This will generate a QR Code. Scan the code using your favorite Google Authenticator App. I personally like Authy as it can sync between devices.
  7. Close all open SSH connections you may have with the server.
  8. From a client ssh into the host and voila, 2FA works 😀
    client.host:~ username$ ssh username@host.to.ssh
    Password:
    Verification code:
    Last login: Thu Dec  7 16:09:24 2017 from 192.168.2.1
    host.to.ssh:~ username$

References

The internet is nothing, if not for a bunch of really smart people that love to share their experiences and findings. I was able to get this to work thanks to these posts:

 

Leave a Reply

Your email address will not be published. Required fields are marked *