How to Enable Two-Factor Authentication (2FA) for SSH on Linux? , Ranjan.info

In this article, we will show you how to enable Two-Factor Authentication (2FA) for SSH logins on Linux using the Google Authenticator PAM (pluggable authentication module) together with the Microsoft Authenticator mobile app. 2FA adds a second layer of security when you authenticate to a Linux host over SSH: once it is enabled, you must enter a time-based one-time password (TOTP) generated on your smartphone in addition to your username and password (or SSH key).

Install the Microsoft Authenticator mobile app on your smartphone (available in both Google Play and the App Store).

In this guide, I have selected Microsoft Authenticator as I am already using it for MFA authentication in Azure. If you want, you can use Google Authenticator instead.

Now you need to install and configure Google PAM on your Linux host:

  1. Connect to your Linux host over SSH;
  2. Install the Google Authenticator PAM module using your package manager:
    Debian / Ubuntu: sudo apt-get install libpam-google-authenticator
    RHEL/CentOS/Fedora (from EPEL): sudo yum install google-authenticator
  3. Run the command google-authenticator as the user who will log in over SSH (the settings are stored in that user's ~/.google_authenticator file);
  4. The tool generates and displays a QR code in the console;
  5. Open the Microsoft Authenticator app on your smartphone. Select Add Account -> Personal Account -> Scan a QR Code;
  6. Scan the QR code with the app. A new entry for your username and server appears in Authenticator; you will use it to obtain one-time passwords when connecting to your host;
  7. Note that the secret key and the emergency scratch codes are also printed in the Linux console;

    If you lose/break your smartphone you will need these codes to connect to your host. Keep them in a safe place!

  8. Then google-authenticator asks a few more questions:
  9. Do you want authentication tokens to be time-based? Y -> Enter
  10. Would you like me to update your “/home/sysops/.google_authenticator” file? Y -> Enter
  11. Do you want to disallow multiple uses of the same authentication token? Y -> Enter
  12. By default, tokens are good for 30 seconds… Y -> Enter

    By default, the one-time token changes every 30 seconds, which is the right choice for most cases. TOTP only works if the clocks on your Linux host and your smartphone agree, so make sure the host synchronizes its time with NTP (check with timedatectl).

  13. Do you want to enable rate-limiting? Y -> Enter

    Instead of answering the prompts, you can set all the options at once: $ google-authenticator -t -f -d -w 3 -e 5 -r 3 -R 30
    -t – use time-based (TOTP) codes instead of counter-based ones
    -f – write ~/.google_authenticator without asking for confirmation
    -d – disallow reuse of a code that has already been used
    -w 3 – window size of 3: accept the current code plus the one before and the one after it (tolerates small clock drift)
    -e 5 – generate 5 emergency scratch codes
    -r 3 -R 30 – rate-limiting: allow at most 3 login attempts every 30 seconds

  14. Then add the following line to /etc/pam.d/sshd:
    auth required pam_google_authenticator.so nullok

    The nullok option allows a user who has not yet set up two-factor authentication to log in with only a username and password. Once 2FA has been configured and tested for all users, remove nullok so that the second factor becomes mandatory.

  15. Then edit /etc/ssh/sshd_config: sudo mcedit /etc/ssh/sshd_config
  16. Set ChallengeResponseAuthentication to yes (on OpenSSH 8.7 and later this directive is an alias for KbdInteractiveAuthentication, which you can set instead) and make sure UsePAM yes is present, otherwise the PAM module is never consulted:
    ChallengeResponseAuthentication yes
  17. Save the changes, check the configuration with sudo sshd -t, and restart sshd: sudo systemctl restart sshd (or service ssh restart). Keep your current SSH session open until you have confirmed that a new login works, so that a mistake cannot lock you out.
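The following script is an added example and not code from the original article: it applies the changes from steps 14 to 17 idempotently, so it can be run repeatedly (for example from a provisioning tool) without duplicating directives. File paths are parameters so the helpers can be exercised on copies; passing "apply" as the first argument, as root, edits the real /etc/ssh/sshd_config and /etc/pam.d/sshd, validates the result with sshd -t and restarts the service.

```shell
#!/bin/sh
# Added example (not code from the original article): idempotent helpers that
# apply the PAM and sshd_config changes for SSH 2FA. Paths are parameters so
# the functions can be tested on copies; "apply" as root touches the real files.
set -eu

# set_sshd_option FILE KEY VALUE
# Rewrite the first "KEY ..." line (a commented-out default such as "#KEY value"
# counts) as "KEY VALUE", drop any later duplicates, or append the directive if
# KEY is absent. Editing in place instead of always appending matters: a
# directive appended after a "Match" block would apply only to that block.
set_sshd_option() {
    file=$1; key=$2; value=$3
    tmp=$(mktemp)
    awk -v k="$key" -v v="$value" '
        ($0 ~ ("^[ \t]*#?[ \t]*" k "([ \t]|$)")) {
            if (!done) { print k " " v; done = 1 }
            next
        }
        { print }
        END { if (!done) print k " " v }' "$file" > "$tmp"
    cat "$tmp" > "$file"      # keep the original inode, owner and mode
    rm -f "$tmp"
}

# ensure_pam_line FILE
# Add the pam_google_authenticator line once. Its position in the stack decides
# when the "Verification code" prompt appears relative to the password prompt;
# appending places it after the existing auth lines.
ensure_pam_line() {
    file=$1
    line='auth required pam_google_authenticator.so nullok'
    grep -q 'pam_google_authenticator\.so' "$file" || printf '%s\n' "$line" >> "$file"
}

main() {
    set_sshd_option /etc/ssh/sshd_config UsePAM yes
    set_sshd_option /etc/ssh/sshd_config ChallengeResponseAuthentication yes
    set_sshd_option /etc/ssh/sshd_config KbdInteractiveAuthentication yes
    ensure_pam_line /etc/pam.d/sshd
    sshd -t                               # refuse to restart on a broken config
    systemctl restart sshd 2>/dev/null || systemctl restart ssh
}

case "${1:-}" in apply) main ;; esac
```

Run it as `sudo sh enable-ssh-2fa.sh apply` (the file name is an assumption). Because sshd -t exits non-zero on a syntax error and the script runs with set -e, a typo in sshd_config stops the script before the restart, which is the step that would otherwise lock you out.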

Then try to connect to your Linux host over SSH. You will be asked to enter a verification code before entering the password (the order of the two prompts follows the order of the auth lines in /etc/pam.d/sshd).

Open the Authenticator app on your smartphone and find the entry for your Linux host user. Enter the 6-digit one-time code that Authenticator shows at the Verification code prompt in the console.

Note that the one-time code is valid only for a short time (30 seconds by default, extended slightly by the window configured with -w). If you entered the correct code, you will be asked for your Linux user password.

If the login is successful, a line like the following appears in the authentication log (/var/log/auth.log on Debian/Ubuntu, /var/log/secure on RHEL-based systems):

sudo cat /var/log/auth.log

Jul 20 11:12:22 srvubun01 sshd(pam_google_authenticator)[6242]: Accepted google_authenticator for sysops

If a wrong code is entered, the log shows errors such as:

Jul 20 11:14:20 srvubun01 sshd(pam_google_authenticator)[6436]: Invalid verification code for sysops
Jul 20 11:14:22 srvubun01 sshd[6436]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.10.15 user=sysops
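The two log formats above are enough to build a simple detector for brute-forcing of the one-time code. The script below is an added example, not part of the original article: it reads auth.log lines on standard input and reports every user/source pair with a burst of rejected codes. The sample log excerpt is constructed to match the format shown above (it is not real data), and the threshold of 3 and the address 10.0.0.7 are assumptions. Because pam_google_authenticator does not log the client address itself, the sshd PID in `[NNNN]:` is used to join each rejection with the pam_unix line of the same session, which carries `rhost=`.

```shell
#!/bin/sh
# Added example (not from the original article): detect bursts of rejected
# one-time codes in auth.log. Sample lines below are constructed, not real data.

SAMPLE_LOG='Jul 20 11:12:22 srvubun01 sshd(pam_google_authenticator)[6242]: Accepted google_authenticator for sysops
Jul 20 11:14:20 srvubun01 sshd(pam_google_authenticator)[6436]: Invalid verification code for sysops
Jul 20 11:14:22 srvubun01 sshd[6436]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.10.15 user=sysops
Jul 20 11:14:41 srvubun01 sshd(pam_google_authenticator)[6501]: Invalid verification code for sysops
Jul 20 11:14:43 srvubun01 sshd[6501]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.10.15 user=sysops
Jul 20 11:15:03 srvubun01 sshd(pam_google_authenticator)[6577]: Invalid verification code for sysops
Jul 20 11:15:05 srvubun01 sshd[6577]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.10.15 user=sysops
Jul 20 11:15:30 srvubun01 sshd(pam_google_authenticator)[6610]: Invalid verification code for sysops
Jul 20 11:15:32 srvubun01 sshd[6610]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.10.15 user=sysops
Jul 20 11:16:10 srvubun01 sshd(pam_google_authenticator)[6688]: Invalid verification code for alice
Jul 20 11:20:00 srvubun01 sshd(pam_google_authenticator)[6702]: Accepted google_authenticator for alice'

# otp_failures [THRESHOLD]
# Read auth.log lines on stdin; print "user,rhost count" for every user/source
# pair with at least THRESHOLD (default 3, an assumed value) rejected codes.
# The sshd PID in "[NNNN]:" joins each rejection with the pam_unix failure from
# the same session, which is the line that carries "rhost="; if no such line
# exists the source is reported as "unknown".
otp_failures() {
    threshold=${1:-3}
    awk -v t="$threshold" '
        match($0, /\[[0-9]+\]:/) { pid = substr($0, RSTART + 1, RLENGTH - 3) }
        / Invalid verification code for / { user[pid] = $NF; host[pid] = "unknown" }
        /pam_unix\(sshd:auth\): authentication failure/ && (pid in user) {
            for (i = 1; i <= NF; i++) if ($i ~ /^rhost=/) host[pid] = substr($i, 7)
        }
        END {
            for (p in user) n[user[p] "," host[p]]++
            for (k in n) if (n[k] >= t) print k, n[k]
        }' | sort
}

# Example run on the constructed sample. A 6-digit code has only one million
# values, so repeated rejections from one address are worth an alert even with
# the module's own rate-limiting in place.
printf '%s\n' "$SAMPLE_LOG" | otp_failures 3
```

On a live host, feed it the real log instead: `sudo otp_failures 5 < /var/log/auth.log`, or `journalctl -u ssh -o short | otp_failures 5` on systemd hosts.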

If you want to require both an SSH key and a one-time code, add the following to /etc/ssh/sshd_config. sshd will then accept a login only after public-key authentication succeeds and the keyboard-interactive (PAM) step completes:

PasswordAuthentication no
PubkeyAuthentication yes
AuthenticationMethods publickey,keyboard-interactive

Note that PasswordAuthentication no disables only sshd's own password method; the PAM stack in /etc/pam.d/sshd still runs its password module (pam_unix, pulled in by @include common-auth on Debian/Ubuntu), so users will be asked for their key, their password and the code. If you want key plus code without a Unix password prompt, comment out that @include line so that the auth stack consists of pam_google_authenticator only, then verify with sudo sshd -t and restart sshd.