2-factor authentication (2-step verification) with Google Compute Engine

Is it possible to enable two-factor authentication (or two-step verification, in Google's terminology) for Google Compute Engine? I am interested in protecting my virtual machines, cloud storage and developer console.

I tried to use Google Authenticator (libpam) with reference to this article, Protecting SSH with two-factor authentication using Google Authenticator, in a virtual machine, but it failed (I was able to log in using the gcloud compute shell without an additional code).

[Jan 12] Some updates: Google Developer Console is working fine. Thank you

For two-step verification with access via SSH from Compute Engine, I repeated everything again. I followed the instructions in the provided links and did the following:

  • I created a new Google-Cloud project.
  • I used 2 different OS instances - Debian 8.2 and Ubuntu 15.10.

All these tests failed - there was no request for a verification code. I looked in the Google Compute Engine documentation and they explicitly mention that they only support certificate authentication (and not username / password), so I can’t check if this is the main reason.

Is there anyone using two-step verification with Google Compute Engine?

thanks

+7
2 answers

Finally a solution (thanks for supporting Google Cloud).

A few updates at the top of the document I talked about:

In addition to adding a line to /etc/pam.d/sshd, you should also comment out the @include common-auth line. Therefore, it should be something like:

    # from the original instructions
    auth required pam_google_authenticator.so
    # commenting out is new...
    # @include common-auth

In addition to changing the ChallengeResponseAuthentication property in /etc/ssh/sshd_config, you must also add AuthenticationMethods publickey,keyboard-interactive on the following line:

    # from the original instructions
    ChallengeResponseAuthentication yes
    # this is new...
    AuthenticationMethods publickey,keyboard-interactive

Of course, this applies to the usual instructions for installing libpam-google-authenticator, changing sshd and sshd_config (as mentioned above), restarting the ssh/sshd service, and setting up google authenticator for the account.

Finally, a few more points:

  • Observe this carefully: after restarting the ssh/sshd service, no one can log in without the proper 2FA. Therefore, make sure that anyone who needs access to ssh has configured it correctly.
  • I am considering whether this is a suitable solution for us, since it requires setting up virtual machines (each individual virtual machine) and manually configuring authentication for each account and each virtual machine. Not sure how scalable this alternative is. I would be grateful for your thoughts ...
  • Last, but not least, the installation of libpam-google-authenticator can be simplified with apt-get, without having to manually install all the dependencies and build it. Worked for me by running:

    sudo apt-get install libpam-google-authenticator

Good luck

+5
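
A read-only check for the settings this answer describes and for its lockout warning, added here as an example (not part of the original answer or of any Google tooling). The function names and the idea of one base directory holding all home directories are assumptions; `~/.google_authenticator` is the module's default secret file.

```shell
#!/bin/sh
# Added example (not from the original post): audit the two files the answer edits.

# Print the first uncommented value of an sshd_config keyword (sshd uses the
# first occurrence). Match blocks and Include files are not followed.
sshd_value() {  # $1 = keyword, $2 = file
    awk -v k="$1" 'tolower($1) == tolower(k) {
        sub(/[ \t]*#.*/, ""); $1 = ""; sub(/^[ \t]+/, ""); print; exit }' "$2"
}

# Usage: audit_2fa PAM_FILE SSHD_CONFIG ; returns the number of problems found.
audit_2fa() {
    pam=$1; sshd=$2; problems=0
    fail() { echo "FAIL: $1"; problems=$((problems + 1)); }

    # The verification-code module must be an active auth line.
    grep -Eq '^[[:space:]]*auth[[:space:]]+[^#]*pam_google_authenticator\.so' "$pam" ||
        fail "pam_google_authenticator.so is not an active auth line in $pam"

    # The answer comments this out so the auth stack is the code prompt only.
    grep -Eq '^[[:space:]]*@include[[:space:]]+common-auth' "$pam" &&
        fail "@include common-auth is still active in $pam"

    [ "$(sshd_value ChallengeResponseAuthentication "$sshd")" = yes ] ||
        fail "ChallengeResponseAuthentication is not 'yes' in $sshd"

    # Without this, sshd accepts the key alone and never asks for a code,
    # which is the symptom described in the question.
    [ "$(sshd_value AuthenticationMethods "$sshd")" = "publickey,keyboard-interactive" ] ||
        fail "AuthenticationMethods is not 'publickey,keyboard-interactive' in $sshd"

    [ "$problems" -eq 0 ] && echo "OK: $pam and $sshd match the answer's settings"
    return "$problems"
}

# List accounts with no ~/.google_authenticator: they would be locked out.
unenrolled_users() {  # $1 = home base dir (assumed layout), rest = user names
    base=$1; shift
    for u in "$@"; do [ -f "$base/$u/.google_authenticator" ] || echo "$u"; done
}

# Run against real files when given two paths, e.g.
#   sh audit_2fa.sh /etc/pam.d/sshd /etc/ssh/sshd_config
if [ "$#" -eq 2 ]; then audit_2fa "$1" "$2"; fi
```

Run `unenrolled_users /home alice bob` before restarting sshd; any name it prints has not set up a secret yet.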

Source: https://habr.com/ru/post/1239116/

