Two factor (2FA) SSH with Google Authenticator

Configuring two factor authentication on SSH is actually quite straightforward. Using Google Authenticator we can get set up and running in about 8 minutes. If we were to use another method such as a hardware-based token we would have to wait for delivery of the token (for example a YubiKey) - that would take way longer. 🙂

First the Basics

Two factor authentication means there are two different methods used to authenticate a user's access to a service. The first method is something that everyone is familiar with: a password or passphrase. The second factor is a computationally generated code that can be sent to your phone via SMS, generated by a phone app or read off a hardware token. Many will be familiar with these from banking or online services such as Google.

Tip: If you don't use two factor on your Google Account and Banking, go and sort it now. In fact if you are using SMS as a 2FA on your Google Account, think about changing it to use the Google Authenticator App. Recent breaches have highlighted the weakness in SMS based 2FA.

Configuring SSH for 2FA on Ubuntu

These steps for configuring SSH and 2FA will no doubt be similar for any Linux distribution; our focus for now is on Ubuntu and locking down our SSH service.

Requirements

  • Ubuntu 18.04
  • Phone with Google Authenticator (iPhone or Android)
  • SSH server with sudo access **

** You need to be the administrator of the SSH server otherwise the actual administrator will get cross when they get locked out.

Warning: Ensure you have a pretty good grasp of what we are doing here. If you are not familiar with editing config files and running services on Linux take care. If you mess up the configuration you may lock yourself out of your SSH access. It is probably a good idea to ensure you have console access to your system.

1. Install Ubuntu Packages

The required package is in the Ubuntu repositories so installation is a simple apt install.

sudo apt install libpam-google-authenticator

2. Configure SSH Server

First we will edit /etc/pam.d/sshd adding the following line:

auth required pam_google_authenticator.so

Now change the following line in /etc/ssh/sshd_config to yes to enable use of the Authenticator we added to the pam configuration.

# Change to yes to enable challenge-response passwords (beware issues with
# some PAM modules and threads)
ChallengeResponseAuthentication yes

Restart the SSH service:

sudo service sshd restart

3. Configure Google Authenticator on Ubuntu

With our installed package we now have a binary that allows us to configure the Google Authenticator.

google-authenticator

Read the options presented and decide which you wish to use. Selecting time based authentication tokens is a good option and the simplest.

Do you want authentication tokens to be time-based (y/n) y
Warning: pasting the following URL into your browser exposes the OTP secret to Google:
  https://www.google.com/chart?chs=<>

<< ------ Here right in your Terminal is a Large QR Code ---------- >>

<< ------ Also here is your secret key and backup codes ------ >>

Do you want me to update your "/home/user/.google_authenticator" file? (y/n) y

Do you want to disallow multiple uses of the same authentication
token? This restricts you to one login about every 30s, but it increases your chances to notice or even prevent man-in-the-middle attacks (y/n) y

By default, a new token is generated every 30 seconds by the mobile app. In order to compensate for possible time-skew between the client and the server, we allow an extra token before and after the current time. This allows for a time skew of up to 30 seconds between authentication server and client. If you experience problems with poor time synchronization, you can increase the window from its default size of 3 permitted codes (one previous code, the current code, the next code) to 17 permitted codes (the 8 previous codes, the current
code, and the 8 next codes). This will permit for a time skew of up to 4 minutes between client and server.
Do you want to do so? (y/n) y

If the computer that you are logging into isn't hardened against brute-force login attempts, you can enable rate-limiting for the authentication module. By default, this limits attackers to no more than 3 login attempts every 30s. 
Do you want to enable rate-limiting? (y/n) y

Write down the backup codes on a piece of paper and put them somewhere safe. These will allow you to log in to your SSH server if you don't have your phone.
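To show what the prompts above actually change, here is an added example (not code from the original post or from the pam_google_authenticator project) of a minimal TOTP verifier that applies the same window-size, disallow-reuse and backup-code checks. SAMPLE_FILE is a constructed, simplified version of the .google_authenticator layout (secret, then option lines, then backup codes); the secret and backup code in it are made-up values, and rate limiting is not modelled.

```python
# Added example, not code from the original post: a minimal TOTP verifier that
# mirrors the window and reuse checks pam_google_authenticator applies.
# SAMPLE_FILE is a constructed, simplified ~/.google_authenticator (assumption).
import base64
import hmac
import struct

SAMPLE_FILE = """JBSWY3DPEHPK3PXP
" WINDOW_SIZE 17
" DISALLOW_REUSE
12345678
"""


def parse_config(text):
    """Split the file into secret, option dict and scratch (backup) codes."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    secret, options, scratch = lines[0], {}, []
    for line in lines[1:]:
        if line.startswith('"'):
            key, *values = line[1:].split()
            options[key] = values
        else:
            scratch.append(line)
    return secret, options, scratch


def totp(secret_b32, counter):
    """RFC 6238 TOTP (HMAC-SHA1, 6 digits) for one 30 s counter value."""
    key = base64.b32decode(secret_b32.upper() + "=" * (-len(secret_b32) % 8))
    digest = hmac.new(key, struct.pack(">Q", counter), "sha1").digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return "%06d" % (code % 1_000_000)


def verify(code, now, config_text, used):
    """Accept `code` at unix time `now` if it matches a step inside WINDOW_SIZE
    (3 = previous/current/next, 17 = +-8 steps) and, with DISALLOW_REUSE, that
    step is not yet in `used`; otherwise accept an unused scratch code once."""
    secret, opts, scratch = parse_config(config_text)
    half = int(opts.get("WINDOW_SIZE", ["3"])[0]) // 2
    cur = now // 30  # the app generates a new code every 30 seconds
    for counter in range(cur - half, cur + half + 1):
        if hmac.compare_digest(totp(secret, counter), code):
            if "DISALLOW_REUSE" in opts and counter in used:
                return False
            used.add(counter)
            return True
    if code in scratch and code not in used:
        used.add(code)  # backup codes are single-use
        return True
    return False
```

The WINDOW_SIZE 17 setting accepts the 8 codes before and after the current one (4 minutes of skew); with the default of 3 only the neighbouring codes pass.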

Add key to the Google Authenticator App

On your phone launch the Google Authenticator App and hit the big red plus button. This is to add a new service to the Authenticator. Use the option to scan the QR code. It is as easy as that. You will now have access to your ssh service with an added authentication factor - that being the code on your Google App.

Test your access still works

Try to log in to your SSH server. You should now be prompted for the code as well as the usual password. If you use keys to access the SSH server you will still have access using the key alone: with this configuration the 2FA code applies only to password-based authentication.
