In Best Practices, Blog

Google Authenticator is pretty great. It allows me as an administrator to setup and configure multi-factor authentication into my UNIX boxes without having to spend money on a tool like YubiKey or RSA tokens. It’s easy to set up on any type of phone – no specialized hardware or dongles needed. It’s also pretty cool in that you don’t have to have network access from the server to the outside world. Since Google Authenticator is time-based, it doesn’t need to send an SMS or do a call out to a centralized server to get the current valid token.

We are particularly fond of Google Authenticator because we leverage it for our multi-factor auth within JumpCloud’s Directory-as-a-Service® platform. IT admins can set MFA access to the JumpCloud® user and admin consoles. Additionally, system level MFA can be instituted for Linux and Mac devices (Windows is coming soon!).

What is a bit painful, though, is having to have a different Google Authenticator token for every one of my servers. The standard setup would have you run the google-authenticator command on each and have as many tokens as you have servers. Obviously, this quickly becomes unwieldy and untenable.

Instead, I want to have one Google Authenticator token for multiple servers. Here’s how I installed and configured Google Authenticator on each system

First Machine 

My first machine I’m going to install Google Authenticator and create a secret key – the exact flow I’d use normally.

1 – Install Google Authenticator. This is pretty well documented, examples at untrusted connection and How-To Geek. I won’t walk through each step since this part varies from OS to OS – the rest of the steps are identical however.

$ sudo apt-get install libpam-google-authenticator
…

2 – Restart the ssh service

$ sudo restart ssh

3 – Run the google-authenticator command to generate a secret key for your account which you’ll store in your phone. This information will be stored in a configuration file that we’re going to get into later. I don’t need to comment that you actually have to enter the secret key into your phone, do I?

$ google-authenticator
Your new secret key is: HZGVGLVG2ES4N5DW
Your verification code is 352297
Your emergency scratch codes are:
45850250
14934076
63800816
93689045
82870703

4 – Give it a spin. From another shell go ahead and try it out.

$ssh topher@192.168.56.101
Password:
Verification code:
Welcome to Ubuntu 12.04.3 LTS (GNU/Linux 3.8.0-29-generic i686)

5 – Let’s take a look at the configuration file. We’re going to copy these contents to our other machines that we want to have the same secret key.

$ cat ~/.google_authenticator
HZGVGLVG2ES4N5DW
" TOTP_AUTH
45850250
14934076
63800816
93689045
82870703

Installing Google Authenticator On Additional Machines

For all other machines I’m going to install Google Authenticator as normal, but I’m going to use the secret key from the first machine. This will let me log into each of them using that same secret key that I stored from the first machine.

1 – Install Google Authenticator. Again, other places describe this in detail. We’re going to install the program but not do the creation of any secret keys

$ sudo apt-get install libpam-google-authenticator 
…

2 – Create the configuration file and add the content that we got from the other machine:

$ cat ->> ~/.google_authenticator
HZGVGLVG2ES4N5DW
" TOTP_AUTH
45850250
14934076
63800816
93689045
82870703
<ctrl-D>

3 – Set permissions for the configuration file.

$ chmod 400 ~/.google_authenticator

4 – Restart the ssh service.

$ service ssh restart

5 – Test the login

$ ssh topher@192.168.56.101
Password:
Verification code:
Welcome to Ubuntu 12.04.3 LTS (GNU/Linux 3.8.0-29-generic i686)

Voila! A shared Google Authenticator secret key across my servers! Happy day.

Recent Posts