Playing with Google Authenticator and Oracle Cloud – Securing SSH to Oracle account with two factor authentication

The Requirement

Increase security when connecting via SSH to the Oracle OS account at Oracle Cloud by implementing two factor authentication (TFA or 2FA).

The Environment

  • Oracle Cloud Instance
  • OS: Oracle Linux 6.9

The Implementation

For this exercise we will implement Google Authenticator as our TFA solution in our Oracle Cloud Instance and configure it to secure the Oracle OS account.

Note: Google Authenticator doesn't connect to Google when authenticating; all the work happens on your SSH server and your phone. Google Authenticator is open-source software, which means you can check the code yourself.

Step 1 – Install dependencies for Google Authenticator Module

The first step is to connect as root to your server (in this case, our instance at Oracle Cloud) and install the required dependency package "pam-devel" by running:

$ yum install pam-devel

Step 2: Download Google Authenticator Module

You can find the open source of Google Authenticator here https://github.com/google/google-authenticator and compile it yourself, or download the compiled and ready to use version here http://dl.fedoraproject.org/pub/epel/6/x86_64/Packages/g/google-authenticator-0-0.3.20110830.hgd525a9bab875.el6.x86_64.rpm .

In my case, I decided to download the compiled version as below:

$ wget http://dl.fedoraproject.org/pub/epel/6/x86_64/Packages/g/google-authenticator-0-0.3.20110830.hgd525a9bab875.el6.x86_64.rpm

Step 3: Install the Google Authenticator Module

Install the downloaded Google Authenticator module by issuing the rpm command as shown below:

$ rpm -ivh google-authenticator-0-0.3.20110830.hgd525a9bab875.el6.x86_64.rpm

Step 4: Run and configure Google Authenticator

The next step is to set up Google Authenticator for the Oracle OS user account. For this we will need to:

  1. Connect to the Oracle account by issuing su - oracle
  2. Execute the command google-authenticator as oracle
  3. Enter y [yes] when asked to update your "~/.google_authenticator" file
  4. Enter y [yes] when asked to disallow multiple uses of the same authentication token
  5. Enter y [yes] when asked to confirm that tokens are good for 30 seconds and in order to compensate for possible time-skew between the client and the server
  6. Enter y [yes] when asked to limit attackers to no more than 3 login attempts every 30s

Note 1: Please save the Secret Key, because we will need it later.

Note 2: Save the emergency scratch codes, because you never know when you will need one 😉

Note 3: Please keep the page with the secret code open; otherwise the key will not work when you enter it in the app later. If it was closed, just connect as the oracle user and run the command to install and configure Google Authenticator again (step 4).
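
What the server does with the secret key and the options chosen in step 4, shown as an added example that is not part of the original post and not the PAM module's own code: a simplified Python model of RFC 6238 TOTP (HMAC-SHA1, 30-second steps, 6 digits) with a skew window and single-use codes. The names totp, Verifier and SAMPLE_SECRET are assumptions made for illustration; SAMPLE_SECRET is the published RFC 6238 test key, not a real secret.

```python
import base64
import hashlib
import hmac
import struct

STEP = 30  # seconds a code is valid for, as confirmed in step 4
# Constructed sample: base32 of the RFC 6238 test key "12345678901234567890".
SAMPLE_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def totp(secret_b32, unix_time, digits=6):
    """Compute the TOTP code for a base32 secret at a given Unix time."""
    s = secret_b32.replace(" ", "").upper()
    key = base64.b32decode(s + "=" * (-len(s) % 8))  # restore stripped padding
    counter = struct.pack(">Q", int(unix_time) // STEP)  # time step number
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


class Verifier:
    """Model of the server side: skew window plus one use per time step."""

    def __init__(self, secret_b32, window=1):
        self.secret = secret_b32
        self.window = window  # steps of clock skew tolerated on each side
        self.used = set()     # time steps whose code was already accepted

    def check(self, code, now):
        for drift in range(-self.window, self.window + 1):
            t = now + drift * STEP
            if hmac.compare_digest(totp(self.secret, t), code):
                step = int(t) // STEP
                if step in self.used:
                    return False  # same token presented twice: reject
                self.used.add(step)
                return True
        return False


if __name__ == "__main__":
    v = Verifier(SAMPLE_SECRET)
    code = totp(SAMPLE_SECRET, 1111111109)
    print(code, v.check(code, 1111111111), v.check(code, 1111111111))
```

Both sides derive the code from the shared secret and their own clock, which is why no network call is needed and why the server clock must stay in sync with the phone.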

Step 5: Configure SSH to use Google Authenticator PAM Module

Connect as root again and open your PAM configuration file /etc/pam.d/sshd (Using vi /etc/pam.d/sshd), then add the following line at the top of the file:

auth required pam_google_authenticator.so

Next up, open your SSH configuration file /etc/ssh/sshd_config (using vi /etc/ssh/sshd_config), and modify the line containing ChallengeResponseAuthentication no:

ChallengeResponseAuthentication no
(change it to)
ChallengeResponseAuthentication yes

To have these changes take effect, restart the SSH server using one of the commands below:

service ssh restart
(or)
service sshd restart
(or)
/etc/init.d/ssh restart
(or)
/etc/init.d/sshd restart

Why show 4 commands? Because it depends on your Linux distribution: some refer to the SSH daemon as sshd and some as ssh, some have the service command installed, and some require you to go into the /etc/init.d folder and restart the SSH service manually.

Note: Do not forget to set a password for the oracle user if not done previously.

$ passwd oracle

Step 6: Configure your SmartPhone for Google Authenticator App

Now it is time to install the Google Authenticator app on your phone and configure it. You can download it from:

More detailed per device install instructions can be found on this page:

Assuming you managed to install the app properly, launch the Google Authenticator app on your smartphone (my example uses iOS).

Click on Begin Setup at the bottom of the screen and select Manual Entry.

Enter an Account Name that will easily identify it for you, enter the Secret Key generated when you installed and configured Google Authenticator in step 4, then click OK at the top right of the screen.

Now you are ready to use it 🙂


Step 7: Test Connectivity

Now connect to your Oracle account on your server via SSH, enter the Google Authenticator code shown in your app, then enter the password for your Oracle user and, DONE!

Have fun, Francisco Munoz Alvarez
