So I decided to play a little bit with google authenticator on my systems that are visible to the internet. ie my linode, Panix v-colo and ‘bastion’ host at home.
The way sshd works, if you authenticate with public keys then PAM “auth” doesn’t seem to get called. So this is pretty much for “ChallengeResponse” (instead of “password”) authentication. Which makes it great for my need; if I’m coming from one of my own machines with my SSH key then I’m not impacted. If I’m coming in from someone elses machine then I need to know my password and the one-time-password.
Now on these hosts the only account’s with a valid password are my own
and root and sshd is configured to not allow passwords for root (ssh
keys only). I also run sshd on a non-standard port and this has stopped
dead random password hack attempts. And no one is trying to attack me
(I don’t run any popular blog; I’m not a bank, I’m not a target). So,
in practice, google authenticator doesn’t really add anything for me.
But it was interesting to play with.
(Of course if I’m away from my machine and my phone then I have a problem!)