This time on the show, we challenge you... to respond... then we'll authenticate ya! That's right, we're getting into Challenge Response Authentication. Plus, Two-Factor Authentication for SSH using the Google Authenticator and how not to lock yourself out of your own workstation. All that and more, this time on Hak5!



Challenge Response Authentication

  • Used in the 80's and 90's for copy protection (Wolfenstein SoD example)
  • DRYAD Example
    • Used for Authentication or Encryption by US military
  • Keyboard-interactive is defined in an Internet-Draft to the IETF; two Googlers in 2004 describe "Generic Message Exchange Authentication for SSH"

Example of Lame-Ass-Challenge-Response-Authentication

  • Client initiates connection to server

  • Server asks for password
  • Client tells server password
  • Server lets client connect, they become BFF
  • Eavesdropping hacker now knows password

One-way hash

  • Takes input, returns hash value

  • Finding input from hash value is "computationally infeasible"
  • Popular functions include MD5, SHA

Example of proper Challenge-Response Authentication

  • Client initiates connection to server

  • Server "challenges" client by sending a random number
  • Client "responds" by computing a one-way hash of random number + password, sends result
  • Server uses the same one-way hash to compute random number + password, verifies result
  • If result matches, client and server become BFF
  • Eavesdropping hacker now knows a random number and the resulting hash from said random number + the password :-(

Weaknesses in CRA

  • If a challenge is used more than once, the hacker can simply replay the hash

  • Mitigated by using long random numbers
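The exchange and the replay weakness above, as an added example that is not part of the original show notes: a minimal Python sketch in which the server issues a long random challenge and consumes it after one use. It uses HMAC-SHA256 as the one-way function in place of a bare hash of random number + password; the `Server` class, account name and password are constructed for illustration.

```python
import hashlib
import hmac
import secrets


def compute_response(challenge: bytes, password: str) -> bytes:
    """One-way function over challenge + password (HMAC-SHA256, an assumption)."""
    return hmac.new(password.encode(), challenge, hashlib.sha256).digest()


class Server:
    """Toy verifier: knows each user's password, issues single-use challenges."""

    def __init__(self, passwords: dict):
        self._passwords = passwords
        self._pending = {}  # user -> outstanding challenge

    def challenge(self, user: str) -> bytes:
        nonce = secrets.token_bytes(16)  # long random number, 128 bits
        self._pending[user] = nonce
        return nonce

    def verify(self, user: str, response: bytes) -> bool:
        # pop() consumes the challenge, so it can never be answered twice
        nonce = self._pending.pop(user, None)
        password = self._passwords.get(user)
        if nonce is None or password is None:
            return False
        expected = compute_response(nonce, password)
        return hmac.compare_digest(expected, response)  # constant-time compare


def demo() -> dict:
    server = Server({"alice": "correct horse"})  # constructed sample account
    c1 = server.challenge("alice")
    r1 = compute_response(c1, "correct horse")  # eavesdropper sees c1 and r1
    results = {"legit_login": server.verify("alice", r1)}
    # Replaying r1 with no outstanding challenge: rejected
    results["replay_no_challenge"] = server.verify("alice", r1)
    # Replaying r1 against a fresh challenge: hash no longer matches
    server.challenge("alice")
    results["replay_new_challenge"] = server.verify("alice", r1)
    # A response computed from the wrong password fails
    c3 = server.challenge("alice")
    results["wrong_password"] = server.verify("alice", compute_response(c3, "guess"))
    return results


if __name__ == "__main__":
    print(demo())
```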

SSH 2-Factor Authentication via Google Authenticator

Ubuntu 10.04 setup based off webbynode guide.

# Install Google Authenticator PAM module
$ cd ~
$ wget
$ tar jxvf libpam-google-authenticator-1.0-source.tar.bz2
$ cd google-authenticator
$ sudo make install
# Edit /etc/ssh/sshd_config and change the ChallengeResponseAuthentication to yes
# Edit /etc/pam.d/sshd and add
# auth    required              
#*** Some guides recommend adding the above line to the /etc/pam.d/common-auth file.
#*** You'll wish you hadn't if you're testing this on your desktop with gnome/kde/etc ;-)
# Configure the user account
$ google-authenticator
# Follow the URL and scan the barcode from your phone's Google Authenticator app
# Restart sshd (needs root):
$ sudo /etc/init.d/ssh restart
# Login as normal and you'll be prompted for verification code in addition to password




  • I’ve set this up and it works great when I ssh with localhost. However, when I try and ssh in from another machine using putty, the connection drops before asking for the username. Has anyone else experienced this with putty?

  • I got this working with a bit of effort on a CentOS 6.2 OpenVZ VPS. Few quirks to deal with but worked it out easily enough.

    Great article.

  • ashara 3 years ago

    This is great and just what I was looking for so thank you very much for showing us the way to Google Authenticator loving. ^_^

  • Thanks Mark!! You just ROCKED my day