Enable two-factor authentication (2FA) for SSH on Linux

See how you can enable two-factor authentication (2FA) for SSH login on a Linux machine, using the Google PAM module (Pluggable Authentication Module) and the Microsoft Authenticator or Google Authenticator app on your phone.

linux, ssh, password, authentication, 2FA

2FA adds an extra layer of security when authenticating to a Linux host via SSH. After enabling 2FA, you will need to enter a time-based one-time password (TOTP) from your smartphone in addition to your Linux SSH username and password.
Let's look at the steps:

Step 1: Install the Microsoft Authenticator app on your mobile phone. It is available on both the Google Play store and the App Store. If you prefer, you can use Google Authenticator instead. In our example we will use Microsoft Authenticator, but the steps are almost the same for Google.

Step 2: Open an SSH session to your Linux computer and install the Google PAM Authenticator module with your package manager:
Debian/Ubuntu: sudo apt-get install libpam-google-authenticator
RHEL/CentOS/Fedora: sudo yum install google-authenticator


Step 3: In the SSH session, run the command: google-authenticator
The tool generates and displays a QR code in the console.


Step 4: Open the Microsoft Authenticator app on your smartphone. Select Add account > Personal account > Scan a QR code. Or, if you have Google Authenticator, tap + and then Scan a QR code.

Step 5: Scan the QR code with the app. A new entry for your username and computer appears in the Authenticator app. You will use this entry to get the one-time passwords for logging into your computer.

Note that a secret key and emergency scratch codes also appear in your Linux console. You will need these codes to connect to your host if you lose or break your smartphone. Keep them in a safe place!

Step 6: google-authenticator on the Linux computer then asks a few more questions:

  • Do you want authentication tokens to be time-based? Y -> Enter (this question may also appear before the QR code is displayed)
  • Do you want me to update your "/home/sysops/.google_authenticator" file? Y -> Enter
  • Do you want to disallow multiple uses of the same authentication token? Y -> Enter
  • By default, tokens are good for 30 seconds… Y -> Enter
    By default, the one-time token changes every 30 seconds. This is the best option for most cases. However, it is important that your Linux host and smartphone are time-synchronized.
  • Do you want to enable rate-limiting? Y -> Enter
    You can configure all settings at once: $ google-authenticator -t -f -d -w 3 -e 5 -r 3 -R 30
    -t – use time-based tokens (TOTP)
    -f – store the configuration in ~/.google_authenticator without asking
    -d – disallow reuse of a code that has already been used
    -w 3 – accept the previous and the next token as well as the current one (in case the clocks are not exactly synchronized)
    -e 5 – generate 5 emergency scratch codes
    -r 3 -R 30 – allow no more than 3 login attempts every 30 seconds
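As an added example (not code from the original article or from the PAM module), this shows what the two sides of Step 6 compute: the RFC 6238 time-based code from the base32 secret that google-authenticator prints, plus a server-side check modelled on the -w window and the -d no-reuse option. The secret is the RFC 4226/6238 test-vector key, not a real one, and the class and function names are my own.

```python
import base64
import hashlib
import hmac
import struct
import time

# The RFC 4226/6238 test-vector key ("12345678901234567890") in the base32
# form that google-authenticator prints. Constructed example, not a real secret.
RFC_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def totp(secret_b32, counter, digits=6):
    """One RFC 6238 code for a given 30-second step (HMAC-SHA1, as the PAM module uses)."""
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)
    key = base64.b32decode(padded)
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                       # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class TotpVerifier:
    """Server-side check modelled on the -w (window) and -d (disallow reuse) options."""

    def __init__(self, secret_b32, window=3, step=30):
        self.secret = secret_b32
        self.step = step
        self.half = window // 2      # window 3 -> the previous, current and next code
        self.used = set()            # time steps already redeemed (the -d behaviour)

    def verify(self, code, now=None):
        counter = int((time.time() if now is None else now) // self.step)
        for c in range(counter - self.half, counter + self.half + 1):
            if c in self.used:
                continue             # a code is good once only
            if hmac.compare_digest(totp(self.secret, c), code):
                self.used.add(c)
                return True
        return False


if __name__ == "__main__":
    v = TotpVerifier(RFC_SECRET)
    print(totp(RFC_SECRET, 59 // 30))                                # RFC 6238 T=59 vector: 287082
    print(v.verify("287082", now=59), v.verify("287082", now=59))    # True False (second use refused)
```

Call verify() with no `now` argument to check a code from a real Authenticator entry against the host clock; if it only passes with a larger window, the phone and host clocks have drifted.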

Step 7: Then add the following directive to /etc/pam.d/sshd: auth required pam_google_authenticator.so nullok

The nullok option allows a user who has not yet set up two-factor authentication to log in with just a username and password. Once you have configured and tested 2FA, it is recommended that you remove nullok so that two-factor authentication is required for everyone.

Step 8: Then edit /etc/ssh/sshd_config: sudo mcedit /etc/ssh/sshd_config (or with any other editor you have)
Change the ChallengeResponseAuthentication value to yes (on OpenSSH 8.7 and newer the option is named KbdInteractiveAuthentication, and ChallengeResponseAuthentication is kept as a deprecated alias). Also make sure UsePAM is set to yes, otherwise the PAM module is never consulted.


Save the changes to sshd_config and restart sshd with the command: service ssh restart (or sudo systemctl restart sshd). Keep your current SSH session open until you have confirmed that a new login works, so a mistake in the configuration cannot lock you out.

Step 9: Then try to connect to your linux computer via SSH. You will be asked to enter a verification code before entering a password.

Step 10: Open the Authenticator app on your smartphone and find the entry for your Linux user. Enter the 6-digit one-time password that the app shows into the console.

Note that the one-time password is valid only for a limited time (30 seconds by default). If you entered the correct code, you will then be prompted for your Linux user password as well.

If the connection succeeds, the following line appears in the authentication log (cat /var/log/auth.log):
Accepted google_authenticator for sysops

If an incorrect code is entered, the log shows errors:
Invalid verification code for sysops
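Added example, not from the original article: a small checker for the two log messages above, run over constructed auth.log lines, that flags users who hit the same 3-in-30-seconds threshold the -r 3 -R 30 rate limit enforces. The syslog prefix, process tag and user names in the sample are assumed.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample of /var/log/auth.log lines (not real log data). The message
# texts are the two the article shows; the prefix and user names are assumed.
SAMPLE_LOG = """\
Mar  3 09:01:10 host sshd(pam_google_authenticator)[2101]: Invalid verification code for sysops
Mar  3 09:01:15 host sshd(pam_google_authenticator)[2101]: Invalid verification code for sysops
Mar  3 09:01:21 host sshd(pam_google_authenticator)[2101]: Invalid verification code for sysops
Mar  3 09:01:40 host sshd(pam_google_authenticator)[2105]: Accepted google_authenticator for sysops
Mar  3 09:02:02 host sshd(pam_google_authenticator)[2110]: Invalid verification code for alice
Mar  3 09:02:30 host sshd(pam_google_authenticator)[2111]: Accepted google_authenticator for alice
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\S*\[\d+\]: "
    r"(?P<msg>Accepted google_authenticator|Invalid verification code) for (?P<user>\S+)$"
)


def parse(log_text, year=2024):
    """Yield (timestamp, outcome, user) for the PAM 2FA lines; other lines are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, ("ok" if m["msg"].startswith("Accepted") else "bad_code"), m["user"]


def flag_bursts(log_text, max_bad=3, window_s=30):
    """Users with >= max_bad invalid codes within window_s seconds: the same
    threshold the -r 3 -R 30 rate limit enforces, seen from the log side."""
    recent = defaultdict(list)   # user -> timestamps of recent bad codes
    flagged = set()
    for ts, outcome, user in parse(log_text):
        if outcome != "bad_code":
            continue
        recent[user] = [t for t in recent[user] if (ts - t).total_seconds() <= window_s] + [ts]
        if len(recent[user]) >= max_bad:
            flagged.add(user)
    return sorted(flagged)


if __name__ == "__main__":
    print(flag_bursts(SAMPLE_LOG))   # ['sysops']
```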

If you want to use 2FA together with SSH key authentication (the key is checked first, then the PAM verification code), add the following directives to /etc/ssh/sshd_config:
PasswordAuthentication no
PubkeyAuthentication yes
AuthenticationMethods publickey,keyboard-interactive

iGuRu.gr - The Best Technology Site in Greece


Written by Dimitris
