The Requirement
Increase security when connecting via SSH to the Oracle OS account at Oracle Cloud by implementing two factor authentication (TFA or 2FA).
The Environment
- Oracle Cloud Instance
- OS: Oracle Linux 6.9
The Implementation
For this exercise we will implement Google Authenticator as our TFA solution in our Oracle Cloud Instance and configure it to secure the Oracle OS account.
Note: Google Authenticator doesn’t connect to Google when authenticating; all the work happens on your SSH server and your phone. Google Authenticator is open-source software, which means you can check the code yourself.
Step 1: Install dependencies for Google Authenticator Module
The first step is to connect to your server, in this case our Instance at Oracle Cloud, as root and, as shown below, install the required dependency package “pam-devel” by running:
$ yum install pam-devel
Step 2: Download Google Authenticator Module
You can find the source code of Google Authenticator here https://github.com/google/google-authenticator and compile it yourself, or download the compiled, ready-to-use version here http://dl.fedoraproject.org/pub/epel/6/x86_64/Packages/g/google-authenticator-0-0.3.20110830.hgd525a9bab875.el6.x86_64.rpm .
In my case, I decided to download the compiled version, as below:
$ wget http://dl.fedoraproject.org/pub/epel/6/x86_64/Packages/g/google-authenticator-0-0.3.20110830.hgd525a9bab875.el6.x86_64.rpm
Step 3: Install the Google Authenticator Module
Install the downloaded Google Authenticator module by issuing the rpm command as shown below:
$ rpm -ivh google-authenticator-0-0.3.20110830.hgd525a9bab875.el6.x86_64.rpm
Step 4: Run and configure Google Authenticator
The next step is to configure Google Authenticator for the Oracle OS user account. For this we will need to:
- Connect to the oracle account by issuing su - oracle
- Execute the command google-authenticator as oracle
- Enter y [yes] when asked to update your “~/.google_authenticator” file
- Enter y [yes] when asked to disallow multiple uses of the same authentication token
- Enter y [yes] when asked about tokens being good for 30 seconds and compensating for possible time-skew between the client and the server
- Enter y [yes] when asked to limit attackers to no more than 3 login attempts every 30s
Note 1: Please save the Secret Key, as we will require it later.
Note 2: Save the emergency scratch codes, as you never know when you will require one 😉
Note 3: Please keep the page with the secret code open; if not, the key will not work when entering it into the app later. If closed, just connect as user oracle and run the command to install and configure Google Authenticator again (step 4).
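As an added sanity check that is not part of the original post: a small shell script that verifies the ~/.google_authenticator file written in step 4 before you rely on it (file mode, a base32 secret on line 1, the two options chosen with the y answers above, and scratch codes still remaining). The file layout is the one the google-authenticator tool writes; the sample file, its secret and its scratch codes are constructed placeholders, and the script assumes GNU stat and grep (as on Oracle Linux).

```shell
#!/bin/sh
# Added example (not from the post): check a ~/.google_authenticator file
# produced in step 4 for the things that commonly break the PAM login later.

# check_ga_file FILE -> exit status 0 if every check passes, 1 otherwise
# (each failing check is reported on stderr).
check_ga_file() {
    gafile=$1
    rc=0
    if [ ! -f "$gafile" ]; then
        echo "missing: $gafile" >&2
        return 1
    fi
    # The secret must be readable by its owner only (0400 as written by the
    # tool, 0600 also accepted); pam_google_authenticator refuses wider modes.
    mode=$(stat -c '%a' "$gafile")
    case "$mode" in
        400|600) ;;
        *) echo "bad mode $mode on $gafile (expected 400 or 600)" >&2; rc=1 ;;
    esac
    # Line 1 is the base32 secret typed into the phone app (explicit alphabet
    # rather than A-Z so the check does not depend on the locale).
    secret=$(head -n 1 "$gafile")
    printf '%s\n' "$secret" \
        | grep -q '^[ABCDEFGHIJKLMNOPQRSTUVWXYZ234567]\{16,\}$' \
        || { echo "first line is not a base32 secret" >&2; rc=1; }
    # Options recorded by the two "y" answers in step 4.
    grep -q '^" DISALLOW_REUSE' "$gafile" \
        || { echo "DISALLOW_REUSE not set (token reuse allowed)" >&2; rc=1; }
    grep -q '^" RATE_LIMIT 3 30' "$gafile" \
        || { echo "RATE_LIMIT 3 30 not set (no login throttling)" >&2; rc=1; }
    # Emergency scratch codes are 8-digit lines; each one used is removed by
    # the module, so warn when none are left.
    n=$(grep -c '^[0-9]\{8\}$' "$gafile" || true)
    if [ "$n" -eq 0 ]; then
        echo "no emergency scratch codes left" >&2
        rc=1
    fi
    return $rc
}

# write_sample_ga_file FILE: constructed sample in the tool's layout, so the
# checker can be tried without touching a real account. The secret and the
# scratch codes are placeholders, not real values.
write_sample_ga_file() {
    cat > "$1" <<'EOF'
EXAMPLEEXAMPLE23
" RATE_LIMIT 3 30
" DISALLOW_REUSE
" TOTP_AUTH
11111111
22222222
33333333
EOF
    chmod 400 "$1"
}

# Usage: sh check_ga.sh /home/oracle/.google_authenticator
if [ $# -eq 1 ]; then
    check_ga_file "$1" && echo "OK: $1"
fi
```

Run it as root against the oracle user's file right after step 4; a failing check here is a common reason the PAM module rejects every code once step 5 is in place.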
Step 5: Configure SSH to use Google Authenticator PAM Module
Connect as root again and open your PAM configuration file /etc/pam.d/sshd (Using vi /etc/pam.d/sshd), then add the following line at the top of the file:
auth required pam_google_authenticator.so
Next up, open your SSH configuration file /etc/ssh/sshd_config (using vi /etc/ssh/sshd_config), and modify the line containing ChallengeResponseAuthentication no:
ChallengeResponseAuthentication no
(change it to)
ChallengeResponseAuthentication yes
To have these changes take effect, restart the SSH server using one of the commands below:
service ssh restart
(or)
service sshd restart
(or)
/etc/init.d/ssh restart
(or)
/etc/init.d/sshd restart
Why show 4 commands? Because, depending on your Linux distribution, the SSH daemon service is named sshd on some and ssh on others, some have the service command installed, and some require you to go into the /etc/init.d folder and restart the SSH service manually.
Note: Do not forget to set a password for the oracle user if not done previously.
$ passwd oracle
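The edits of step 5 applied by script, as an added example rather than code from the post: the functions take the file paths as parameters so they can be tried on copies first, keep a .bak of each original, and are safe to run twice. It also sets UsePAM yes, which the post does not mention but which sshd requires before it will run any PAM module (already the default on Oracle Linux). The sample files are constructed stand-ins for /etc/pam.d/sshd and /etc/ssh/sshd_config; the script assumes GNU sed and an sshd_config without Match blocks.

```shell
#!/bin/sh
# Added example (not from the post): apply the step 5 configuration changes
# idempotently, with a backup of each file touched.

# add_pam_line PAMFILE: put the Google Authenticator line at the top of the
# PAM stack (so the code is asked before the password), only once.
add_pam_line() {
    pamfile=$1
    pamline='auth required pam_google_authenticator.so'
    if grep -qF "$pamline" "$pamfile"; then
        return 0            # already present, nothing to do
    fi
    cp -p "$pamfile" "$pamfile.bak"
    { echo "$pamline"; cat "$pamfile.bak"; } > "$pamfile"
}

# set_sshd_option FILE KEY VALUE: rewrite every active "KEY ..." line, or
# append one if the keyword is only present commented out / absent.
# sshd uses the first active occurrence of a keyword, so all active copies are
# rewritten to the same value. Keywords inside Match blocks would be rewritten
# too, which is why the script assumes there are none.
set_sshd_option() {
    conf=$1; key=$2; val=$3
    if grep -q "^[[:space:]]*$key[[:space:]]" "$conf"; then
        sed -i "s/^[[:space:]]*$key[[:space:]].*/$key $val/" "$conf"
    else
        echo "$key $val" >> "$conf"
    fi
}

# get_sshd_option FILE KEY: print the value sshd would use (first active line).
get_sshd_option() {
    awk -v k="$2" '$1 == k { print $2; exit }' "$1"
}

# apply_2fa_config PAMFILE SSHD_CONFIG: the whole of step 5 in one call.
apply_2fa_config() {
    add_pam_line "$1"
    cp -p "$2" "$2.bak"
    set_sshd_option "$2" ChallengeResponseAuthentication yes
    # Not in the post: without UsePAM yes sshd never consults /etc/pam.d/sshd.
    set_sshd_option "$2" UsePAM yes
}

# write_sample_configs DIR: constructed samples to rehearse on before touching
# the real files under /etc.
write_sample_configs() {
    cat > "$1/sshd.pam" <<'EOF'
# PAM configuration for sshd (constructed sample)
auth       required     pam_sepermit.so
auth       include      password-auth
EOF
    cat > "$1/sshd_config" <<'EOF'
# sshd_config (constructed sample)
Port 22
#ChallengeResponseAuthentication yes
ChallengeResponseAuthentication no
EOF
}

# Usage: sh enable-2fa.sh /etc/pam.d/sshd /etc/ssh/sshd_config
if [ $# -eq 2 ]; then
    apply_2fa_config "$1" "$2"
    echo "ChallengeResponseAuthentication=$(get_sshd_option "$2" ChallengeResponseAuthentication)"
    echo "UsePAM=$(get_sshd_option "$2" UsePAM)"
fi
```

After running it against the real files, check the result with sshd -t before restarting the daemon, and keep your current root session open in another terminal until a fresh login with the code has succeeded; the .bak files are there to roll back if it has not.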
Step 6: Configure your SmartPhone for Google Authenticator App
Now it is time to install the Google Authenticator app on your phone and configure it. You can download it from:
- Android: https://play.google.com/store/apps/details?id=com.google.android.apps.authenticator2&hl=en
- iOS: https://itunes.apple.com/au/app/google-authenticator/id388497605?mt=8
- Blackberry: http://www.google.com/mobile/other
More detailed per device install instructions can be found on this page:
Assuming you managed to install the app properly, launch the Google Authenticator app on your smartphone (my example is with iOS).
Click on Begin Setup at the bottom of the screen and select Manual Entry.
Enter an Account Name that will easily identify it for you, enter the Secret Key generated when you installed and configured Google Authenticator in step 4, then click OK at the top right of the screen.
Now you are ready to use it 🙂
Step 7: Test Connectivity
Now connect to your oracle account on your server via ssh, enter the Google Authenticator code shown in your app, then enter the password for your oracle user and, DONE!
Have fun, Francisco Munoz Alvarez
Thanks for this, great blog with clear steps to follow. One question, does this only work in Cloud environments or is it possible to use in an On Premise setup also? And also for various other users?
Thanks
David
Hi David, thank you so much for your kind words. Regarding your question, it can be implemented on any Cloud environment and on premise also. I have implemented it on many on-premises environments before with success. You can implement it for any OS user and also use the same authentication on different servers by installing everything on the other servers and copying your initial .google_authenticator file to the servers. This way you can use your code to access all your servers instead of having a code for each one.
Hope this helps, Francisco