Looking at the current bugs and problems with passwords and authentication, everything is insecure – at least in theory. Believe me, as a sysadmin I have to say, “that sucks”. So I decided to go with “Plan G”, the Google Authenticator: a software token that extends our passwords with a new 6-digit number, much like RSA tokens do.
The good thing here is that Google offers a PAM module for their authenticator, which is damn flexible. Pretty fun if you think of PAM as being Pluggable. To make use of it for a particular service, just look it up in /etc/pam.d and add one line to the file, e.g. the sshd authentication config:
auth required pam_google_authenticator.so nullok
What it does: SSH now requires the authenticator. The parameter ‘nullok’ is just a bypass in case you do not have it configured for every user of that service. Going in depth here would be endless. Just for sshd, don’t forget to enable ChallengeResponseAuthentication in its config!
The rest of the config is pairing the Authenticator app on your mobile with the Google Authenticator program on your host. This is done by invoking it on the shell: