How to Enable Two-Factor Authentication (2FA) for SSH on Linux

June 8, 2023, Linux

In this article, we will show you how to enable two-factor authentication (2FA) for SSH login on Linux using the Google Authenticator PAM (Pluggable Authentication Module) and the Microsoft Authenticator mobile app. 2FA adds an extra security layer when you authenticate on a Linux host over SSH. After enabling 2FA, you will have to enter a time-based one-time password (TOTP) from your smartphone in addition to your username and password (or RSA key) to SSH into Linux.

Install the Microsoft Authenticator mobile app on your smartphone (it is available in both Google Play and the App Store).

In this guide, I have selected Microsoft Authenticator since I am already using it for MFA authentication in Azure. If you want, you can use Google Authenticator instead.

Now you need to install and configure the Google PAM on your Linux host:

  1. Connect to your Linux host over SSH;
  2. Install the Google PAM Authenticator using your package manager:
    Debian/Ubuntu: sudo apt-get install libpam-google-authenticator
    RHEL/CentOS/Fedora: sudo yum install google-authenticator
  3. Run the command: google-authenticator
  4. The tool generates a QR code and displays it in the console;
  5. Open the Microsoft Authenticator app on your smartphone. Select Add account -> Personal account -> Scan a QR Code;
  6. Scan the QR code with the app. A new entry for your username and server appears in the Authenticator app. You will use this entry to get the one-time password when connecting to your host;
  7. Note that a secret key and emergency codes are shown in your Linux console;
    You will need these codes to connect to your host if you lose/break your smartphone. Keep them in a safe place!
  8. Then google-authenticator asks some more questions:
  9. Do you want authentication tokens to be time-based? Y -> Enter
  10. Do you want me to update your “/home/sysops/.google_authenticator” file? Y -> Enter
  11. Do you want to disallow multiple uses of the same authentication token? Y -> Enter
  12. By default, tokens are good for 30 seconds… Y -> Enter
    By default, the one-time token changes every 30 seconds. This is the best option for most cases. However, it is important that your Linux host and smartphone are time synchronized.
  13. Do you want to enable rate-limiting? Y -> Enter
    You can configure all settings at once: $ google-authenticator -t -f -d -w 3 -e 5 -r 3 -R 30
    -t – use time-based (TOTP) tokens
    -f – saves the configuration to ~/.google_authenticator without prompting
    -d – denies reuse of a code that has already been used
    -w 3 – allows one previous and one subsequent token in addition to the current one (if time is not synchronized)
    -e 5 – generates 5 emergency codes
    -r 3 -R 30 – allows no more than 3 login attempts every 30 seconds
  14. Then add the following directive to /etc/pam.d/sshd:
    auth required pam_google_authenticator.so nullok
    The nullok option allows a user who has not set up two-factor authentication to log on using only a username and password. After 2FA has been configured and tested, it is recommended to remove this option so that two-factor authentication is required for everyone.
  15. Then edit /etc/ssh/sshd_config: sudo mcedit /etc/ssh/sshd_config
  16. Change the ChallengeResponseAuthentication value to yes:
    ChallengeResponseAuthentication yes
  17. Save the changes in sshd_config and restart sshd: service ssh restart

Then try to connect to your Linux host over SSH. You will be asked to enter a verification code before entering a password.

Open the Authenticator app on your smartphone and find the entry for your Linux host user. Enter the 6-digit one-time password code that the Authenticator generated for you into the console.

Note that the one-time password code is valid for a limited time (30 seconds by default). If you have entered the correct code, you will be prompted to enter your Linux user password.

If the logon is successful, the following line appears in the authentication log:

cat /var/log/auth.log

Jul 20 11:12:22 srvubun01 sshd(pam_google_authenticator)[6242]: Accepted google_authenticator for sysops

If the incorrect code is entered, the log shows errors:

Jul 20 11:14:20 srvubun01 sshd(pam_google_authenticator)[6436]: Invalid verification code for sysops
Jul 20 11:14:22 srvubun01 sshd[6436]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.10.15 user=sysops
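To turn the log lines above into a detection, here is an added example (not from the article) that joins each "Invalid verification code" event to the pam_unix failure line logged by the same sshd PID, which carries the client address, and reports sources that burn through several wrong codes in a short window. The sample log lines are constructed in the format shown above, and the year added to the syslog timestamps is an assumption.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample in the format of the auth.log lines above (not a real capture).
SAMPLE_LOG = """\
Jul 20 11:12:22 srvubun01 sshd(pam_google_authenticator)[6242]: Accepted google_authenticator for sysops
Jul 20 11:14:20 srvubun01 sshd(pam_google_authenticator)[6436]: Invalid verification code for sysops
Jul 20 11:14:22 srvubun01 sshd[6436]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.10.15 user=sysops
Jul 20 11:14:25 srvubun01 sshd(pam_google_authenticator)[6440]: Invalid verification code for sysops
Jul 20 11:14:27 srvubun01 sshd[6440]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.10.15 user=sysops
Jul 20 11:14:31 srvubun01 sshd(pam_google_authenticator)[6445]: Invalid verification code for sysops
Jul 20 11:14:33 srvubun01 sshd[6445]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.10.15 user=sysops
"""
LINE_RE = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd(?:\(pam_google_authenticator\))?"
                     r"\[(?P<pid>\d+)\]: (?P<msg>.*)$")
INVALID_RE = re.compile(r"Invalid verification code for (?P<user>\S+)")
RHOST_RE = re.compile(r"rhost=(?P<rhost>\S+) user=(?P<user>\S+)")

def parse_ts(ts: str, year: int = 2023) -> datetime:
    # syslog timestamps carry no year; 2023 is assumed for the constructed sample
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")

def invalid_code_alerts(log_text: str, max_failures: int = 3, window_s: int = 60) -> list:
    """Return (user, rhost, failures) for each source that sent max_failures wrong codes
    within window_s seconds. The PAM line names the user but not the client, so it is
    joined to the pam_unix failure line logged by the same sshd PID, which carries rhost=."""
    pending = {}                    # pid -> (timestamp, user) awaiting its rhost line
    failures = defaultdict(deque)   # (user, rhost) -> timestamps of wrong codes
    alerts = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, pid, msg = parse_ts(m["ts"]), m["pid"], m["msg"]
        bad = INVALID_RE.search(msg)
        if bad:
            pending[pid] = (ts, bad["user"])
            continue
        rh = RHOST_RE.search(msg)
        if rh and pid in pending:
            first_ts, user = pending.pop(pid)
            key = (user, rh["rhost"])
            recent = failures[key]
            recent.append(first_ts)
            while (first_ts - recent[0]).total_seconds() > window_s:
                recent.popleft()
            if len(recent) == max_failures:   # fires once when the threshold is crossed
                alerts.append((user, rh["rhost"], len(recent)))
    return alerts
```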

If you want to use 2FA together with the SSH key authentication, add the following directives to /etc/ssh/sshd_config:

PasswordAuthentication no
PubkeyAuthentication yes
AuthenticationMethods publickey,keyboard-interactive
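An added example, not the article's own code, for applying the directives above without the two mistakes that commonly make the change silently ineffective: leaving a commented-out or duplicate line in place, and appending the directives after a Match block so that they apply only to that block. The directive table and function name are this example's.

```python
import re

# Directives from the article for key + one-time-code login (the dict is this example's,
# not the site's). ChallengeResponseAuthentication is spelled KbdInteractiveAuthentication
# on OpenSSH 8.7 and later; the old name is still accepted as an alias.
KEY_PLUS_OTP = {
    "ChallengeResponseAuthentication": "yes",
    "PasswordAuthentication": "no",
    "PubkeyAuthentication": "yes",
    "AuthenticationMethods": "publickey,keyboard-interactive",
}

# optional '#', keyword, value (matches both live and commented-out directives)
DIRECTIVE_RE = re.compile(r"^\s*(#\s*)?([A-Za-z]+)\s+(\S.*)$")

def set_directives(config_text: str, wanted: dict) -> str:
    """Set each wanted directive exactly once in the global section of an sshd_config.
    Existing or commented-out global occurrences are replaced; anything still missing
    is inserted before the first 'Match' block, because a line placed after 'Match'
    applies only to that block. sshd keeps the first value it reads for a keyword,
    so an earlier 'Include' file can still win; check the effective result with 'sshd -T'."""
    out, done = [], set()
    insert_at = None      # index in out of the first Match line
    in_match = False
    for line in config_text.splitlines():
        m = DIRECTIVE_RE.match(line)
        commented, name = (m.group(1), m.group(2)) if m else (None, None)
        if name and name.lower() == "match" and not commented:
            in_match = True
            if insert_at is None:
                insert_at = len(out)
        if not in_match and name in wanted:
            if name not in done:            # first occurrence: rewrite with the wanted value
                out.append(f"{name} {wanted[name]}")
                done.add(name)
            continue                        # later duplicates (live or commented) are dropped
        out.append(line)
    missing = [f"{k} {v}" for k, v in wanted.items() if k not in done]
    if insert_at is None:
        insert_at = len(out)
    out[insert_at:insert_at] = missing
    return "\n".join(out) + "\n"
```

Run sshd -t on the rewritten file before restarting the service, and sshd -T afterwards to confirm the effective values.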

2 comments

Some One July 21, 2022 - 4:13 pm

Thank you so much for this awesome tutorial!

xyu August 24, 2022 - 6:16 am

Nice functionality! Much appreciated!
