Edit

VPS: Setting up two-factor authentication for Linux servers

๐Ÿ’พ Install Google Authenticator

First you need to install the Google Authenticator on your Linux vServer/Rootserver. Execute the following command:

sudo apt install libpam-google-authenticator

You will then be prompted to type "Y" to install the package, type this, press Enter and then the Google Authenticator will be installed!

โŒจ Run Google Authenticator

Start the Google Authenticator by typing 'google-authenticator'. Make sure that your window size is sufficient for the QR Code, otherwise press "CTRL+C" and enter it again.

You will now be prompted again if you want to execute it, type "Y" to accept.

You will now get a QR Code. Open your Authenticator app on your smartphone and scan the QR Code.For this example we use the Google Authenticator:

image

Make sure to copy the backup codes, these can each be used once in case you lose your authenticator.

Now the app already shows you the codes you need to log in later. In this case it looks like this:

The following questions are now prompted:

  1. Do you want to save the Google Authenticator configuration?
  2. Do you want only one login every 30 seconds?
  3. Should the time in which a code is usable be increased?
  4. Should only three logins be possible every 30 seconds? (Protection against Brute Force)

For security reasons we recommend to confirm all with Yes.

๐Ÿ’ฝ Configure Google Authenticator

Now we have to adjust the Google Authenticator so that it is also used. This requires two adjustments.

/etc/ssh/sshd_config

Activate the required modules in the /etc/ssh/sshd_config'. Open the/etc/ssh/sshd_config' file by typing

sudo nano /etc/ssh/sshd_config

You are now in a text editor. You can move around with the arrow keys, freely delete text and enter and then press 'CTRL + X' then 'Y' and lastly 'Enter' to save the file.

Make sure that the two lines 'UsePAM' and 'ChallengeResponseAuthentication' are set to 'yes'. Like this:

Save the file with 'CTRL + X' then 'Y' and lastly 'Enter`. Restart SSH afterwards with the following command:

sudo systemctl restart ssh

/etc/pam.d/sshd

Now we add the Google Authenticator to the login in the /etc/pam.d/sshd.Open the /etc/pam.d/sshd file by typing sudo nano /etc/pam.d/sshd.

The last step is to scroll down to the end of the file and enter 'auth required pam_google_authenticator.so'.

Save the file with 'CTRL + X' then 'Y' and lastly 'Enter`

๐Ÿ’ป Log in with 2FA

Now it is time to log in for the first time with 2FA. After you have followed the steps above, all you need to do is restart your SSH connection.

image

You now enter your password as normal. You will be asked for a code, simply enter the recent 2FA code.

Now you are logged in!

โ† SSH KeyChange Password โ†’