SSH two-factor authentication

Introduction

Google's SSH two-factor authentication (2FA) service, known as Google Authenticator SSH, enhances the security of SSH (Secure Shell) access by adding a second layer of authentication. While SSH already provides a secure method to establish an encrypted connection to a remote server, the integration of 2FA increases the level of security by requiring users to enter not only their password, but also a one-time verification code generated by Google Authenticator. In this guide, we will explore the process of installing and configuring the Google Authenticator SSH service on a Linux server.

Installation

First you need to install the Google Authenticator on your Linux VPS/Root server. Execute the following command:

sudo apt install libpam-google-authenticator

You will then be prompted to confirm the installation. Type "Y" and press Enter, and the Google Authenticator will be installed!

Start the Google Authenticator by typing 'google-authenticator'. Make sure that your terminal window is large enough to display the QR code; otherwise press "CTRL+C" and enter the command again.

You will now be asked again whether you want to proceed; type "Y" to accept. You will now get a QR code. Open the Authenticator app on your smartphone and scan the QR code. For this example we use the Google Authenticator.

Make sure to copy the backup codes; each of them can be used once in case you lose your authenticator.

Now the app already shows you the codes you need to log in later.

You will now be asked the following questions:

  1. Do you want to save the Google Authenticator configuration?
  2. Do you want only one login every 30 seconds?
  3. Should the time in which a code is usable be increased?
  4. Should only three logins be possible every 30 seconds? (Protection against Brute Force)

For security reasons we recommend answering Yes to all of them.

Configuration

Now we have to configure the system so that the Google Authenticator is actually used. This requires two adjustments.

/etc/ssh/sshd_config

Activate the required modules in '/etc/ssh/sshd_config'. Open the '/etc/ssh/sshd_config' file by typing

sudo nano /etc/ssh/sshd_config

You are now in a text editor. You can move around with the arrow keys and freely delete and enter text. To save the file, press 'CTRL + X', then 'Y' and lastly 'Enter'.

Make sure that the two lines 'UsePAM' and 'ChallengeResponseAuthentication' are set to 'yes'.

Save the file with 'CTRL + X', then 'Y' and lastly 'Enter'. Restart SSH afterwards with the following command:

sudo systemctl restart ssh

/etc/pam.d/sshd

Now we add the Google Authenticator to the login in /etc/pam.d/sshd. Open the /etc/pam.d/sshd file by typing 'sudo nano /etc/pam.d/sshd'. The last step is to scroll down to the end of the file and enter 'auth required pam_google_authenticator.so'.

Save the file with 'CTRL + X', then 'Y' and lastly 'Enter'.
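
A check that confirms both edited files contain what the steps above describe, useful before relying on the new login. This is an added example, not part of the original guide; the function names are hypothetical, and it assumes the whitespace-separated "Keyword value" form and does not follow Include files.

```shell
#!/bin/sh
# Added example, not from the original guide; function names are hypothetical.

# Print the first active value among the given sshd_config keywords.
# sshd keeps the first value it reads for a keyword; keywords are
# case-insensitive. Assumptions: "Keyword value" form, Include files are
# not followed, and parsing stops at the first Match block.
sshd_value() {
    file=$1; shift
    awk -v keys=" $(printf '%s ' "$@" | tr '[:upper:]' '[:lower:]')" '
        NF == 0 || $1 ~ /^#/ { next }
        { k = tolower($1) }
        k == "match" { exit }
        index(keys, " " k " ") { print $2; exit }
    ' "$file"
}

# Succeed only if an uncommented "auth required pam_google_authenticator.so"
# line exists (trailing module options are allowed).
pam_has_totp() {
    awk '$1 == "auth" && $2 == "required" &&
         $3 == "pam_google_authenticator.so" { found = 1 }
         END { exit !found }' "$1"
}

# check_2fa [SSHD_CONFIG] [PAM_FILE]: print findings, return 0 if all pass.
check_2fa() {
    cfg=${1:-/etc/ssh/sshd_config}; pam=${2:-/etc/pam.d/sshd}; rc=0
    [ "$(sshd_value "$cfg" UsePAM)" = yes ] ||
        { echo "FAIL: UsePAM is not 'yes' in $cfg"; rc=1; }
    # Newer OpenSSH treats ChallengeResponseAuthentication as a deprecated
    # alias of KbdInteractiveAuthentication, so the first of the two wins.
    v=$(sshd_value "$cfg" ChallengeResponseAuthentication KbdInteractiveAuthentication)
    [ "$v" = yes ] ||
        { echo "FAIL: ChallengeResponseAuthentication is not 'yes' in $cfg"; rc=1; }
    pam_has_totp "$pam" ||
        { echo "FAIL: no active pam_google_authenticator.so line in $pam"; rc=1; }
    [ "$rc" -eq 0 ] && echo "OK: both files match the guide"
    return "$rc"
}

# Demo on constructed files: the earlier alias line overrides the later one.
d=$(mktemp -d)
printf '%s\n' 'KbdInteractiveAuthentication no' 'UsePAM yes' \
    'ChallengeResponseAuthentication yes' > "$d/sshd_config"
echo 'auth required pam_google_authenticator.so' > "$d/pam_sshd"
check_2fa "$d/sshd_config" "$d/pam_sshd" || true
rm -rf "$d"
```

Called without arguments, check_2fa reads /etc/ssh/sshd_config and /etc/pam.d/sshd. Running 'sudo sshd -t' before the restart additionally catches syntax errors in the SSH configuration.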

Testing access

Now it is time to log in for the first time with 2FA. After you have followed the steps above, all you need to do is restart your SSH connection.

You now enter your password as normal. You will then be asked for a code; simply enter the current 2FA code.

Now you are logged in!