How to implement 2 factor authentication for SSH on Ubuntu 16.04

Hello everyone. Today I’ll show you how to implement two-factor authentication for SSH on an Ubuntu 16.04 server using the Google Authenticator app. We will use an SSH key (1st factor) and a one-time code generated by Google Authenticator (2nd factor) to log in to our Ubuntu server. I use an Amazon EC2 cloud instance as the server for this activity, but the process is similar in a non-cloud environment.

I assume that you have already configured SSH key based login for your user. If not, you can find it here. Install the Google Authenticator app on your mobile device from the Google Play Store or the App Store.

Installing Google Authenticator

Installing Google Authenticator on the server is very easy. Log in to the server with a non-privileged account using your SSH key and enter the commands below. It’s good practice to update the Ubuntu repository cache before installing any package.

imtiaz@ip-172-31-21-211:~$ sudo apt-get update
imtiaz@ip-172-31-21-211:~$ sudo apt-get install libpam-google-authenticator

This will install the Google Authenticator on your server.

Configure Google Authenticator

After installation it’s time to configure the authenticator. Type the command below in the terminal to run the authenticator and configure it.

imtiaz@ip-172-31-21-211:~$ google-authenticator

After that it will ask you a couple of questions. Read these carefully and answer according to your requirements.

The authenticator supports two types of token: time-based and sequential (counter-based). A time-based token changes after a fixed period of time, when a new code is generated. A sequential token starts from a certain point and increments after every use. We choose a time-based token here.

Do you want authentication tokens to be time-based (y/n) y

After pressing y (yes) you will see a QR code with some information. By this time you should have installed Google Authenticator on your mobile device.

Open the authenticator on your mobile device and scan the QR code. If you can’t scan the code, you will find a smaller version of the QR code at the URL mentioned at the top of the screen. After scanning the QR code you will see the authenticator generating codes for your server. Go back to the server and press y.

Do you want me to update your "/home/imtiaz/.google_authenticator" file (y/n) y

It will write the key and other information to the .google_authenticator file. Make a copy of that hidden file, or simply write down the secret key, verification code and emergency scratch codes, and store them in a secure location. They will help you log in to the server if you lose your mobile device. Pressing n will quit the program.

Do you want to disallow multiple uses of the same authentication
token? This restricts you to one login about every 30s, but it increases
your chances to notice or even prevent man-in-the-middle attacks (y/n) y

Pressing y disallows multiple uses of the same authentication token. The token expires immediately after use.

By default, tokens are good for 30 seconds and in order to compensate for
possible time-skew between the client and the server, we allow an extra
token before and after the current time. If you experience problems with poor
time synchronization, you can increase the window from its default
size of 1:30min to about 4min. Do you want to do so (y/n) n

We press n here and leave it at the default 1:30 min window.
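The reuse and time-window prompts above, as an added example (not code from the original post or from the google-authenticator project): a minimal RFC 6238 verifier that accepts the previous, current and next 30-second code and refuses a code that was already used. The secret is the RFC 6238 test key, and the Verifier class and its skew parameter are names assumed for the illustration.

```python
import base64
import hashlib
import hmac
import struct

STEP = 30  # seconds a token is valid for, as stated in the prompt above


def hotp(secret_b32, counter, digits=6):
    """RFC 4226: HMAC-SHA1 over the 8-byte counter, dynamically truncated."""
    key = base64.b32decode(secret_b32, casefold=True)
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class Verifier:
    """Hypothetical server-side check: time window plus one-time use."""

    def __init__(self, secret_b32, skew=1):
        self.secret = secret_b32
        self.skew = skew      # 1 extra step each side -> 3 codes, the 1:30 min window
        self.used = set()     # time steps whose code has already been accepted

    def verify(self, code, now):
        current = int(now) // STEP
        for step in range(current - self.skew, current + self.skew + 1):
            if hmac.compare_digest(hotp(self.secret, step), code):
                if step in self.used:
                    return False  # same token presented twice: reject
                self.used.add(step)
                return True
        return False  # code belongs to no step inside the window


# Constructed sample: base32 of the RFC 6238 test key "12345678901234567890"
SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
```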

If the computer that you are logging into isn't hardened against brute-force
login attempts, you can enable rate-limiting for the authentication module.
By default, this limits attackers to no more than 3 login attempts every 30s.
Do you want to enable rate-limiting (y/n) y

Choosing y enables rate-limiting, which blocks an attacker after 3 unsuccessful attempts within 30 seconds and so helps prevent a brute-force attack. I choose y in this case.

That’s all for Google Authenticator on the server side.

Configure SSH

Now we have to configure the sshd file in the /etc/pam.d/ directory. Open the file with your favorite editor and add the following line to the end of the file.

auth required pam_google_authenticator.so nullok

The “nullok” option lets users who have not yet set up a TOTP (time-based one-time password) key log in without a code. You can safely delete the “nullok” word after all your users have their TOTP key. Save and exit from the file.

Now we will configure the sshd_config file located in the /etc/ssh/ directory. Open the file with your favorite editor, search for “ChallengeResponseAuthentication” and set its value to “yes”.

imtiaz@ip-172-31-21-211:~$ sudo vim /etc/ssh/sshd_config

ChallengeResponseAuthentication yes

Next, locate “PasswordAuthentication”, uncomment the line and set its value to “no”.

PasswordAuthentication no

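Then add the following line at the end of the file. This tells sshd which authentication methods are required. The comma means both methods must succeed: the public key first, then the keyboard-interactive prompt for the verification code.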

AuthenticationMethods publickey,keyboard-interactive

Save and close the file. Next open the sshd file located in the /etc/pam.d/ directory.

imtiaz@ip-172-31-21-211:~$ sudo vim /etc/pam.d/sshd

Search for the line “@include common-auth” and place a “#” sign in front of it.

#@include common-auth

Save and close the file. Restart the ssh service.

imtiaz@ip-172-31-21-211:~$ sudo service ssh restart
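One way to check the two edited files against the steps above, as an added example that is not part of the original post: it reads sshd_config the way sshd does (the first value for a keyword wins, so a line appended at the end can be shadowed by an earlier one) and inspects the active lines of /etc/pam.d/sshd. The function names and sample file contents are constructed for the illustration.

```python
EXPECTED = {  # the three sshd_config values set in the steps above
    "challengeresponseauthentication": "yes",
    "passwordauthentication": "no",
    "authenticationmethods": "publickey,keyboard-interactive",
}


def active_lines(text):
    """Non-blank, non-comment lines with surrounding whitespace removed."""
    return [l.strip() for l in text.splitlines()
            if l.strip() and not l.strip().startswith("#")]


def sshd_effective(text):
    """Global settings only: first occurrence wins, stop at a Match block."""
    seen = {}
    for line in active_lines(text):
        key, val = (line.split(None, 1) + [""])[:2]
        if key.lower() == "match":
            break
        seen.setdefault(key.lower(), val.strip())
    return seen


def audit(sshd_config, pam_sshd):
    """Return findings; an empty list means both files match the tutorial."""
    findings = []
    cfg = sshd_effective(sshd_config)
    for key, want in EXPECTED.items():
        if cfg.get(key, "").lower() != want:
            findings.append(f"sshd_config: {key} = {cfg.get(key)!r}, want {want!r}")
    pam = active_lines(pam_sshd)
    ga = [l.split() for l in pam if "pam_google_authenticator.so" in l]
    if not ga:
        findings.append("pam: pam_google_authenticator.so not enabled")
    elif any("nullok" in fields for fields in ga):
        findings.append("pam: nullok set, users without a TOTP key skip the code")
    if any(l.split()[:2] == ["@include", "common-auth"] for l in pam):
        findings.append("pam: @include common-auth is still active")
    return findings


# Constructed sample files (not taken from a real server)
GOOD_SSHD = ("ChallengeResponseAuthentication yes\nPasswordAuthentication no\n"
             "AuthenticationMethods publickey,keyboard-interactive\n")
GOOD_PAM = "#@include common-auth\nauth required pam_google_authenticator.so\n"
# An earlier PasswordAuthentication line shadows the corrected one further down
BAD_SSHD = "PasswordAuthentication yes\n" + GOOD_SSHD
BAD_PAM = "@include common-auth\nauth required pam_google_authenticator.so nullok\n"
```

On the server itself, `sudo sshd -t` validates the file and `sudo sshd -T` prints the effective settings. Keep your current session open until a second login has succeeded.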


Now let’s test our setup. Try to log in to the server with the SSH key, provide the key passphrase (if you have one) and press enter.

login as: imtiaz
Authenticating with public key "imported-openssh-key"
Passphrase for key "imported-openssh-key":

After pressing enter you will see the message below, which asks for a verification code.

Further authentication required
Using keyboard-interactive authentication.
Verification code:

Open Google Authenticator on your mobile device. You will see a six-digit code with an animated timer running beside it. After 30 seconds the code changes and a new one is displayed on the screen. Provide the current code to the server as the verification code. Type the code correctly and you should be logged in to the server.

Implementing two-step verification or multi-factor authentication for SSH in this way is totally free, but the level of security is very high. That’s all for today.

If you enjoyed the post, please share it with your network and let me know your thoughts in the comments. 

About the Author: Imtiaz works in a financial organization in Bangladesh and has experience in system, network and security administration. Feel free to contact him on LinkedIn or Twitter.
