Setup Google Authenticator for SSH on Ubuntu

This brief tutorial shows students and new users how to set up two-factor or multi-factor authentication for SSH on Ubuntu 20.04 | 18.04 using Google Authenticator.

If you access your server remotely via SSH and want another layer of security so that unauthorized users and threat actors can't log in, adding two-factor authentication is a great move.

Two-factor authentication requires users to provide an additional detail, such as a random code or OTP (One Time Password), on top of the standard username and password.

We previously showed you how to set up two factor authentication with Ubuntu using Google Authenticator.

To get started with setting up two-factor authentication for SSH on Ubuntu using Google authenticator, follow the steps below:

Install Google Authenticator

Before you can configure the SSH server to enable two-factor or multi-factor access, you must first install Google Authenticator.

Since we've already shown you how to install Google Authenticator on Ubuntu and set it up on your mobile device, please refer to that post so we don't repeat it here.

After completing the steps above, continue below.

Configure Two-factor SSH

Now that you have installed Google Authenticator on Ubuntu and your mobile device, continue below to configure the SSH server to use it.

To set up SSH, run the command below to open its default configuration file on Ubuntu.

sudo nano /etc/ssh/sshd_config

Next, make the changes shown below in the file for this to work.

# Authentication:
#LoginGraceTime 2m
PermitRootLogin yes
#StrictModes yes
MaxAuthTries 3

#MaxSessions 10

# Change to yes to enable challenge-response passwords (beware issues with
# some PAM modules and threads)
ChallengeResponseAuthentication yes


# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
UsePAM yes

Save and exit.

Next, run the command below to open the PAM SSH configuration file in Ubuntu.

sudo nano /etc/pam.d/sshd

Then append the pam_google_authenticator.so line shown below and save.

# PAM configuration for the Secure Shell service

# Standard Un*x authentication.
@include common-auth
# Disallow non-root logins when /etc/nologin exists.
account    required     pam_nologin.so

auth   required   pam_google_authenticator.so

Save the file and exit.

After making the changes above, restart the SSH server.

sudo systemctl restart sshd

Now test it out. You should be prompted for a one-time code every time you attempt to sign in.

If you have set up SSH public key authentication, you'll also want to add this line to the main SSH configuration file at /etc/ssh/sshd_config.

AuthenticationMethods publickey,keyboard-interactive

Then make sure this line is included in the PAM SSH rule file at /etc/pam.d/sshd.

auth   required   pam_google_authenticator.so

Save your changes in both files and exit, then restart SSH.

sudo systemctl restart sshd

That should do it!
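
To confirm that the two files actually carry the settings described above, the following check script can be run against them. It is an added example, not part of the original tutorial; the function names sshd_value and audit_ssh_2fa and the sample files are constructed for this example, and it assumes global settings only (no Match blocks or Include files).

```shell
#!/bin/sh
# Added example: audit the two files this tutorial edits.

# Effective value of keyword $2 in sshd_config $1. sshd keeps the first
# occurrence of a keyword and matches it case-insensitively. Assumption:
# only global settings are read (stops at the first Match block) and
# Include directives are not followed.
sshd_value() {
    awk -v key="$2" '
        { sub(/[ \t]*=[ \t]*/, " ") }          # accept the "Keyword=value" form
        tolower($1) == "match" { exit }
        tolower($1) == tolower(key) { $1 = ""; sub(/^ +/, ""); print tolower($0); exit }
    ' "$1"
}

# Audit sshd_config ($1) and the PAM sshd file ($2); returns 0 only if every check passes.
audit_ssh_2fa() {
    rc=0
    for kw in ChallengeResponseAuthentication UsePAM; do
        if [ "$(sshd_value "$1" "$kw")" != yes ]; then
            echo "FAIL: $kw is not explicitly set to yes"; rc=1
        fi
    done
    if ! grep -Eq '^[[:space:]]*auth[[:space:]].*pam_google_authenticator\.so' "$2"; then
        echo "FAIL: no active pam_google_authenticator.so auth line"; rc=1
    fi
    # Each space-separated list in AuthenticationMethods is an alternative;
    # a list without keyboard-interactive lets a login skip the one-time code.
    methods=$(sshd_value "$1" AuthenticationMethods)
    [ -n "$methods" ] || echo "NOTE: AuthenticationMethods unset; public key logins skip PAM and the OTP"
    for list in $methods; do
        case $list in
            *keyboard-interactive*) ;;
            *) echo "FAIL: method list '$list' bypasses the OTP prompt"; rc=1 ;;
        esac
    done
    [ "$rc" -eq 0 ] && echo "OK: settings match the tutorial"
    return "$rc"
}

# Constructed sample files mirroring the settings shown in this tutorial.
demo=$(mktemp -d)
printf '%s\n' '#UsePAM no' 'MaxAuthTries 3' 'ChallengeResponseAuthentication yes' \
    'UsePAM yes' 'AuthenticationMethods publickey,keyboard-interactive' > "$demo/sshd_config"
printf '%s\n' '@include common-auth' \
    'auth   required   pam_google_authenticator.so' > "$demo/pam_sshd"
audit_ssh_2fa "$demo/sshd_config" "$demo/pam_sshd"
```

On the server itself, call audit_ssh_2fa with /etc/ssh/sshd_config and /etc/pam.d/sshd as arguments. Running sudo sshd -t before the restart checks the configuration file for syntax errors, and keeping an existing SSH session open until a fresh login succeeds avoids locking yourself out.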

Conclusion:

This post showed you how to configure SSH to accept two-factor authentication using Google Authenticator.
