Secure SSH Server with Two Factor Authentication on Ubuntu 17.04

If you’ve managed a remote Linux server, you know that one of the most commonly used methods of connecting to it is SSH. SSH provides a secure way to log in to a server remotely and manage it, and it is the default method for the majority of webmasters.

The default authentication method used by the SSH protocol is to match the username and password of an account already created on the system before access is granted. If you want better protection, you’ll probably want to enable two-factor authentication.

When two-factor authentication (2FA) is added to SSH, a user must type and confirm his/her username and password as well as a unique token sent to a mobile device the user owns. This provides even more protection.

This brief tutorial is going to show you how to make that happen with Ubuntu 17.04.

Step 1: Install the Google Authenticator package for Linux

Before you install the Google Authenticator package, make sure that OpenSSH Server is already installed. If not, run the commands below to install it.

sudo apt-get update
sudo apt-get install openssh-server

After that, continue below with installing the Google Authenticator package.
There are many providers and packages that enable two-factor authentication for an SSH server. One of the most popular is the Google Authenticator PAM module. To install it, run the commands below.

sudo apt-get update
sudo apt-get install libpam-google-authenticator

Google Authenticator can generate two types of tokens: time-based tokens and one-time-use tokens.

A time-based token changes at a fixed interval, and a one-time token is valid for a single authentication session.

Step 2: Set up Google Authenticator

After installing the package, run the commands below to configure it.

sudo google-authenticator

After running the command above, you’re prompted with the questions below. Use the answers shown to complete the setup.

Do you want authentication tokens to be time-based (y/n) y

Your new secret key is: JMVQBI3PDCTN7OUDXJCQCM2RDU
Your verification code is 084171
Your emergency scratch codes are:
28300462
28531298
72425363
14265012
19680772

Do you want me to update your "/home/richard/.google_authenticator" file (y/n) y
Do you want to disallow multiple uses of the same authentication
token? This restricts you to one login about every 30s, but it increases
your chances to notice or even prevent man-in-the-middle attacks (y/n) y


By default, tokens are good for 30 seconds. In order to compensate for
possible time-skew between the client and the server, we allow an extra
token before and after the current time. If you experience problems with
poor time synchronization, you can increase the window from its default
size of +-1min (window size of 3) to about +-4min (window size of
17 acceptable tokens).
Do you want to do so? (y/n) n


If the computer that you are logging into isn't hardened against brute-force
login attempts, you can enable rate-limiting for the authentication module.
By default, this limits attackers to no more than 3 login attempts every 30s.
Do you want to enable rate-limiting (y/n) y
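To make the choices in the prompts above concrete (the 30-second token lifetime, the time-skew window, and the "disallow multiple uses" option), here is an added Python example. It is not part of this tutorial or of the pam_google_authenticator project; it implements RFC 6238 TOTP with HMAC-SHA1 and 6 digits, which is the time-based token format the module and the phone app share, plus a small verifier with the same window-size semantics (window size 3 means the current 30-second step plus one step on either side, 17 means eight on either side) and a one-login-per-step replay check. The secret is the RFC 6238 test-vector key encoded in base32, a constructed sample rather than one printed by google-authenticator.

```python
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional, Set

STEP_SECONDS = 30   # google-authenticator's default token lifetime
DIGITS = 6          # google-authenticator prints 6-digit codes

# Constructed sample secret: the RFC 6238 test-vector key "12345678901234567890"
# in base32, the same alphabet google-authenticator shows for the phone app.
SAMPLE_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def totp_at(secret_b32: str, step: int) -> str:
    """TOTP (RFC 6238, HMAC-SHA1, 6 digits) for one 30-second time step."""
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)
    key = base64.b32decode(padded)
    digest = hmac.new(key, struct.pack(">Q", step), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                       # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** DIGITS).zfill(DIGITS)


class TotpVerifier:
    """Server-side check mirroring the prompt choices: skew window and reuse."""

    def __init__(self, secret_b32: str, window_size: int = 3,
                 disallow_reuse: bool = True) -> None:
        self.secret = secret_b32
        # window_size counts accepted steps centred on "now": 3 -> +-1, 17 -> +-8
        self.half_window = window_size // 2
        self.disallow_reuse = disallow_reuse
        self.used_steps: Set[int] = set()

    def verify(self, code: str, now: Optional[float] = None) -> bool:
        """Accept a code if it matches any step inside the window and,
        when reuse is disallowed, that step has not been used before."""
        now = time.time() if now is None else now
        current = int(now // STEP_SECONDS)
        for step in range(current - self.half_window,
                          current + self.half_window + 1):
            if hmac.compare_digest(totp_at(self.secret, step), code):
                if self.disallow_reuse and step in self.used_steps:
                    return False          # same token replayed within its lifetime
                self.used_steps.add(step)
                return True
        return False


if __name__ == "__main__":
    verifier = TotpVerifier(SAMPLE_SECRET)
    code = totp_at(SAMPLE_SECRET, int(time.time() // STEP_SECONDS))
    print("current code:", code, "accepted:", verifier.verify(code))
    print("replayed:", verifier.verify(code))   # False: one login per 30s step
```

The replay check is what the "disallow multiple uses" answer buys you: an attacker who captures a valid code in transit cannot log in with it during the remaining seconds of its lifetime once you have used it. Widening the window only trades tolerance of clock drift for a larger set of codes accepted at any instant, which is why the prompt's default of 3 is the sensible choice on a server with NTP.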

After answering the questions above, open the SSH PAM configuration file by running the command below.

sudo nano /etc/pam.d/sshd

Then add the last line shown below (the auth line) at the end of the file and save it.

# Standard Un*x password updating.
@include common-password
auth required pam_google_authenticator.so

Next, open the SSH daemon configuration file by running the command below.

sudo nano /etc/ssh/sshd_config

Then set the ChallengeResponseAuthentication line to yes, as shown below, and save the file.

# Change to yes to enable challenge-response passwords (beware issues with
# some PAM modules and threads)
ChallengeResponseAuthentication yes

Restart the SSH server and you’re done.

sudo systemctl restart ssh

Now grab your mobile device and download the Google Authenticator app from the Play Store or App Store. You’ll always use this to view the token needed to authenticate. Then add a new account, providing a name and the secret key shown above.

Summary:

This post shows you how to harden SSH by adding two-factor authentication. When two-factor authentication is enabled, users must type their username and password as well as a security token provided by the Google Authenticator app on their mobile devices.

This is a great way to enhance SSH security.
