If you’ve managed a remote Linux server, you know that one of the most common ways to connect to it is SSH. SSH provides a secure way to log in to a server remotely and manage it, and it is probably the default method for the majority of webmasters.
By default, SSH authenticates a user by matching a username and password against an account that already exists on the system. If you want better protection, enable two-factor authentication.
With two-factor authentication (2FA) on SSH, a user must supply the correct username and password and, in addition, a one-time code generated by an authenticator app on a mobile device the user owns. A password alone is no longer enough to log in.
This brief tutorial shows how to set that up on Ubuntu 17.04.
Step 1: Install Google Authentication package for Linux
Before you install the Google Authenticator package, make sure OpenSSH Server is installed. If it isn’t, run the commands below to install it.
sudo apt-get update
sudo apt-get install openssh-server
After that, continue with installing the Google Authenticator PAM module.
Many providers and packages add two-factor authentication to an SSH server. One of the most popular is Google’s PAM module, libpam-google-authenticator. To install it, run the commands below.
sudo apt-get update
sudo apt-get install libpam-google-authenticator
The module supports two kinds of token: time-based (TOTP) and counter-based (HOTP).
A time-based token is computed from the secret and the current 30-second time step, so it changes every 30 seconds and the client and server clocks must agree. A counter-based token is computed from the secret and a counter that advances on each use, so every token is valid for a single login. In both cases the code is derived deterministically from the shared secret, not chosen at random, which is why the secret must be kept private.
Step 2: Setup Google Authentication
After installing the package, run the command below as the user who will log in with 2FA (not as root, because the settings are written to that user’s home directory):
google-authenticator
The command asks the questions below; use the answers shown here to complete the setup.
Do you want authentication tokens to be time-based (y/n) y
Your new secret key is: JMVQBI3PDCTN7OUDXJCQCM2RDU
Your verification code is 084171
Your emergency scratch codes are:
28300462
28531298
72425363
14265012
19680772
Do you want me to update your "/home/richard/.google_authenticator" file (y/n) y
The secret key, verification code and scratch codes above are the values from this example run; yours will differ. Keep the secret private and store the scratch codes somewhere safe, since each one lets you log in once if you lose your phone.
Do you want to disallow multiple uses of the same authentication token? This restricts you to one login about every 30s, but it increases your chances to notice or even prevent man-in-the-middle attacks (y/n) y
By default, tokens are good for 30 seconds. In order to compensate for possible time-skew between the client and the server, we allow an extra token before and after the current time. If you experience problems with poor time synchronization, you can increase the window from its default size of +-1min (window size of 3) to about +-4min (window size of 17 acceptable tokens). Do you want to do so? (y/n) n
If the computer that you are logging into isn't hardened against brute-force login attempts, you can enable rate-limiting for the authentication module. By default, this limits attackers to no more than 3 login attempts every 30s. Do you want to enable rate-limiting (y/n) y
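The following Python is an added example, not code from this tutorial or from the google-authenticator package. It mirrors what the module does with the answers above: it computes time-based codes from the base32 secret (RFC 6238, which is also what the Google Authenticator app computes), accepts a code from any of the three steps in the default window, rejects a token that has already been used, and burns an emergency scratch code on first use. The secret is the RFC 6238 test secret, the scratch code is a constructed sample value, and the function and class names are my own.

```python
import base64
import hashlib
import hmac
import struct
import time

# RFC 4226 / RFC 6238 test secret ("12345678901234567890" in base32), used as
# sample input; a real secret is the one google-authenticator prints for you.
RFC_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def hotp(secret_b32, counter, digits=6):
    """Counter-based one-time code (RFC 4226): HMAC-SHA1 over the 8-byte
    big-endian counter, dynamically truncated to `digits` decimal digits."""
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)
    key = base64.b32decode(padded)
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{binary % 10 ** digits:0{digits}d}"


def totp(secret_b32, unix_time, step=30, digits=6):
    """Time-based code (RFC 6238): HOTP with counter = unix_time // step.
    The code is a deterministic function of the secret and the 30 s step,
    not a random value, which is why client and server clocks must agree."""
    return hotp(secret_b32, unix_time // step, digits)


class TotpVerifier:
    """Server-side check modelled on the options google-authenticator asks
    about: a window of acceptable steps (3 = current step +/-1), optional
    rejection of an already-used token, and single-use scratch codes."""

    def __init__(self, secret_b32, window=3, disallow_reuse=True,
                 scratch_codes=(), step=30):
        self.secret = secret_b32
        self.half = window // 2
        self.disallow_reuse = disallow_reuse
        self.scratch_codes = set(scratch_codes)  # consumed on first use
        self.step = step
        self.used_steps = set()

    def verify(self, code, unix_time):
        """Return True if `code` (a digit string) is acceptable at `unix_time`."""
        if code in self.scratch_codes:
            self.scratch_codes.discard(code)
            return True
        now_step = unix_time // self.step
        # Forget used steps that have dropped out of the window.
        self.used_steps = {s for s in self.used_steps if s >= now_step - self.half}
        for candidate in range(now_step - self.half, now_step + self.half + 1):
            expected = hotp(self.secret, candidate).encode()
            if hmac.compare_digest(expected, code.encode()):
                if self.disallow_reuse and candidate in self.used_steps:
                    return False  # replay of a token inside the window
                self.used_steps.add(candidate)
                return True
        return False


if __name__ == "__main__":
    now = int(time.time())
    print("code for the test secret right now:", totp(RFC_SECRET, now))
```

The verifier accepts the code for the previous and next 30-second step as well as the current one, which is what the default window of 3 in the prompt above means; raising the window to 17 tolerates about four minutes of clock skew but also gives an attacker who captured a code more time to replay it, which is why the reuse check matters.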
After answering the questions, open the PAM configuration for the SSH server by running the command below.
sudo nano /etc/pam.d/sshd
Then add the last line shown below at the end of the file and save it.
# Standard Un*x password updating.
@include common-password
auth required pam_google_authenticator.so
Because the line says required without the nullok option, every user who has not yet run google-authenticator (and so has no ~/.google_authenticator file) will be refused at the code prompt. If you need to roll 2FA out gradually, use auth required pam_google_authenticator.so nullok so that unenrolled users can still log in with their password, and drop nullok once everyone is enrolled.
Next, open the SSH server configuration file by running the command below.
sudo nano /etc/ssh/sshd_config
Then change the line below to yes and save the file.
# Change to yes to enable challenge-response passwords (beware issues with
# some PAM modules and threads)
ChallengeResponseAuthentication yes
This setting only affects keyboard-interactive (PAM) logins. A user who authenticates with an SSH key never reaches the PAM auth stack and is therefore not asked for a code. To require both a key and a code, also set AuthenticationMethods publickey,keyboard-interactive in the same file; the PAM stack will then still ask for the password as well unless you comment out @include common-auth in /etc/pam.d/sshd.
Restart the SSH server and you’re done. Keep your current session open and test the new login from a second terminal, so that you can still fix the configuration if something goes wrong.
sudo systemctl restart ssh
Now grab your mobile device and install the Google Authenticator app from the Play Store or App Store; you’ll use it to view the code needed to authenticate. Add a new account in the app, giving it a name and entering the secret key printed above (or scanning the QR code if the command displayed one).
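The two configuration edits above, together with the check a practitioner would want before restarting sshd, as an added example in Python (not part of this tutorial or of OpenSSH): enable_2fa() applies the ChallengeResponseAuthentication and PAM changes to file contents without duplicating them on a second run, and audit_ssh_2fa() lists the reasons the code would still not be required, including the public-key bypass. The file excerpts are constructed in the style of Ubuntu’s stock files, and the function names are my own. Run it against copies of your real files first, not the live ones.

```python
import re
import sys

PAM_LINE = "auth required pam_google_authenticator.so"

# Constructed excerpts in the style of Ubuntu's stock files (not copied from
# a real host); the comment lines match what the tutorial shows.
SAMPLE_SSHD_CONFIG = """\
Port 22
PubkeyAuthentication yes
# Change to yes to enable challenge-response passwords (beware issues with
# some PAM modules and threads)
ChallengeResponseAuthentication no
UsePAM yes
"""

SAMPLE_PAM_SSHD = """\
@include common-auth
account    required     pam_nologin.so
@include common-account
# Standard Un*x password updating.
@include common-password
"""

# Matches the live or commented-out line for either spelling of the option.
_CRA_LINE = re.compile(
    r"^[ \t]*#?[ \t]*(?:ChallengeResponseAuthentication|KbdInteractiveAuthentication)\b.*$",
    re.IGNORECASE | re.MULTILINE)


def _sshd_options(text):
    """First value of each keyword in the global section of sshd_config.
    sshd keeps the first value it reads for a keyword; Match blocks are
    skipped by this simple check (review those by hand)."""
    opts = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[ \t=]+", line, maxsplit=1)
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        if key == "match":
            break
        opts.setdefault(key, value)
    return opts


def _pam_has_google_auth(text):
    """True if the PAM file has an active auth line for the module."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.split()[0] == "auth" and "pam_google_authenticator.so" in line:
            return True
    return False


def enable_2fa(sshd_config, pam_sshd):
    """Apply the tutorial's two edits to the file contents; idempotent."""
    if _CRA_LINE.search(sshd_config):
        sshd_config = _CRA_LINE.sub("ChallengeResponseAuthentication yes", sshd_config, count=1)
    else:
        sshd_config = sshd_config.rstrip("\n") + "\nChallengeResponseAuthentication yes\n"
    if not _pam_has_google_auth(pam_sshd):
        pam_sshd = pam_sshd.rstrip("\n") + "\n" + PAM_LINE + "\n"
    return sshd_config, pam_sshd


def audit_ssh_2fa(sshd_config, pam_sshd):
    """Return the reasons a login could still succeed without the code."""
    opts = _sshd_options(sshd_config)
    problems = []
    if opts.get("usepam", "no").lower() != "yes":
        problems.append("UsePAM is not yes, so the PAM module is never consulted")
    for key in ("challengeresponseauthentication", "kbdinteractiveauthentication"):
        if opts.get(key, "yes").lower() == "no":
            problems.append(f"{key} is no, so sshd never runs the PAM prompt for the code")
            break
    if not _pam_has_google_auth(pam_sshd):
        problems.append("no active 'auth ... pam_google_authenticator.so' line in /etc/pam.d/sshd")
    methods = opts.get("authenticationmethods", "any")
    if methods == "any":
        if opts.get("pubkeyauthentication", "yes").lower() == "yes":
            problems.append("public-key logins bypass the PAM auth stack; set "
                            "AuthenticationMethods publickey,keyboard-interactive to require both")
    else:
        # Each space-separated list is an alternative; every list must ask for the code.
        for method_list in methods.split():
            if "keyboard-interactive" not in method_list:
                problems.append(f"AuthenticationMethods '{method_list}' does not include keyboard-interactive")
    return problems


if __name__ == "__main__":
    # Usage: python3 ssh_2fa_check.py /etc/ssh/sshd_config /etc/pam.d/sshd
    if len(sys.argv) == 3:
        with open(sys.argv[1]) as f, open(sys.argv[2]) as g:
            cfg, pam = f.read(), g.read()
    else:
        cfg, pam = SAMPLE_SSHD_CONFIG, SAMPLE_PAM_SSHD
    for problem in audit_ssh_2fa(cfg, pam) or ["2FA looks enforced for every login path"]:
        print(problem)
```

On the constructed files the audit reports three problems before the edits and one afterwards: the public-key bypass, which the tutorial's two edits do not address and which only an AuthenticationMethods setting closes.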
This post showed how to harden SSH by adding two-factor authentication. Once it is enabled, users must enter their username and password as well as the code shown by the Google Authenticator app on their mobile device.
This is a simple and effective way to enhance SSH security.