Scalability Blog

Scaling tips, insights, updates, culture, and more from our Server Experts.
 

Implementing TOTP Authentication Into Your Infrastructure

We have previously covered how to set up the Time-based One-time Password Algorithm (TOTP) on your mobile device. Now we can add TOTP to SSH logins. Public key authentication, with password and challenge-response authentication disabled, remains the more secure choice for SSH. However, there are times when you have to reach your server and do not have your private key with you. For that case we will allow root login over SSH and protect it with a time-based passcode as a second factor on top of the password. If you can, use an unprivileged account with sudo instead of root; the PAM change below applies to every SSH login either way.

Make sure your server's clock is synced and ntpd is running. TOTP codes are derived from the current time, so a drifting clock turns valid codes into "Invalid verification code" failures:

# killall -9 ntpd && ntpdate -b -v 0.pool.ntp.org && service ntpd start

Now install git and pam-devel, then fetch the libpam source:

# yum -y install git pam-devel
# git clone https://code.google.com/p/google-authenticator/ /root/ga

Cloning into '/root/ga'...
remote: Counting objects: 1048, done.
remote: Finding sources: 100% (1048/1048), done.
remote: Total 1048 (delta 504)
Receiving objects: 100% (1048/1048), 2.27 MiB | 1.09 MiB/s, done.
Resolving deltas: 100% (504/504), done.

# cd /root/ga/libpam && make && make install

After the build you'll have two new files: /lib64/security/pam_google_authenticator.so (the PAM module) and /usr/local/bin/google-authenticator (the enrollment tool that generates the secret).

Edit /etc/pam.d/sshd and add the following line as the first auth entry. Using required (rather than requisite) means a wrong code still lets the rest of the stack run, so the password prompt appears either way and a failed login does not reveal which factor was wrong:

auth required pam_google_authenticator.so

[screenshot: pam-google]
Now adjust /etc/ssh/sshd_config as follows and restart sshd. UsePAM yes must also be set (it is the CentOS/RHEL default); without it the PAM stack, and with it the module, is never consulted. The verification-code prompt travels over keyboard-interactive authentication, which ChallengeResponseAuthentication enables. PasswordAuthentication is not what carries the second prompt: the plain password method answers every PAM prompt with the password, so it cannot satisfy the code prompt and can safely stay at no.

PermitRootLogin yes
PasswordAuthentication yes
ChallengeResponseAuthentication yes
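Because sshd applies the first occurrence of each keyword, a setting appended to the end of sshd_config is silently ignored when the same keyword already appears earlier in the file, and UsePAM must be yes or the PAM stack is never entered at all. The following script is an added example written for this post, not code from the original article or from the google-authenticator project. It parses an sshd_config fragment under those rules and reports what would keep the verification-code prompt from appearing; the sample configuration it checks is constructed, and it treats Match blocks as out of scope.

```python
"""Check an sshd_config fragment for the settings a PAM-driven TOTP login needs.

Two sshd parsing rules matter here: keywords are case-insensitive, and for
each keyword the FIRST occurrence wins, so a line appended to the end of
the file is ignored when the keyword already appears above it.
Assumption: the settings checked are global; Match blocks are skipped.
"""


def parse_sshd_config(text):
    """Return {keyword: value} applying sshd's first-occurrence-wins rule."""
    settings = {}
    in_match = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # sshd accepts both "Keyword value" and "Keyword=value"
        parts = line.replace("=", " ", 1).split(None, 1)
        key = parts[0].lower()
        if key == "match":
            in_match = True          # everything after a Match line is conditional
            continue
        if in_match or len(parts) != 2:
            continue
        if key == "challengeresponseauthentication":
            key = "kbdinteractiveauthentication"   # newer OpenSSH name; the old one is an alias
        settings.setdefault(key, parts[1].strip().lower())   # first occurrence wins
    return settings


def check_totp_readiness(text):
    """Return a list of findings; an empty list means sshd will enter the PAM
    stack and relay pam_google_authenticator's verification-code prompt."""
    cfg = parse_sshd_config(text)
    findings = []
    # Without UsePAM yes sshd never calls pam_authenticate, so the module is
    # installed but never consulted.
    if cfg.get("usepam") != "yes":
        findings.append("UsePAM must be yes (found %r)" % cfg.get("usepam"))
    # keyboard-interactive is the SSH method that can carry a second prompt.
    kbd = cfg.get("kbdinteractiveauthentication")
    if kbd != "yes":
        findings.append("ChallengeResponseAuthentication must be yes (found %r)" % kbd)
    if cfg.get("permitrootlogin") == "yes":
        findings.append("PermitRootLogin yes: prefer an unprivileged user plus sudo")
    return findings


# Constructed sample: the TOTP settings were appended at the end, but an
# earlier "ChallengeResponseAuthentication no" already won.
SAMPLE_SSHD_CONFIG = """
# stock settings
UsePAM yes
ChallengeResponseAuthentication no
PasswordAuthentication no

# added for TOTP (too late: the first occurrence above wins)
PermitRootLogin yes
PasswordAuthentication yes
ChallengeResponseAuthentication yes

Match User backup
    PasswordAuthentication no
"""

if __name__ == "__main__":
    for finding in check_totp_readiness(SAMPLE_SSHD_CONFIG):
        print("FINDING:", finding)
```

On a live host, `sshd -T` prints the effective configuration after these rules have been applied, which is the quickest way to confirm what sshd actually believes before you restart it.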

Now run google-authenticator as root to generate your secret key (answer yes when it asks for time-based tokens):

[screenshot: run-google-security-key]

The tool also prints a link to a QR code, which you can scan with the app on your mobile device. Note that the link embeds the secret in its query string, so typing the secret into the app by hand is the more private option:

[screenshot: qr-code]

As you can see, the secret key that was generated is “4V5OYJGQ5PIZXINF”. Treat it like a password: anyone who has it can generate your codes. To compute the current passcode yourself you can use the following Python code:

# Python 3
import hmac, base64, struct, hashlib, time

def get_hotp_token(secret, intervals_no):
    # secret is the base32 string from /root/.google_authenticator
    key = base64.b32decode(secret, True)
    # the HOTP counter is an 8-byte big-endian integer (RFC 4226)
    msg = struct.pack(">Q", intervals_no)
    h = hmac.new(key, msg, hashlib.sha1).digest()
    # dynamic truncation: the low nibble of the last byte selects 4 bytes
    o = h[19] & 15
    h = (struct.unpack(">I", h[o:o+4])[0] & 0x7fffffff) % 1000000
    return h

def get_totp_token(secret):
    # TOTP is HOTP with the counter set to the current 30-second interval
    return get_hotp_token(secret, intervals_no=int(time.time())//30)

my_secret = '4V5OYJGQ5PIZXINF'
my_token = get_totp_token(my_secret)

# zero-pad to six digits: a code such as 012345 must keep its leading zero
print("%06d" % my_token)

 

You can use either your mobile phone (Android, iOS, BlackBerry) or a standalone desktop application to generate the passcodes:

[screenshot: generate-passcodes]

If you enter the correct password but a wrong TOTP passcode, the login is refused and the PAM module logs an error in /var/log/secure:

sshd(pam_google_authenticator)[23225]: Invalid verification code

It is worth mentioning that you could copy /root/.google_authenticator to all of your servers and use the same passcodes everywhere. Keep in mind what that means: the file is then one secret shared by every host, so a compromise of any one server exposes the TOTP secret for all of them, and a scratch code used on one server stays valid on the others until you remove it by hand. The file must remain readable only by its owner (google-authenticator creates it with mode 0400, and the PAM module refuses a secret file that other users can access). It contains the secret key and the emergency scratch codes, which should be written down and kept somewhere safe:

# cat /root/.google_authenticator
4V5OYJGQ5PIZXINF
" RATE_LIMIT 3 30 1356890982 1356891010
" WINDOW_SIZE 17
" DISALLOW_REUSE 45229700
" TOTP_AUTH
17744140
47270588
95085783
61291563
70584902

The lines starting with a double quote are options. RATE_LIMIT 3 30 allows at most three login attempts per 30 seconds; the timestamps that follow are the module's record of recent attempts. WINDOW_SIZE 17 accepts the current code plus eight codes on either side, i.e. about four minutes of clock skew each way. DISALLOW_REUSE lists the 30-second intervals whose codes have already been used (45229700 is unix time 1356891000 divided by 30), so a captured code cannot be replayed within its window. TOTP_AUTH marks the file as time-based rather than counter-based.
If you use one of the scratch codes, the file is rewritten on the server where you used it. For example, after logging in with “17744140” the PAM module removes that code so it cannot be used again:

# cat /root/.google_authenticator
4V5OYJGQ5PIZXINF
" RATE_LIMIT 3 30 1356891395
" WINDOW_SIZE 17
" DISALLOW_REUSE 45229700
" TOTP_AUTH
47270588
95085783
61291563
70584902

You can also append scratch codes of your own (eight digits, one per line), but each one is a static password that bypasses the time-based check, so keeping the list short is good security practice.
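To make the file's options concrete, here is a small verifier, an added example written for this post and not the PAM module's own code. It reads a .google_authenticator file in the format shown above, accepts a six-digit code anywhere inside WINDOW_SIZE, records the interval under DISALLOW_REUSE so the same code is refused a second time, consumes a scratch code on first use, and writes the file back the way the module does after a login. It is a simplified model of pam_google_authenticator: RATE_LIMIT is parsed but not enforced, and the used-interval list is never pruned. The file contents and the timestamp are taken from the listings above.

```python
"""Miniature pam_google_authenticator: TOTP window, reuse check, scratch codes.

Simplified model written for this post (not the module's code). RATE_LIMIT
is parsed but not enforced; used intervals are kept forever.
"""
import base64
import hashlib
import hmac
import struct

# Constructed from the file listing above.
SECRET_FILE = '''4V5OYJGQ5PIZXINF
" RATE_LIMIT 3 30 1356890982 1356891010
" WINDOW_SIZE 17
" DISALLOW_REUSE 45229700
" TOTP_AUTH
17744140
47270588
95085783
61291563
70584902
'''


def hotp(secret_b32, counter):
    """RFC 4226 HOTP: 6 digits from HMAC-SHA1(key, 8-byte big-endian counter)."""
    key = base64.b32decode(secret_b32, casefold=True)
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                               # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return "%06d" % (code % 1000000)                      # keep leading zeros


def parse_ga_file(text):
    """Turn the file into a state dict: secret, options, scratch codes."""
    lines = [l.strip() for l in text.splitlines() if l.strip()]
    state = {"secret": lines[0], "rate": None, "window": 3,
             "disallow_reuse": False, "used": set(), "totp": False, "scratch": []}
    for line in lines[1:]:
        if not line.startswith('"'):
            state["scratch"].append(line)                 # 8-digit emergency codes
            continue
        fields = line[1:].split()
        opt, args = fields[0], fields[1:]
        if opt == "RATE_LIMIT":
            state["rate"] = " ".join(args)                # parsed, not enforced here
        elif opt == "WINDOW_SIZE":
            state["window"] = int(args[0])                # number of codes accepted
        elif opt == "DISALLOW_REUSE":
            state["disallow_reuse"] = True
            state["used"] = set(int(a) for a in args)     # intervals already spent
        elif opt == "TOTP_AUTH":
            state["totp"] = True
    return state


def render_ga_file(state):
    """Write the state back in the same format, as the module does after a login."""
    out = [state["secret"]]
    if state["rate"] is not None:
        out.append('" RATE_LIMIT ' + state["rate"])
    out.append('" WINDOW_SIZE %d' % state["window"])
    if state["disallow_reuse"]:
        out.append('" DISALLOW_REUSE' + "".join(" %d" % c for c in sorted(state["used"])))
    if state["totp"]:
        out.append('" TOTP_AUTH')
    out.extend(state["scratch"])
    return "\n".join(out) + "\n"


def verify(state, code, now):
    """Check one code at unix time `now`; return (accepted, reason) and
    update state exactly as a successful login would change the file."""
    code = code.strip()
    if len(code) == 8 and code in state["scratch"]:
        state["scratch"].remove(code)                     # scratch codes are one-shot
        return True, "scratch code consumed"
    if not state["totp"] or len(code) != 6:
        return False, "invalid verification code"
    counter = now // 30
    half = (state["window"] - 1) // 2                     # WINDOW_SIZE 17 -> +/- 8 steps
    for skew in range(-half, half + 1):
        if hmac.compare_digest(hotp(state["secret"], counter + skew), code):
            if state["disallow_reuse"]:
                if counter + skew in state["used"]:
                    return False, "code already used"
                state["used"].add(counter + skew)
            return True, "totp match, skew %d" % skew
    return False, "invalid verification code"


if __name__ == "__main__":
    st = parse_ga_file(SECRET_FILE)
    now = 1356891395                                      # timestamp from the listing
    print(verify(st, hotp(st["secret"], now // 30), now)) # accepted
    print(verify(st, "17744140", now))                    # scratch code, accepted once
    print(render_ga_file(st))                             # 17744140 is gone
```

Note the reuse check is tied to the interval the code matched, not to the code string: the same code presented a second time is refused even though it is still inside the window, which is exactly the replay DISALLOW_REUSE exists to stop.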

Now that challenge-response authentication is enabled, SFTP clients such as FileZilla must use the “Interactive” logon type so they can answer the verification-code prompt.

You will be prompted for the verification code upon connection:

[screenshot: prompted-verification-code]

After entering the verification code and the password, the system lets you log in:

[screenshot: system-login]

WordPress with TOTP Authentication

Now that access to your files and command shell is secured, we can also secure access to the WordPress administrative area.

Make sure the clock is synced on both the web server and the device that will generate the TOTP code.

# killall -9 ntpd && ntpdate -b -v 0.pool.ntp.org && service ntpd start

The plugin can be downloaded from http://downloads.wordpress.org/plugin/google-authenticator.0.43.zip or installed from the WordPress Plugins menu: search for ‘google authenticator’ and install it directly:

[screenshot: wordpress-google]

Activate the plugin and navigate to Users -> Your Profile:

[screenshot: activate-google-authenticator-wordpress]

Generate your QR code and add it to your phone or desktop app:

[screenshot: generate-qr-code]

Check the “Active” box and, if your server's time is not reliably synced, check ‘Relaxed mode’; it widens the window of accepted codes, so fix the clock and leave it off where you can.

To finalize changes, click “Update Profile” on the bottom, and you are done.

Now your WordPress admin area is more secure:

[screenshot: wordpress-admin]