Set Up Google Authenticator for Shell Access

Shell access is the most intrusive access to our servers. If a hacker gains shell access, there is the potential for maximum damage. To mitigate this, we are currently recommending that users secure their access with an additional security feature, a one-time password entry using Google's authenticator. This applies only for access to the server shell.

At some point in the future, all users will be required to use this additional feature.

If you are using this additional feature, connecting to shell will require your TU username/password and the verification code that appears on your smartphone and changes every 30 seconds. This code is the result of a calculation whose input is the time/date and a one-time secret key. The smartphone need not be on-line to use this feature. This verification code can be avoided by setting up public/private keys (see Setting Up a Trusted Computer).

The setup involves two steps: (1) generating the secret key on shell and (2) copying it to your device.

Install the Google Authenticator app on your Android or iOS device, then log into shell. Run the command google-authenticator on shell. You will be asked several questions, all of which you should answer with a y. Proceeding slowly, answer the first question with a y. This yields several items in the following order: a URL, a QR barcode, the secret key, a verification code, then several emergency scratch codes. The secret key can be copied into your smartphone via the barcode, via the URL, or directly, as follows.

On your smartphone, open Google Authenticator > setup account > scan barcode and scan the barcode. If you are having difficulty scanning the barcode from your shell session, paste the URL into a web browser and scan the barcode from the resulting web page. If you're still having difficulty, type the secret key directly into the smartphone. It goes without saying that the secret key should never be entered into e-mail or other medium. If you have done so, then repeat all the steps and create a new secret key, overwriting the previous key.

That's all there is to it. Whenever you connect to shell, you will first be asked for the verification code that appears on your smartphone, then for your TU credentials.

To remove this feature and go back to just TU credentials, delete or rename the file ~/.google_authenticator in shell. If you change smartphones or use several smartphones, the secret key -- stored in the file ~/.google_authenticator -- may be entered manually into the smartphone.

It's important to test that your setup succeeded and you can log in with the verification code before you close all connections to shell, otherwise you risk being locked out. The scratch codes may be used in the emergency that you lose your smartphone. Store them in a safe place.