Google Authenticator is pretty great. It allows me as an administrator to set up and configure multi-factor authentication for my UNIX boxes without having to spend money on a tool like YubiKey or RSA tokens. It’s easy to set up on any type of phone—no specialized hardware or dongles needed. It’s also pretty cool in that the server doesn’t need network access to the outside world. Since Google Authenticator is time-based, it doesn’t need to send an SMS or call out to a centralized server to get the current valid token.
What is a bit painful, though, is needing to have a different Google Authenticator token for every one of my servers. The standard setup would have you run the google-authenticator command on each and have as many tokens as you have servers. Obviously, this quickly becomes unwieldy and untenable.
Instead, I want to have one token for multiple servers. Here’s how I installed and configured Google Authenticator on each system.
First Machine
On my first machine I’m going to install Google Authenticator and create a secret key—the exact flow I’d use normally.
1: Install Google Authenticator. This is pretty well-documented; examples can be seen at untrusted connection and How-To Geek. I won’t walk through each step since this part varies from OS to OS; the rest of the steps are identical, however.
2: Restart the ssh service.
$ sudo restart ssh
3: Run the google-authenticator command to generate a secret key for your account, which you’ll store in your phone. This information will be stored in a configuration file that we’re going to get into later. I don’t need to comment that you actually have to enter the secret key into your phone, do I?
4: Give it a spin. From another shell go ahead and try it out.
5: Let’s take a look at the configuration file. We’re going to copy its contents to every other machine that should accept the same secret key.
Installing Google Authenticator on Additional Machines
For all other machines I’m going to install Google Authenticator as normal, but I’m going to use the secret key from the first machine. This will let me log in to each of them using that same secret key that I stored from the first machine.
1: Install Google Authenticator. Again, other places describe this in detail. We’re going to install the program but not generate a secret key.
2: Create the configuration file and add the content that we copied from the first machine.
3: Set permissions for the configuration file.
4: Restart the ssh service.
5: Test the login.
Voila! A shared secret key across my servers! Happy day.
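As an added example (not the post’s own code), here is a small Python model of what sharing that configuration file means: it parses the layout of the ~/.google_authenticator file the post calls the configuration file, computes the RFC 6238 code that every copy of the file now produces, and shows that the DISALLOW_REUSE record lives in each host’s own copy, so a code already consumed on one server is still accepted on the next. The file layout and contents are assumed and constructed for the example; the secret is the RFC 6238 test key, not one generated by google-authenticator.

```python
import base64, hashlib, hmac, struct

# Constructed sample in the layout google-authenticator writes to ~/.google_authenticator
# (assumed: base32 secret first, option lines starting with '" ', then one emergency
# scratch code per line). The secret is the RFC 6238 test key, not a real one.
SAMPLE_CONFIG = """GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ
" RATE_LIMIT 3 30
" DISALLOW_REUSE
" TOTP_AUTH
12345678
87654321
"""

def parse_config(text):
    """Return (secret, options, scratch_codes) from a .google_authenticator file body."""
    lines = [ln.rstrip() for ln in text.splitlines() if ln.strip()]
    options = [ln[2:] for ln in lines[1:] if ln.startswith('" ')]
    scratch = [ln for ln in lines[1:] if not ln.startswith('"')]
    return lines[0], options, scratch

def totp(secret_b32, unix_time, step=30, digits=6):
    """RFC 6238 TOTP (HMAC-SHA1, 30 s steps), the scheme Google Authenticator uses."""
    key = base64.b32decode(secret_b32.upper() + "=" * (-len(secret_b32) % 8))
    msg = struct.pack(">Q", int(unix_time) // step)
    digest = hmac.new(key, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    value = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

class Host:
    """One server with its own copy of the file. `used` stands in for the time steps
    DISALLOW_REUSE records in that copy, so the record never spans the other servers."""
    def __init__(self, config_text, window=1):
        self.secret, self.options, self.scratch = parse_config(config_text)
        self.window, self.used = window, set()

    def verify(self, code, unix_time):
        step = int(unix_time) // 30
        for t in range(step - self.window, step + self.window + 1):
            if hmac.compare_digest(totp(self.secret, t * 30), code):
                if "DISALLOW_REUSE" in self.options and t in self.used:
                    return False  # replayed on this host: rejected
                self.used.add(t)
                return True
        if code in self.scratch:  # emergency scratch code: single use
            self.scratch.remove(code)
            return True
        return False
```

On the real servers the copied file must be readable only by its owner (the PAM module rejects looser permissions), and every host holding a copy now shares the same secret and the same scratch codes, so a compromise of any one of them exposes all of them.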