7
votes

Is there a possibility to enable 2 factor authentication (or 2 step verification, à la Google terminology) for Google Compute Engine? I'm interested in protecting my VMs, cloud storage and the developers console.

I've tried using the Google Authenticator (libpam) referring to this article, "Securing SSH with two factor authentication using Google Authenticator on a VM", but it didn't succeed (I managed to log in with the gcloud compute shell with no additional code).

[Jan 12th] Some updates: Google developer console works perfectly. Thanks.

For 2-step verification with the compute-engine SSH access, I retried everything all over again. Followed the instructions mentioned in the links provided, and did the following:

  • I created a new Google-Cloud project.
  • I used 2 different OS instances - Debian 8.2 and Ubuntu 15.10.

All of these tests failed - there was no prompt for a verification code. I looked around in the Google compute-engine documentation, and they mention explicitly they support only certificate authentication (rather than username/password), so I cannot verify whether this is the root cause.

Is there anyone using 2-step verification with Google compute-engine?

Thanks

1
The feature to enable 2 factor authentication in Google Cloud Developer Console is currently not available. Feel free to file a feature request through this link (code.google.com/p/google-cloud-platform) – Faizan

Thanks, that confirms my assumption with regards to the developer console. Does anyone have any experience with enabling it on VMs? – Homer

@Homer are you getting any error message with the Google Authenticator? – George

@George no, there's no error. Running the process works - I'm getting the dialog, and it completes successfully (I receive the codes). When I try logging in I'm logged in directly without any additional verification. – Homer

Update - 2FA for the console does work. The account is the same Google account, so if one activates 2FA - it applies to the console as well. – Homer

1 Answer

5
votes

At last - a solution (thanks to Google Cloud support).

A couple of updates on top of the document I have referred to:

Apart from adding a line to /etc/pam.d/sshd, one should also comment out the @include common-auth line. So it should be something like:

    # from the original instructions:
    auth       required     pam_google_authenticator.so
    # commenting out the common-auth include is new:
    # @include common-auth

Apart from changing the ChallengeResponseAuthentication property in /etc/ssh/sshd_config, one should also add AuthenticationMethods publickey,keyboard-interactive in the following line:

    # from the original instructions:
    ChallengeResponseAuthentication yes
    # this is new (comments are kept on their own lines, since sshd_config does not accept trailing comments):
    AuthenticationMethods publickey,keyboard-interactive

Of course, this is on top of the regular instructions of installing libpam-google-authenticator, changing the sshd and sshd_config (as mentioned above), restarting the ssh/sshd service, and setting up the google-authenticator for the account.

Finally, a few more points:

  1. Consider this carefully - from the moment the ssh/sshd account is restarted, no one can log in without proper 2FA. So make sure anyone who should have ssh access has configured it properly.
  2. I'm contemplating whether this is the proper solution for us, as it requires setting up the VMs (each VM separately), and manually setting up the authenticator for each account on each VM. Not sure how scalable this alternative is. I would appreciate your thoughts...
  3. Last but not least - the setup of libpam-google-authenticator may be simplified by using apt-get; no need to manually install all dependencies and build it. It worked for me by running:

    sudo apt-get install libpam-google-authenticator

Good Luck!
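As an added example (not part of the answer above, and not code from Google or the libpam-google-authenticator project), the two file edits the answer describes can be applied by a script rather than by hand, which also addresses the per-VM repetition raised in point 2. The functions take file paths so they can be tried on scratch copies; only `apply_live` touches the real files, and it validates the result with `sshd -t` before restarting. The service name `ssh`, the `sshd` binary being on root's PATH, and the backup naming are assumptions; the interactive per-user `google-authenticator` step is left as the answer describes it.

```shell
#!/bin/sh
# Added example, not from the answer above: apply the answer's edits to
# /etc/pam.d/sshd and /etc/ssh/sshd_config with a script. Functions take
# file paths so they can be tried on copies; only apply_live edits the
# real files.
set -eu

# Require pam_google_authenticator and comment out the distribution's
# "@include common-auth" line, as the answer describes. Safe to re-run: an
# existing module line is replaced, an already-commented include is left alone.
configure_pam_sshd() {
    pam_file="$1"
    tmp="$pam_file.tmp"
    awk '
        NR == 1 { print "auth       required     pam_google_authenticator.so" }
        /^[ \t]*@include[ \t]+common-auth/ { print "# " $0; next }
        /pam_google_authenticator\.so/ { next }   # dropped; re-added on line 1
        { print }
    ' "$pam_file" > "$tmp"
    cat "$tmp" > "$pam_file"   # keeps the original file mode and owner
    rm -f "$tmp"
}

# Set "key value" in an sshd_config exactly once, replacing a live or a
# commented-out default such as "#ChallengeResponseAuthentication no".
# If the file has Match blocks, the setting is placed before the first one;
# appended after a Match block it would apply only to that block, not globally.
set_sshd_option() {
    cfg="$1"; key="$2"; value="$3"
    tmp="$cfg.tmp"
    awk -v key="$key" -v value="$value" '
        function token(s,    f) { split(s, f, /[ \t=]+/); return tolower(f[1]) }
        {
            line = $0
            sub(/^[ \t]+/, "", line)
            if (token(line) == "match") {          # a live Match block begins
                if (!done) { print key " " value; done = 1 }
                inmatch = 1
            }
            stripped = line
            sub(/^#[ \t]*/, "", stripped)          # also catch commented defaults
            if (!inmatch && token(stripped) == tolower(key)) {
                if (!done) { print key " " value; done = 1 }
                next                                # drop duplicates
            }
            print
        }
        END { if (!done) print key " " value }
    ' "$cfg" > "$tmp"
    cat "$tmp" > "$cfg"
    rm -f "$tmp"
}

# Live run (as root): back up, edit, parse-check with "sshd -t", and only then
# restart. Assumes the Debian/Ubuntu service name "ssh" (an assumption) and
# that every user who needs access has already run google-authenticator,
# per the answer's point 1.
apply_live() {
    stamp=$(date +%Y%m%d%H%M%S)
    cp -p /etc/pam.d/sshd "/etc/pam.d/sshd.$stamp.bak"
    cp -p /etc/ssh/sshd_config "/etc/ssh/sshd_config.$stamp.bak"
    configure_pam_sshd /etc/pam.d/sshd
    set_sshd_option /etc/ssh/sshd_config ChallengeResponseAuthentication yes
    set_sshd_option /etc/ssh/sshd_config AuthenticationMethods publickey,keyboard-interactive
    sshd -t                 # parse check only; with set -e a bad config stops here
    service ssh restart
}

if [ "${1:-}" = "--apply" ]; then
    apply_live
fi
```

Keep an existing SSH session open while running `./enable-2fa.sh --apply` (any file name will do): if the new configuration locks you out, the `.bak` copies can be restored from that session. Running the script a second time leaves both files unchanged.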