How to Setup Two-Factor Authentication For SSH In Linux

[‘

n

By default, SSH already uses secure data communication between remote machines, but if you want to add some extra security layer to your SSH connections, you can add a Google Authenticator (two-factor authentication) module that allows you to enter a random one-time password (TOTP) verification code while connecting to SSH servers. You’ll have to enter the verification code from your smartphone or PC when you connect.

n

The Google Authenticator is an open-source module that includes implementations of one-time passcodes (TOTP) verification tokens developed by Google.

n

It supports several mobile platforms, as well as PAM (Pluggable Authentication Module). These one-time passcodes are generated using open standards created by the OATH Initiative for Open Authentication).

n

In this article, I will show you how to set up and configure SSH for two-factor authentication under RedHat-based and Debian-based Linux distributions such as Fedora, CentOS Stream, Rocky Linux, and AlmaLinux, Ubuntu, Debian, and Mint.

n

Installing Google Authenticator in Linux

n

Open the machine that you want to set up two-factor authentication and install the following PAM libraries along with development libraries that are needed for the PAM module to work correctly with the Google authenticator module.

n

On RedHat-based systems install the ‘pam-devel‘ package using the following yum command.

n

# yum install google-authenticator -yrn

n

On Debian-based systems install the ‘libpam0g-dev‘ package using the following apt command.

n

$ sudo apt install libpam-google-authenticator -yrn

n

Generate Google Authentication Tokens

n

Once you run the ‘google-authenticator‘ command, it will prompt you with a series of questions.

n

# google-authenticatorrn

n

Simply type “y” (yes) as the answer in most situations. If something goes wrong, you can type again the ‘google-authenticator‘ command to reset the settings.

n

    n

  • Do you want authentication tokens to be time-based (y/n) y
  • n

n

After this question, you will get your ‘secret key‘ and ‘emergency codes‘. Write down these details somewhere, we will need the ‘secret key‘ later on to set up the Google Authenticator app.

n

# google-authenticatorrnrnDo you want authentication tokens to be time-based (y/n) yrnWarning: pasting the following URL into your browser exposes the OTP secret to Google:rn  https://www.google.com/chart?chs=200x200&chld=M|0&cht=qr&chl=otpauth://totp/[emailxa0protected]%3Fsecret%3DCYZF2YF7HFGX55ZEPQYLHOO5JM%26issuer%3DtecmintrnFailed to use libqrencode to show QR code visually for scanning.rnConsider typing the OTP secret into your app manually.rnYour new secret key is: CYZF2YF7HFGX55ZEPQYLHOMrnEnter code from app (-1 to skip): -1 Code confirmation skipped Your emergency scratch codes are: 83714291 53083200 80975623 57217008 77496339

n

Next, follow the setup wizard and in most cases type the answer as “y” (yes) as shown below.

n

Do you want me to update your "/root/.google_authenticator" file (y/n) y Do you want to disallow multiple uses of the same authentication token? This restricts you to one login about every 30s, but it increases your chances to notice or even prevent man-in-the-middle attacks (y/n) y By default, tokens are good for 30 seconds and in order to compensate for possible time-skew between the client and the server, we allow an extra token before and after the current time. If you experience problems with poor time synchronization, you can increase the window from its default size of 1:30min to about 4min. Do you want to do so (y/n) y If the computer that you are logging into isn't hardened against brute-force login attempts, you can enable rate-limiting for the authentication module. By default, this limits attackers to no more than 3 login attempts every 30s. Do you want to enable rate-limiting (y/n) y

n

Generate Google Auth Tokens
Generate Google Auth Tokens

n

Configuring SSH to Use Google Authenticator in Linux

n

Open the PAM configuration file ‘/etc/pam.d/sshd‘ and add the following line to the bottom of the file.

n

auth required pam_google_authenticator.so nullokrnauth required pam_permit.sorn

n

Configure PAM for SSH
Configure PAM for SSH

n

Next, open the SSH configuration file ‘/etc/ssh/sshd_config‘ and scroll down to find the line that says.

n

ChallengeResponseAuthentication norn

n

Change it to “yes“. So, it becomes like this.

n

ChallengeResponseAuthentication yesrn

n

Configure SSH for Google Auth
Configure SSH for Google Auth

n

Finally, restart the SSH service to take new changes.

n

# systemctl restart sshdrnOrrn$ sudo systemctl restart sshdrn

n

Configuring Google Authenticator App

n

Launch the Google Authenticator app on your smartphone. Press + and choose “Enter a setup key“. If you don’t have this app, you can download and install the Google Authenticator app on your Android/iPhone/Blackberry devices.

n

Add your account ‘Name‘ and enter the ‘secret key‘ generated earlier.

n

SSH Secret Key
SSH Secret Key

n

It will generate a one-time password (verification code) that will constantly change every 30sec on your phone.

n

SSH Google Auth Code
SSH Google Auth Code

n

Now try to log in via SSH, you will be prompted with a Google Authenticator code (Verification code) and Password whenever you attempt to log in via SSH. You have only 30 seconds to enter this verification code, if you miss it will regenerate a new verification code.

n

login as: tecmintrnAccess deniedrnUsing keyboard-interactive authentication.rnVerification code:rnUsing keyboard-interactive authentication.rnPassword:rnLast login: Tue Apr 23 13:58:29 2022 from 172.16.25.125rn[[emailxa0protected] ~]#

n

If you don’t have a smartphone, you can also use a Firefox add-on called Authenticator to do two-factor authentication.

n

Important: The two-factor authentication works with password-based SSH login. If you are using any private/public key SSH session, it will ignore two-factor authentication and log you in directly.

n

‘]