
Ian Vellosa

Using Google Authenticator to protect sudo on Raspberry Pi


For a long time, I've been thinking that it would be nice to play around with two-factor authentication (2FA) for the root account on my Raspberry Pis. This week I've finally got around to doing it, and as with so many tasks on the Pi, once you get going it's pretty straightforward with Google Authenticator.

The steps I want to follow are:

  • Create a standard user account, from which the sudo commands will be issued.
  • Block ssh access to the root user
  • Enable Google authenticator for sudo commands

Setting up sudo access

If you have not already created personal accounts on your box, run the adduser command:

adduser -u 1001 <user>

We also need to make sure that the sudo command is installed, so as root we run the commands:

apt-get update

apt-get install sudo

Leave the current terminal window open (we want one session logged in as root on the Pi until we are certain that everything is working properly), start a new terminal window, log in to the Pi as your personal user and try out the sudo command:

ssh <user>@pi

sudo su -

This will initially ask you for your personal password, after which it will fail with a message that looks something like:

<user> is not in the sudoers file. This incident will be reported.

Next, edit the /etc/group file, find the line starting with sudo, and add your user id:

tape:x:26:

sudo:x:27:<user>

audio:x:29:

If there is more than one user id in the group, they should be separated by commas.

Now if you run the sudo command again, you should be asked for your personal (not root) password, which when entered will give you root access to the box.
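As an added example (not from the original post), the following Python code applies the /etc/group edit described above to an in-memory copy of the file, so you can see exactly what the comma-separated member list should look like, including the cases of an empty list and of a user who is already present. The sample lines and user names (alice, bob) are constructed. On a live system, usermod -aG sudo <user> or vigr does the same edit while locking the file; this code only shows the transformation.

```python
# Added example: manipulate the member list of a group line in the format
# used by /etc/group ("name:password:gid:member,member,...").

# Constructed sample of the relevant lines of /etc/group (not a real file).
SAMPLE_GROUP = """tape:x:26:
sudo:x:27:
audio:x:29:pi
"""


def parse_group_line(line: str):
    """Split 'name:password:gid:members' into its four fields; the member
    field becomes a list, empty when the field is empty."""
    name, passwd, gid, members = line.rstrip("\n").split(":", 3)
    return name, passwd, gid, [m for m in members.split(",") if m]


def members_of(text: str, group: str) -> list:
    """Return the member list of `group`, or raise KeyError if it is absent."""
    for line in text.splitlines():
        if line and not line.startswith("#"):
            name, _, _, members = parse_group_line(line)
            if name == group:
                return members
    raise KeyError(group)


def add_to_group(text: str, group: str, user: str) -> str:
    """Return `text` with `user` appended to the member list of `group`.
    Idempotent: a user already listed is not added twice, and a previously
    empty list does not gain a stray leading comma."""
    out = []
    found = False
    for line in text.splitlines():
        if line and not line.startswith("#"):
            name, passwd, gid, members = parse_group_line(line)
            if name == group:
                found = True
                if user not in members:
                    members.append(user)
                line = ":".join((name, passwd, gid, ",".join(members)))
        out.append(line)
    if not found:
        raise KeyError(f"group {group!r} not present")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    updated = add_to_group(SAMPLE_GROUP, "sudo", "alice")
    updated = add_to_group(updated, "sudo", "bob")
    print(updated, end="")
    print("sudo members:", members_of(updated, "sudo"))
```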

Removing root ssh access

Now that we can log on to the box with our personal account and run the sudo command, we should also block the root user from being able to ssh onto the box. This is done by editing the file /etc/ssh/sshd_config: in the authentication section, change the value of PermitRootLogin from yes to no:

# Authentication:

LoginGraceTime 120

PermitRootLogin no

StrictModes yes

While we are modifying the sshd_config file, we will also ensure that the ChallengeResponseAuthentication flag is set to yes (the default was no):

# Change to yes to enable challenge-response passwords (beware issues with

# some PAM modules and threads)

ChallengeResponseAuthentication yes

You will then need to restart the ssh service for this to take effect:

service ssh restart

Now if you try to ssh to the box as root, you will find that permission is denied, as if you had entered an incorrect password. You should still be able to log in with your personal account.
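The check a practitioner wants after editing sshd_config is whether the values are actually in effect, because sshd keeps the first value it reads for a keyword and silently ignores later duplicates. The following Python script is an added example (not part of the original post) that parses the global section of an sshd_config the way sshd does (first value wins, keywords case-insensitive, comments skipped, parsing stopped at the first Match block) and reports whether PermitRootLogin and ChallengeResponseAuthentication hold the values set above. Both config fragments are constructed; the second shows the common mistake of appending PermitRootLogin no below an existing PermitRootLogin yes. On the live box, sshd -T prints the effective configuration and is the authoritative check.

```python
import re

# Constructed sshd_config fragments (not real files). GOOD_CONFIG mirrors the
# edits in the write-up; SHADOWED_CONFIG has a later "no" that sshd ignores.
GOOD_CONFIG = """# Authentication:
LoginGraceTime 120
PermitRootLogin no
StrictModes yes

# Change to yes to enable challenge-response passwords (beware issues with
# some PAM modules and threads)
ChallengeResponseAuthentication yes
"""

SHADOWED_CONFIG = """PermitRootLogin yes
ChallengeResponseAuthentication no
# appended later, but sshd keeps the first value it obtained:
PermitRootLogin no
"""

# Values the write-up sets; keys are lower-cased because sshd compares
# keywords case-insensitively.
EXPECTED = {
    "permitrootlogin": "no",
    "challengeresponseauthentication": "yes",
}


def parse_sshd_config(text: str) -> dict:
    """Return the effective keyword -> value mapping for the global section.
    sshd uses the FIRST value obtained for each keyword; keywords may be
    written as `Key value` or `Key=value`. Parsing stops at the first Match
    block because those settings are conditional on the connection."""
    effective = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            break
        effective.setdefault(key, value)  # later duplicates are ignored
    return effective


def audit_sshd_config(text: str) -> list:
    """Return a list of findings; an empty list means every expected
    setting is in effect."""
    effective = parse_sshd_config(text)
    findings = []
    for key, want in EXPECTED.items():
        got = effective.get(key)
        if got is None:
            findings.append(f"{key}: not set explicitly, compiled-in default applies")
        elif got.lower() != want:
            findings.append(f"{key}: effective value is {got!r}, expected {want!r}")
    return findings


if __name__ == "__main__":
    for name, cfg in (("good", GOOD_CONFIG), ("shadowed", SHADOWED_CONFIG)):
        print(name + ":", audit_sshd_config(cfg) or "OK")
```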

Adding Google Authenticator 2FA

Firstly, make sure that you have Google Authenticator (or a compatible tool) installed on your phone.

Now we are going to install the PAM module on the Raspberry Pi; again this is done via apt-get:

apt-get install libpam-google-authenticator

Once the installation has completed, we are going to create a time-based token which will be used for authentication. For this we run the command:

google-authenticator --secret=/root/<user>.google_authenticator

This places the time-based 2FA secret in the root user's home directory. By default, if you do not specify a location for the secret, it is placed in a .google_authenticator file in the user's home directory, which the user has full access to. I didn't want to do this, as once you have access to the user account, having the 2FA secret readable adds nothing from a security standpoint.

A number of questions are asked when generating the authentication key; you can simply answer yes to all of them.

There are two ways to set up the key on your phone; pressing the big plus symbol at the bottom of the screen starts this process. The first option is to scan the barcode which is printed as part of the generation script. The second is to type in your new secret key via the keyboard. After doing this you should see a 6-digit number on your phone which changes every 30 seconds.

Finally, at the end of the files:

  • /etc/pam.d/su
  • /etc/pam.d/sudo

Add in the line:

auth required pam_google_authenticator.so user=root secret=/root/${USER}.google_authenticator

Now if you start a new session, log in to your Pi as your personal user and run the sudo command, you should be asked first for your password, and once this succeeds you will be asked for the verification code from the authenticator app on your phone.
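To make concrete what the PAM module is checking when it asks for that code, and what the secret file under /root contains, here is an added Python example that is not part of the original post and not the module's own code. It parses a constructed .google_authenticator file (first line the base32 secret, lines beginning with " the options the generator writes, remaining lines the emergency scratch codes), computes the 6-digit, 30-second TOTP value from the secret as in RFC 6238, and verifies a submitted code against a small window of adjacent time steps. The secret used is the RFC 6238 test key, so the computed values can be checked against the RFC's published vectors; how the window parameter maps onto the module's WINDOW_SIZE option is my reading of that option, not something the post states.

```python
import base64
import hashlib
import hmac
import struct
import time

# Constructed .google_authenticator content (the RFC 6238 test key, not a real
# secret). Everything in this file is sensitive: the secret reproduces every
# future code and the scratch codes bypass the phone entirely, which is why
# the write-up keeps it under /root rather than in the user's home directory.
SAMPLE_SECRET_FILE = """GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ
" RATE_LIMIT 3 30
" WINDOW_SIZE 3
" DISALLOW_REUSE
" TOTP_AUTH
12345678
87654321
"""


def parse_secret_file(text: str) -> dict:
    """Split the file into its secret, option lines and scratch codes."""
    lines = [l.rstrip() for l in text.splitlines() if l.strip()]
    options = [l[2:] for l in lines[1:] if l.startswith('" ')]
    scratch = [l for l in lines[1:] if not l.startswith('"')]
    return {"secret": lines[0], "options": options, "scratch_codes": scratch}


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then
    dynamic truncation to a 31-bit integer, reduced to `digits` digits."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret_b32: str, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP with the counter set to floor(unix_time / step)."""
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)
    return hotp(base64.b32decode(padded), at // step, digits)


def verify_code(secret_b32: str, code: str, at: int, window_size: int = 3) -> bool:
    """Accept `code` if it matches any of `window_size` consecutive steps
    centred on the current one (3 = previous, current, next), which is how
    I read the module's WINDOW_SIZE option (assumption). Every candidate is
    compared in constant time and none is skipped, so timing does not reveal
    which step matched."""
    half = window_size // 2
    matched = False
    for skew in range(-half, half + 1):
        candidate = totp(secret_b32, at + skew * 30)
        matched |= hmac.compare_digest(candidate, code)
    return matched


if __name__ == "__main__":
    info = parse_secret_file(SAMPLE_SECRET_FILE)
    now = int(time.time())
    print("options:", info["options"])
    print("scratch codes on file:", len(info["scratch_codes"]))
    current = totp(info["secret"], now)
    print("current code:", current, "accepted:", verify_code(info["secret"], current, now))
```

The RFC 6238 vectors for this key give 94287082 at t=59 and 89005924 at t=1234567890 for eight digits; the six-digit codes the phone shows are the last six of those. Note that verification needs nothing but the secret and the clock, which is the whole reason the file's permissions and location matter as much as the password's.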


While putting together this guide, there were a couple of sources that helped:

  • How-To Geek had a nice write-up of the basics, and
  • the Arch Linux wiki has a nice page describing the parameters that can be used when generating the key and configuring PAM.