This is a transcript for a video linked here: Using Multi-Factor Authentication on Linux / Raspberry Pi with Google Authenticator
[0:00:00] Two-factor authentication, multi-factor authentication and Google Authenticator: these are all variations on the theme. They can significantly improve the security of your system with no additional cost. In this video I'm going to show you how you can use them to secure SSH login to a Linux computer, including a Raspberry Pi IoT device.

[0:00:25] I'm going to go over some of the reasons that it's such a good idea, then I'll give a practical example using Google Authenticator, which I'm going to do on a Raspberry Pi, and briefly discuss some of the potential problems, such as how to get in if you don't have your phone, and a couple of alternatives.

[0:00:47] I've already explained some of these problems with usernames and passwords. Two of my earlier videos are shown here; see the description with links to these videos. So I'm not going to repeat those, but we'll say that multi-factor authentication is one of the best ways of adding security that adds to the standard username and password security.

[0:01:12] So what is multi-factor authentication? As its name suggests, the aim of multi-factor, or two-factor authentication if you prefer, is to add another step in the login process to make it more difficult for hackers to get in. There are some differences, in that multi-factor authentication could add even more steps rather than just the two, but typically these refer to the same thing and can often be used interchangeably. Let's show some good and bad examples.

[0:01:45] So the first factor is typically still your username and password. In the past then some sites may try and make it harder for attackers by adding an additional check. For example, your bank may have asked you for your place of birth or your mother's maiden name. This did add an extra level of security, but it's information that hackers could find out about potential victims, particularly if you have your social network profiles public. So it's not particularly good. Instead, when we're talking about multi-factor authentication or two-factor authentication, it's usually about two different things: one is something you have and the other is something you know.

[0:02:33] In the physical world you can see a good example with chip and PIN as used on credit cards, or card and PIN used in an ATM. The something you have is your card; this has information encoded in the stripe or the chip as the first factor. The thing you know is your PIN number. This means that even if somebody steals your card then they cannot use it in an ATM without also knowing the PIN number.

[0:03:05] In the virtual world we can't rely on a card, which could be spoofed, but instead we can use something you know, which is the password, which is typically used in the single-stage authentication. The other thing almost everyone has is a mobile phone. There are various ways we can test if someone has a particular phone in their possession, which usually involves either an SMS / text message or, as I will demonstrate in this video, using a smartphone app.

[0:03:40] The reason that this is more secure is that whilst the password can be guessed, it would not be possible to do so for a one-time code from a mobile phone. On the other hand, we wouldn't want to use the phone alone, as then if someone was able to steal that they would be able to log in using that. So even if the phone is locked, in the case of text messages they may be able to use the SIM card in another phone, for instance, so that way they can still receive one-time codes. So the password is still an important factor.

[0:04:15] The particular example I'm going to show here is for SSH logins to a Linux computer. The reason this is useful is that SSH provides a way to manage the system from anywhere, but doing so exposes the system to password guesses and dictionary attacks. Adding a second factor removes that exposure.

[0:04:40] What will happen is that when you try and log in and you use the normal username and password (assuming you are using that rather than key-based authentication, but I'm not going to go into that here), and if that is successful, then you also need to validate using Google Authenticator from your phone. So I'm going to show here how you can install multi-factor authentication, specifically Google Authenticator, onto a Linux computer. In this case I'm going to be using a Raspberry Pi, but it could be any Linux computer, and the instructions will be specifically for Debian-based systems such as the Raspberry Pi. This is going to secure SSH logins, so this means that you can have SSH open to an insecure network such as the internet, and anyone having to log in via that method would have the second-stage authentication and need to be authenticated using Google Authenticator, normally through your mobile phone.

[0:05:46] This is a Linux computer that I'll be using to test the setup and to log in with, and this is the Raspberry Pi that I'll be configuring and logging into. I'm going to be doing this using the graphical screen, but you don't need to; that's maybe something you need to do a little bit differently, which I'll explain later, if you don't have a graphical screen, a monitor, connected to the computer that you wanted to secure, the Raspberry Pi in my case.

[0:06:24] I'm going to first show how you can SSH without this in place. So go to SSH to my Raspberry Pi here. I've used my own username, so username stewart, and then the IP address. So this is a local IP address that this is currently running on; you use whatever IP address has been allocated to your computer, or if it's connected to the internet then your forward-facing internet address. And in this case it's just the normal password, so that's how it's set up at the moment.

[0:07:07] I'm going to now change this so that it will add an additional stage when we log in. So you can do it through this, but I'm going to exit this; I'm going to switch back to the actual Raspberry Pi itself and we're going to do the configuration on here.

[0:07:28] The first thing you'd probably want to do is actually not on the computer itself, but go to the appropriate store, Google Play Store or Apple store, and download the Google Authenticator to your mobile phone, and then we'll come back to that later.

[0:07:50] On here I'm going to start the terminal. I've got this quite large to make it easy to show the commands, but I will have to change the font size later.

[0:08:06] I'm going to do a quick update because I noticed that I've got some updates that are waiting, so I'm going to do an update and then upgrade. That's a useful thing to do before most installs: whenever you wanted to install something new, make sure you're just up to the latest version.

[0:08:56] So now we're up to date, I'll install the package that we need, which is through sudo apt install libpam-google-authenticator. So PAM is the pluggable authentication modules, which is what's used by Linux for logon authentication. So it is also asking to install another package as well to do the encoding, but it doesn't take long to install that. So that's now installed.

[0:09:46] And now we can pair this with our phone. We can do this using just type in google-authenticator. Make sure you're logged in as the user that you're wanting to authenticate with here. You usually want time-based tokens, so yes to that. And now what it's provided is a QR code. So the problem is that it's using the text terminal to do this, but you're gonna have to set the font really quite small. So mine's intentionally really big to make it easier for seeing on the video; I'm going to drop this down to about six, I think it's probably going to be.

[0:10:42] So as you can see we've now got this QR code, and what you can do is go into Google Authenticator. If this is the first time that you've used Google Authenticator then it'll ask you to add a new one, or if not then just hit the plus button, choose scan a QR code, and then if you scan that with your phone it will connect. It will give it the name of your host name and it will basically have added it to the authenticator.

[0:11:24] What I'll now do is change the screen size so that we can see it better; change that back to 22, and we don't need to see the barcode anymore. And it says enter the code from the app. So what you can do here, just to test that it's paired properly, is click on reveal the PIN in the app and enter your code.

[0:12:04] OK, so if you enter the code that gives you (and it just changed between entering that), so it'll create this: it gives you some emergency scratch codes. Now these are something that you could print off, say, and keep somewhere safe. It's important that if you do use these, you do need to keep them safe, because if not then somebody can use those instead of the authenticator. But this is useful if you don't have your phone with you or you've got a problem with that. And each of these can only ever be used once, so if you use one then that will just drop off the list, and you can regenerate more if you need them.

[0:12:48] Choose yes to update your Google Authenticator file. And there's a few questions it's going to ask now, and these are minor little things that can change the security level, but only in a small way compared to the fact that we're adding multi-factor authentication. These are quite small and it's down to your personal preference and situation what you want to do here. I'm going to say that I'm going to allow multiple users, so that means you can log on twice at the same time, so I'm going to use no.

[0:13:36] Then this is possible time differences between, say, your phone and the system that you're running in. If you say yes then it's going to allow a lot more codes than otherwise, but it's only a very small thing. And you can put rate limiting on to prevent people doing multiple login attempts. I think that's quite a useful thing if you haven't already got something on your system that restricts that, so which is yes. And then that's it set up.

[0:14:16] Now I'll just show you the alternative if you are on a console and you're not able to shrink that QR code down, for whatever reason, so that you can use the QR code. So if we just go through the same process again, we've also got this secret key here. So if you click the plus on your Google Authenticator, enter a setup key, you can add your account name here, so you put in here a name that relates to the name of your system, and then you put in this key. So obviously this is going to take a little bit longer than just scanning the barcode, so just do that. If I enter that and then try that, you see that works as well, in exactly the same way. I'm not going to save this one because I'm going to use the one that I used with the barcode instead, so I'll just say no at this point.

[0:15:36] So now we've installed it, we've just created the authenticator, but now we need to choose what services have to authenticate on this. And say on this one I'm just going to be using SSH, which is probably quite a useful one because it prevents people getting that console access and secures your system in that way.

[0:16:01] So we do that by updating the PAM, pluggable authentication modules, and we do that so I'm just going to have to do this as sudo because we're doing this as root for all the systems. I'm using the vi editor but you can use whatever editor you prefer, and it's in the PAM configuration file directory and it's the sshd file that we're going to edit. I'm going to just go straight to the bottom of this file, and then after this (so this is saying use the common password method) we're going to add auth required pam_google_authenticator.so, which is the library file that is used. I'm going to put nullok, but this option depends upon what you want to do.

[0:17:08] When you're putting nullok, what that means is that if you've set up Google Authenticator for that account then you must use Google Authenticator; if you've got another account which has not been set up for Google Authenticator then you will just have the single-stage password authentication. So it depends on the security you want on your system. I'm going to put nullok, and so I'm only using this one username anyway, but if you wanted to lock it down further just remove that part. And then I'm just going to save that.

[0:17:51] I now also need to update SSH so that that's going to use that module as well. So this is /etc/ssh/sshd_config, the standard configuration file for SSH, and I'm going to search for challenge response, and we find this entry here: ChallengeResponseAuthentication no. And we just need to change that to yes. Save and quit, and now restart the sshd daemon. And that's it, so that's now fully set up.

[0:18:44] So if I go into my other computer, I'll just move that out the way, and we can try that SSH login again. So remember before it lets us just use the password. I'm going to do the same, so it's asking for my password as it did before, but now it's looking for this verification code, and this is the second stage. So go to my phone, reveal the PIN and then just type that in, and then we're logged in.

[0:19:24] That's the setup complete. So it wasn't too laborious, but now that we've got it set up, literally it's a case of just having your phone with you, using your password and then adding that code as well. So it's still quite easy to log on as long as you've got your phone with you. Remember, if you haven't got your phone with you, you've got those emergency codes; preferably you've locked those in a safe or something there, so that those cannot be used by anybody else.

[0:19:56] There are some potential problems to using Google Authenticator. The main problem is if you forget, lose or break your phone; unfortunately that means you can't use it to authenticate. You may have a copy of the temporary codes that were generated, which could be used, although that then adds a potential way that a hacker could get in if they are able to steal those. If this happens then you may need to get someone to log in and issue you with a temporary code, or you may need to physically log into the computer. Alternatively, you could use a service which gives you different alternatives, such as using SMS or phone call verification.

[0:20:43] So there are other alternatives. I'm just going to show one, which is Twilio Authy. This is a commercial service which you could use; it has different pricing structures, which does include a free option. There are several other alternative products though, and note that whilst I do use Google Authenticator myself, I've not used any of these other services, and I'm not sponsored by any of these, so it's just something you may want to look into.

[0:21:12] In summary, this has explained why multi-factor authentication is important and shown how this can be implemented using Google Authenticator. I'd be interested in hearing if you've implemented Google Authenticator or any of the other two-factor authentication apps or services; please drop a comment below to let me know. If you found this useful, please give the video a like so that others get to see the video. Please subscribe to see future videos. Thanks for watching, and look forward to seeing you on a future video.
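The time-based tokens, the time-difference (skew) question, the rate-limiting question and the single-use emergency scratch codes that the video walks through at setup time are all checks that the PAM module performs at login. The following is an added Python model of those checks, written for this transcript; it is not code from the video or from the libpam-google-authenticator project. It implements RFC 6238 TOTP the way Google Authenticator computes it (HMAC-SHA1, 30-second step, 6 digits) and layers the setup options on top. The class name, the `rate_limit` tuple and all secrets, scratch codes and timestamps are constructed for the example; the one secret used is the RFC 4226 test vector, not a real key.

```python
"""Model of the checks a TOTP second factor applies at SSH login.

Added example for this transcript, not code from the video or from the
libpam-google-authenticator project. All keys, scratch codes and timestamps
are constructed test values.
"""
import base64
import hashlib
import hmac
import struct
import time

STEP = 30     # seconds per TOTP time step (Google Authenticator default)
DIGITS = 6    # code length shown in the app


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: int, step: int = STEP) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    return hotp(secret, at // step)


def decode_setup_key(text: str) -> bytes:
    """The 'setup key' typed into the app by hand is the shared secret in base32."""
    text = text.replace(" ", "").upper()
    return base64.b32decode(text + "=" * (-len(text) % 8))


class SecondFactor:
    """In-memory stand-in for one user's authenticator state (hypothetical class)."""

    def __init__(self, secret, scratch_codes, allow_skew=False,
                 allow_reuse=False, rate_limit=(3, 30)):
        self.secret = secret
        self.scratch = set(scratch_codes)   # emergency codes, each usable once
        self.allow_skew = allow_skew        # also accept the previous/next step
        self.allow_reuse = allow_reuse      # accept the same token a second time
        self.rate_limit = rate_limit        # (max failures, window in seconds)
        self.last_counter = None
        self.failures = []

    def verify(self, code: str, now=None) -> bool:
        now = int(time.time()) if now is None else now
        limit, window = self.rate_limit
        # Rate limiting: forget old failures, refuse while the window is full.
        self.failures = [t for t in self.failures if now - t < window]
        if len(self.failures) >= limit:
            return False
        ok = self._check(code.strip(), now)
        if not ok:
            self.failures.append(now)
        return ok

    def _check(self, code: str, now: int) -> bool:
        # Scratch codes: accepted once, then dropped from the list.
        if code in self.scratch:
            self.scratch.discard(code)
            return True
        counter = now // STEP
        offsets = (-1, 0, 1) if self.allow_skew else (0,)
        for off in offsets:
            c = counter + off
            if hmac.compare_digest(hotp(self.secret, c).encode(), code.encode()):
                # Replay protection: a token for a step already used is rejected.
                if (not self.allow_reuse and self.last_counter is not None
                        and c <= self.last_counter):
                    return False
                self.last_counter = c
                return True
        return False


if __name__ == "__main__":
    # RFC 4226/6238 test secret "12345678901234567890" in base32; not a real key.
    secret = decode_setup_key("GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ")
    print("code at t=59:", totp(secret, 59))            # 287082 (RFC 6238 appendix B)
    sf = SecondFactor(secret, ["84193027"], allow_skew=True)
    print("accepted within skew window:", sf.verify(totp(secret, 59), now=65))
```

The design mirrors the three setup prompts: `allow_reuse=False` is the "disallow multiple uses of the same token" answer, `allow_skew=True` is the "time differences" answer (it roughly triples the number of codes accepted at any instant, which is why the video calls it a small trade-off), and `rate_limit=(3, 30)` is the three-attempts-per-30-seconds limit. Scratch codes are consumed on first use, which is the behaviour the video describes for the emergency codes.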