How To: TOTP 2FA Linux SSH Using Google-Authenticator


Using only a username and password for authentication is no longer adequate: user-database dumps now routinely expose millions of passwords, hashed and salted or not. Secure authentication should combine something you know with something you have (in your pocket, always).

There have been several OTP and general 2FA solutions for Linux, from SMS (text-me-a-password) to YubiKeys. Google provides a free (so far) TOTP (Time-based One-Time Password) solution called Google Authenticator.


It uses an app called Authenticator for iOS (and Android, I presume) to show you the tokens, each of which is valid for 30 seconds. There is an even more useful package for Debian and Ubuntu, libpam-google-authenticator, which makes setup easy: it ships both the google-authenticator setup tool and the PAM module.

I have done the following steps on a Raspberry Pi running Raspbian.

  1. Install Google Authenticator
    pi@awesomebox ~ $ sudo apt-get install libpam-google-authenticator
  2. Run Google Authenticator
    pi@awesomebox ~ $ google-authenticator
    Do you want authentication tokens to be time-based (y/n) y
    ...BIG
    ......FANCY
    .........QR-CODE
    Your new secret key is: ZZZZZZZZZZZZZZZZ
    Your verification code is 123456
    Your emergency scratch codes are:
    11111111
    22222222
    33333333
    44444444
    55555555
  3. Scan the QR-CODE on screen with the Authenticator App
    Scanning...
  4. Answer yes (y)
    Do you want me to update your "/home/pi/.google_authenticator" file (y/n) y
    Do you want to disallow multiple uses of the same authentication token? (y/n) y
    By default, tokens are good for 30 seconds and in order to compensate for possible time-skew between the client and the server, we allow an extra token before and after the current time. Do you want to do so (y/n) y
    Do you want to enable rate-limiting (y/n) y
  5. Add the PAM module. Note that `sudo echo "..." >> file` does not work, because the redirection is done by your unprivileged shell, not by sudo; pipe through tee instead.
    pi@awesomebox ~ $ echo "auth required pam_google_authenticator.so" | sudo tee -a /etc/pam.d/sshd
  6. Enable challenge-response (keyboard-interactive) authentication in SSH
    pi@awesomebox ~ $ sudo vi /etc/ssh/sshd_config
    Change the entry ChallengeResponseAuthentication from no to yes. (OpenSSH 8.7 and later call this option KbdInteractiveAuthentication; the old name still works as an alias.) Also make sure UsePAM is set to yes, otherwise sshd never consults the PAM stack and the module is never asked.
  7. Check the configuration and restart SSH. Keep your current session open until the test in step 8 succeeds, so a typo cannot lock you out.
    pi@awesomebox ~ $ sudo sshd -t
    pi@awesomebox ~ $ sudo service ssh restart
  8. Test it out
    Open up a new terminal window and ssh to your box as you normally would
    user@lazybox ~ $ ssh pi@awesomebox
    Password: [Enter password]
    Verification code: [Enter TOTP-token from App]
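To make clear what actually happens when sshd asks for the "Verification code", here is a minimal RFC 6238 TOTP verifier in plain Python. It is an added example, not code from the original post or from the google-authenticator project. It reproduces the behaviour the setup questions in step 4 enable: 30-second time steps with 6-digit codes, a window of one extra step before and after the current one, rejection of an already used step, and single-use emergency scratch codes. The state-file layout (secret on the first line, option lines starting with a double quote, scratch codes one per line) follows what the google-authenticator tool writes, but the sample content is constructed, and the secret is the RFC 4226/6238 test key so the expected codes are the published ones.

```python
"""Minimal TOTP verifier modelled on what pam_google_authenticator checks.
Added example; not the PAM module's own code."""
import base64
import hashlib
import hmac
import struct
import time

STEP_SECONDS = 30
DIGITS = 6

# Constructed ~/.google_authenticator content. The secret is the RFC 4226/6238
# test key "12345678901234567890" in base32, so the expected codes are known.
SAMPLE_STATE = """GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ
" RATE_LIMIT 3 30
" WINDOW_SIZE 3
" DISALLOW_REUSE
" TOTP_AUTH
11111111
22222222
33333333
"""


def hotp(secret_b32, counter):
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter,
    then dynamic truncation to DIGITS decimal digits."""
    key = base64.b32decode(secret_b32.upper())
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** DIGITS).zfill(DIGITS)


def totp(secret_b32, unix_time):
    """RFC 6238 TOTP: HOTP with the counter set to the current 30-second step."""
    return hotp(secret_b32, int(unix_time) // STEP_SECONDS)


def parse_state(text):
    """Split a .google_authenticator file into (secret, options, scratch codes)."""
    lines = [ln.rstrip("\n") for ln in text.splitlines() if ln.strip()]
    secret, options, scratch = lines[0], {}, []
    for ln in lines[1:]:
        if ln.startswith('" '):
            parts = ln[2:].split()
            options[parts[0]] = parts[1:]
        else:
            scratch.append(ln)
    return secret, options, scratch


class Verifier:
    """Checks one user's codes, keeping the replay state in memory.
    The real module writes the equivalent state back into the file."""

    def __init__(self, state_text):
        self.secret, self.options, self.scratch = parse_state(state_text)
        # WINDOW_SIZE n = number of consecutive steps checked, centred on the
        # current one; 3 is the current step plus one on each side.
        size = int(self.options.get("WINDOW_SIZE", ["1"])[0])
        self.skew = (size - 1) // 2
        self.disallow_reuse = "DISALLOW_REUSE" in self.options
        self.last_step = -1

    def verify(self, code, unix_time):
        """True if code is a valid TOTP for the time (within the skew window)
        or an unused scratch code. Each accepted code is consumed."""
        if code in self.scratch:
            self.scratch.remove(code)  # scratch codes are strictly single-use
            return True
        step = int(unix_time) // STEP_SECONDS
        for candidate in range(step - self.skew, step + self.skew + 1):
            if hmac.compare_digest(hotp(self.secret, candidate), code):
                if self.disallow_reuse and candidate <= self.last_step:
                    return False  # this step (or an older one) already used: replay
                self.last_step = max(self.last_step, candidate)
                return True
        return False


if __name__ == "__main__":
    v = Verifier(SAMPLE_STATE)
    now = int(time.time())
    code = totp(v.secret, now)
    print("code for this step:", code)
    print("first use accepted:", v.verify(code, now))
    print("second use accepted:", v.verify(code, now))
```

The replay rule here rejects any code at or before the newest accepted step, which is slightly stricter than only refusing the identical token but is simple and safe. Note that the whole scheme rests on the server's clock being roughly right (hence the skew window) and on the secret file staying readable only by its owner, which is why the setup tool writes it with mode 0400.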

Happy TOTP-ing :)

iPhone App: Privacy PGP Messenger – Sending GPG/PGP Signed Email


Ever since I first dove into the many protocol specifications of a typical email setup, I have noticed that there is very little (no) privacy, and (absolutely) no security.

Sure, most of these protocols can be tunneled through SSL/TLS. But that only protects a single hop: how do you guarantee message integrity when the mail is relayed on to another server, or between datacenters? And to think that every message is stored as anything but cleartext is wishful thinking.

Most clients support S/MIME, but it is embarrassingly rarely used and terrible at presentation (attachments galore). GPG/PGP is, in my opinion, the ultimate privacy solution, albeit a little tricky.


What about mobile clients, you ask? One simple and very easy-to-use app for sending GPG/PGP-signed email is Privacy PGP Messenger for iOS. It fetches the public key associated with the email address from a public keyserver (probably MIT's), signs your message and sends it through your existing account in the Mail app.

GPG/PGP best practice is to keep the private key associated with your email address private: preferably a single copy, stored offline. The app is therefore not a solution for receiving signed email.

Happy Signing!

iPhone App: SMS Rage Faces – Fooling Around in iMessage


The SMS Rage Faces app for iPhone is a fun way to add a little touch to your text messages and fool around with pictures in your camera roll. Best of all, it's completely free!

Features Include:

  • SMS Rage Faces in 45 categories, and 1400+ Faces in total
  • 170+ Camera Booth Objects
  • All images are optimized to fit into iMessage
  • Images are sent as PNG files
  • Images can be pasted into other iPhone apps (Not just iMessage!)

iPhone App: RedLaser – Scan QR & EAN-codes


The RedLaser app for iPhone is a secret weapon for the smart shopper: scan or search for items to make sure you have all the information you need, including product details, ratings and price comparisons.

Features include:

  • QR and EAN-code scanning
  • Scan history log
  • URL, Info, Contact, Text and Location QR-code generation

iPhone App: WiFi Photo Transfer (Free) – Send iPhone photos over WiFi

Sharing photos from an iPhone is easy: plug it into a Mac, a PC or (depending on libimobiledevice) a Linux box, and after a very unexciting driver install the phone is recognized by the system as some sort of digital camera. But the age of wireless is here, and tangly cables should only be used for charging. This is where wireless technologies such as Bluetooth and WiFi come in.

WiFi Photo Transfer (Free) is a very useful iPhone application that lets you transfer photos from your iPhone to your computer over WiFi. It does this by running a small web server on the device, which any computer on the same network can reach with a web browser, so use it only on a network you trust.