Configuring two factor authentication on SSH is actually quite straightforward. Using Google Authenticator we can get setup and running in about 8 minutes. If we were to use another method such as a hardware based token we would have to wait for delivery of the token (for example YubiKey) - that would take way longer. 🙂
First the Basics
Two factor authentication means there are two different methods used to authenticate access to a service by a user. The first method is something that everyone is familiar with, that being a password or passphrase. A second factor is a computationally generated code that can be sent to your phone via SMS, Phone APP or read off a hardware token. Many will be familiar with these for access to banking or online services such as Google.
Configuring SSH for 2FA on Ubuntu
These steps for configuring ssh and
2FA will no doubt be similar for any Linux distribution, our focus for now is on Ubuntu and locking down our SSH service.
- Ubuntu 18.04
- Phone with Google Authenticator (iPhone or Android)
- SSH server with sudo access **
** You need to be the administrator of the SSH server otherwise the actual administrator will get cross when they get locked out.
1. Install Ubuntu Packages
The required package is in the Ubuntu repositories so installation is a simple
sudo apt install libpam-google-authenticator
2. Configure SSH Server
First we will edit
/etc/pam.d/sshd adding the following line:
auth required pam_google_authenticator.so
Now change the following line in
yes to enable use of the Authenticator we added to the
# Change to yes to enable challenge-response passwords (beware issues with # some PAM modules and threads) ChallengeResponseAuthentication yes
Restart SSH service
sudo service sshd restart
3. Configure Google Authenticator on Ubuntu
With our installed package we now have a binary that allows us to configure the Google Authenticator.
Read the options presented and decide which you wish to use. Selecting time based authentication tokens is a good option and the simplest.
Do you want authentication tokens to be time-based (y/n) y Warning: pasting the following URL into your browser exposes the OTP secret to Google: https://www.google.com/chart?chs=<
> << ------ Here right in your Terminal is a Large QR Code ---------- >> << ------ Also here is your secret key and backup codes ------ >> Do you want me to update your "/home/user/.google_authenticator" file? (y/n) y Do you want to disallow multiple uses of the same authentication token? This restricts you to one login about every 30s, but it increases your chances to notice or even prevent man-in-the-middle attacks (y/n) y By default, a new token is generated every 30 seconds by the mobile app. In order to compensate for possible time-skew between the client and the server, we allow an extra token before and after the current time. This allows for a time skew of up to 30 seconds between authentication server and client. If you experience problems with poor time synchronization, you can increase the window from its default size of 3 permitted codes (one previous code, the current code, the next code) to 17 permitted codes (the 8 previous codes, the current code, and the 8 next codes). This will permit for a time skew of up to 4 minutes between client and server. Do you want to do so? (y/n) y If the computer that you are logging into isn't hardened against brute-force login attempts, you can enable rate-limiting for the authentication module. By default, this limits attackers to no more than 3 login attempts every 30s. Do you want to enable rate-limiting? (y/n) y
Write down the backup codes on a piece of paper. Put them somewhere safe, these will allow you to login to your
ssh server if you don't have your phone.
Add key to the Google Authenticator App
On your phone launch the Google Authenticator App and hit the big red plus button. This is to add a new service to the Authenticator. Use the option to scan the QR code. It is as easy as that. You will now have access to your
ssh service with an added authentication factor - that being the code on your Google App.
Test your access still works
Try to login to your
ssh server. You should now be prompted for the code as well as the usual password. If you are using keys to access the
ssh you will still have access using the key. The 2FA code has been configured to only apply to the password based authentication.