------------------------
                        SSH Google Authenticator
                             Debian Jessie
                        ------------------------

May 17, 2016

This process will setup sshd to require 2-step verification using the
Google Authenticator app.

 1. Install the google-authenticator PAM module
    apt-get install libpam-google-authenticator

 2. Setup a directory for user keys
    mkdir /etc/google-authenticator
    chmod 711 /etc/google-authenticator
    mkdir /etc/google-authenticator/<SomeSecretName>
    chmod 711 /etc/google-authenticator/<SomeSecretName>

 3. Create a directory for each user's key file
    mkdir /etc/google-authenticator/<SomeSecretName>/<TheUser>/
    chown <TheUser>:<TheirGroup> /etc/google-authenticator/<SomeSecretName>/<TheUser>/
    chmod 700 /etc/google-authenticator/<SomeSecretName>/<TheUser>/

 4. Generate a key for the user running google-authenticator, and follow 
    the prompts.

    google-authenticator

    Do you want authentication tokens to be time-based (y/n) y

    . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
    The token information prints here with a QR code, secret key,
    verification code, and emergency scratch codes.
    . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

    Do you want me to update your "/root/.google_authenticator" file (y/n) y

    Do you want to disallow multiple uses of the same authentication
    token? This restricts you to one login about every 30s, but it increases
    your chances to notice or even prevent man-in-the-middle attacks (y/n) y    

    By default, tokens are good for 30 seconds and in order to compensate for
    possible time-skew between the client and the server, we allow an extra
    token before and after the current time. If you experience problems with poor
    time synchronization, you can increase the window from its default
    size of 1:30min to about 4min. Do you want to do so (y/n) n

    If the computer that you are logging into isn't hardened against brute-force
    login attempts, you can enable rate-limiting for the authentication module.
    By default, this limits attackers to no more than 3 login attempts every 30s.
    Do you want to enable rate-limiting (y/n) y

 5. Optionally, edit ~/.google_authenticator to remove the scratch codes

 6. Send the user their key information

 7. Copy the key from your home directory to their key directory
    mv ~/.google_authenticator /etc/google-authenticator/<SomeSecretName>/<TheUser>/google_authenticator
    chown <TheUser>:<TheirGroup> /etc/google-authenticator/<SomeSecretName>/<TheUser>/google_authenticator

 8. Modify /etc/pam.d/sshd so <SomeSecretName> cannot be read
    chmod 600 /etc/pam.d/sshd

 9. Edit /etc/pam.d/sshd and directly under

    @include common-account'

    add the line:

    auth required pam_google_authenticator.so secret=/etc/google-authenticator/<SomeSecretName>/${USER}/google_authenticator

10. Modify /etc/ssh/sshd_config and enable:

    ChallengeResponseAuthentication yes

11. Optionaly, disable public keys based login in the sshd_config:

    RSAAuthentication no
    PubkeyAuthentication no

12. Restart sshd
    service ssh restart