Even though two-factor authentication can refer to a multitude of techniques, such as biometrics or smart cards, the most frequent method used in web applications is the one-time password.
The Google Authenticator app is one of the most popular solutions for this purpose, and it can be used on Linux, too. Let's see how to secure SSH logins with the help of Google Authenticator.
First of all, make sure you have root or sudo privileges on the device whose SSH logins you plan to secure with 2FA using Google Authenticator.
Update Ubuntu's repository cache via
```
sudo apt-get update
```
Afterwards, install the needed package for Ubuntu via
```
sudo apt-get install libpam-google-authenticator
```
This will install the PAM module on your device, along with libqrencode3, which is used to display a QR code that you can scan with your phone's camera.
The PAM module lets you generate TOTP keys for every user who will use 2FA. Every key is created on a user-by-user basis, not system-wide, so each user will have to log in and run the app in order to receive a key.
Start the initialization tool with the `google-authenticator` command. Its first question is
```
Do you want authentication tokens to be time-based (y/n)
```
Answer yes to this query; a few more security questions will follow, such as
```
Do you want me to update your "~/.google_authenticator" file (y/n)
```
For the most secure SSH logins, it is best to also answer yes to the following query:
```
Do you want to disallow multiple uses of the same authentication token?
This restricts you to one login about every 30s, but it increases your chances
to notice or even prevent man-in-the-middle attacks (y/n)
```
This step is essential for a secure Linux 2FA SSH login: each code is valid for only about 30 seconds and can be used for one login only, so an attacker who captures a code cannot reuse it to authenticate.
Another security measure that makes the SSH login even more secure is the rate limit offered by the next question:
```
If the computer that you are logging into isn't hardened against brute-force
login attempts, you can enable rate-limiting for the authentication module.
By default, this limits attackers to no more than 3 login attempts every 30s.
Do you want to enable rate-limiting (y/n)
```
This means that an attacker probing your device gets only a limited number of login attempts (3 every 30 seconds by default), after which further attempts are blocked.
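To make concrete what the two answers above buy you, here is an added Python example (not code from this tutorial or from the pam_google_authenticator project). It computes the same 6-digit, 30-second TOTP codes the phone app shows, from the base32 secret that `google-authenticator` writes to the first line of `~/.google_authenticator`, and checks submitted codes with one-time use and a 3-attempts-per-30-seconds limit; the `Verifier` class and its one-step clock-skew tolerance are my own simplified model of those two options, not the module's actual code.

```python
import base64
import hashlib
import hmac
import struct

STEP = 30    # seconds per time step (Google Authenticator default)
DIGITS = 6   # code length (Google Authenticator default)


def totp(secret_b32: str, unix_time: int) -> str:
    """RFC 6238 TOTP (HMAC-SHA1, 6 digits, 30 s) for the base32 secret that
    google-authenticator stores on the first line of ~/.google_authenticator."""
    key = base64.b32decode(secret_b32.upper() + "=" * (-len(secret_b32) % 8))
    counter = unix_time // STEP
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation, RFC 4226 section 5.3
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{value % 10 ** DIGITS:0{DIGITS}d}"


class Verifier:
    """Simplified server-side check modelling the two setup answers from the text:
    DISALLOW_REUSE (a time step that already logged in is never accepted again)
    and RATE_LIMIT 3 30 (more than 3 attempts in 30 s are refused). Hypothetical."""

    def __init__(self, secret_b32: str, skew_steps: int = 1,
                 max_attempts: int = 3, window: int = 30):
        self.secret = secret_b32
        self.skew = skew_steps          # extra steps accepted either side for clock drift
        self.max_attempts = max_attempts
        self.window = window
        self.used_steps: set = set()    # time steps consumed by a successful login
        self.attempts: list = []        # timestamps of recent attempts, good or bad

    def verify(self, code: str, unix_time: int) -> bool:
        # Rate limit: this attempt counts together with the others from the last window.
        self.attempts = [t for t in self.attempts if unix_time - t < self.window]
        self.attempts.append(unix_time)
        if len(self.attempts) > self.max_attempts:
            return False
        now_step = unix_time // STEP
        for step in range(max(now_step - self.skew, 0), now_step + self.skew + 1):
            if step in self.used_steps:
                continue  # replay of a code that already authenticated: rejected
            if hmac.compare_digest(totp(self.secret, step * STEP).encode(), code.encode()):
                self.used_steps.add(step)
                return True
        return False
```

Calling `totp(secret, int(time.time()))` with the secret from your own `~/.google_authenticator` reproduces the code currently shown in the app, which is a handy way to confirm the server and phone clocks agree.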
Open an SSH session so you can test the settings as you go. Then open the PAM file with
```
sudo vi /etc/pam.d/sshd
```
and add the line
```
auth required pam_google_authenticator.so
```
Save the changes, close the file, and move on to configuring SSH and enabling the authentication method with
```
sudo vi /etc/ssh/sshd_config
```
Set the `ChallengeResponseAuthentication` line to `yes`, and restart the SSH server for the changes to take effect.
On your mobile device, install the Google Authenticator app and set up your account. Go to the `Enter provided key` menu, enter the secret key, select the `Time based` option and tap `Add`. From this point on, the app will show a one-time verification code that changes every 30 seconds.
After completing all the steps above, test an SSH login from your computer to make sure there are no errors in your authentication process.