Site Map - skip to main content

Hacker Public Radio

Your ideas, projects, opinions - podcasted.

New episodes every weekday Monday through Friday.
This page was generated by The HPR Robot at

hpr1161 :: PAM Two Factor Auth SSH

Pluggable Authentication Modules and two-factor authentication with SSH

<< First, < Previous, , Latest >>

Hosted by Beto on 2013-01-14 is flagged as Explicit and is released under a CC-BY-SA license.
ssh, authentication, two-factor authentication, google-authenticator. 2.
The show is available on the Internet Archive at:

Listen in ogg, spx, or mp3 format. Play now:

Duration: 00:48:42


Thank you to Broke For Free and for their Creative Commons album Broke For Free: Slam Funk, which was used during this latest show at

Good sources of information for PAM
Overview of PAM Security
  • Definition: Presenting two or more from something you have, something you know, and something you are.
  • Centos /etc/pam.d/
  • Debian /etc/pam.d/ (common-auth exists in Debian and its a system wide security implementation for all pam.d applications)
Google Two Factor Authentication
General Instructions
  • Install git, gcc, and make on your system
    $ apt-get install git make gcc
    $ yum install git make gcc

  • Execute git command as noted on google's site:
    $ git clone
  • Compile and install the google two factor auth PAM module and application
    $ cd google-authenticator/libpam/
    $ make install

  • Add the following lines to the /etc/pam.d/sshd
    auth required

  • Location of SSH server configurations

  • Add/modify the following stanza to SSH server configuration:
    ChallengeResponseAuthentication yes

  • Create Google two factor profile for SSH user and answer the setup questions based off your preferences
    $ google-authenticator

  • Restart SSH server
    $ service ssh restart (on CENTOS try $ service sshd restart)
Wrap Up
  • In Debian based systems you can comment out the system wide common-auth by simply adding a # to the beginning of the @include common-auth.
  • If you want to use google two auth with other applications simply add it to the appropriate /etc/pam.d/ file
  • Other useful PAM modules include the Barada module: libpam-barada (OTP with Android Client), pam_winbind (Samba Active Directory authentication module), and many more.
  • Make sure you have dual SSH connections and are sudo or su as a privileged user. Also make sure any files you configure today are backed up before you edit them.
  • When setting up Two Factor Auth profiles, go into cleanup mode to ensure you don't use the QR code url where it can be later retrieved from your url history. Also make sure you cleanup your command line and clipboard history so that emergency scratch codes and secret keys can't be found by wondering eyes.
Podcasts worth mentioning.


Subscribe to the comments RSS feed.

Comment #1 posted on 2013-01-15 23:37:05 by pokey

This one was awesome!

This is what Hacker Public Radio is all about. Well done, Beto, and thank you.

Comment #2 posted on 2013-01-20 16:07:46 by Ken Fallon

Google Service

Hi Beto,

Great show by the way. I had been looking into it myself but wasn't clear about something. Wouldn't it be possible for someone in Google to access your server as they maintain the key ? Not saying they would or anything but could you go into the privacy and security implications of this.


Leave Comment

Note to Verbose Commenters
If you can't fit everything you want to say in the comment below then you really should record a response show instead.

Note to Spammers
All comments are moderated. All links are checked by humans. We strip out all html. Feel free to record a show about yourself, or your industry, or any other topic we may find interesting. We also check shows for spam :).

Provide feedback
Your Name/Handle:
Anti Spam Question: What does the letter P in HPR stand for?
Are you a spammer?
What is the HOST_ID for the host of this show?
What does HPR mean to you?