{"id":1951,"date":"2019-01-08T08:30:42","date_gmt":"2019-01-08T05:30:42","guid":{"rendered":"http:\/\/kifarunix.com\/?p=1951"},"modified":"2019-01-08T10:30:14","modified_gmt":"2019-01-08T07:30:14","slug":"enable-ssh-2-factor-authentication-on-ubuntu-18-04","status":"publish","type":"post","link":"https:\/\/kifarunix.com\/enable-ssh-2-factor-authentication-on-ubuntu-18-04\/","title":{"rendered":"Enable SSH 2-Factor Authentication on Ubuntu 18.04"},"content":{"rendered":"

Welcome to our guide on how to enable SSH 2-Factor authentication on Ubuntu 18.04 system.<\/p>\n

\"enable<\/a><\/p>\n

Under normal circumstances, we usually login to a remote system with SSH using either a normal username and password combination or a public key. In order to add another layer of security such that you need to verify who you tell the system you are, you need to configure two-factor authentication<\/span><\/code> (2FA), a subset of multi-factor authentication. In this guide, we are going to use Google Authenticator on Ubuntu 18.04 to enable the 2FA. Without much theory, let’s get to it.<\/p>\n

Enable SSH 2-Factor Authentication on Ubuntu 18.04<\/h2>\n

To enable SSH 2FA on Ubuntu 18.04 system, proceed as follows;<\/p>\n

Install Google Authenticator PAM<\/h3>\n

Google Authenticator is a Pluggable Authentication Module for Linux systems that generates Time-based One-Time Password (TOTP) used for authentication. This module is available on the default Ubuntu repositories and can be simply installed by running the command below;<\/p>\n

apt install libpam-google-authenticator<\/code><\/pre>\n
Generate the TOTP for users<\/h3>\n
To enable 2FA for a user, you need generate the TOTP for each one of them that you need to enable 2FA for by running the command;<\/p>\n
google-authenticator<\/code><\/pre>\n
The google-authenticator<\/code> command will prompt for some information required to enable 2FA for a user.<\/p>\n
The first prompt will ask you to choose whether to generate time-based authentication tokens. There are two types of authentication tokens for Google authenticator PAM; sequential-based tokens<\/code> and time-based tokens<\/code>. While sequential-based tokens provides a code that increments from a specific after every use, time-based tokens will keep changing randomly every time. Hence, type y and press Enter to generate time-based tokens.<\/p>\n
Do you want authentication tokens to be time-based (y\/n) y<\/code><\/pre>\n
This generates a large QR code along with the secret key, the verification code and emergency recovery codes.<\/p>\n
Proceed to configure Google Authenticator by updating the configuration file, .google_authenticator<\/code>.<\/p>\n
Do you want me to update your \"\/home\/amos\/.google_authenticator\" file? (y\/n) y<\/code><\/pre>\n
Disable multiple uses of the same authentication token to prevent MITMA<\/p>\n
Do you want to disallow multiple uses of the same authentication\r\ntoken? This restricts you to one login about every 30s, but it increases\r\nyour chances to notice or even prevent man-in-the-middle attacks (y\/n) y<\/code><\/pre>\n
Set the token to expire immediately after use to prevent replay attacks.<\/p>\n
By default, a new token is generated every 30 seconds by the mobile app.\r\nIn order to compensate for possible time-skew between the client and the server,\r\nwe allow an extra token before and after the current time. This allows for a\r\ntime skew of up to 30 seconds between authentication server and client. If you\r\nexperience problems with poor time synchronization, you can increase the window\r\nfrom its default size of 3 permitted codes (one previous code, the current\r\ncode, the next code) to 17 permitted codes (the 8 previous codes, the current\r\ncode, and the 8 next codes). This will permit for a time skew of up to 4 minutes\r\nbetween client and server.\r\nDo you want to do so? (y\/n) y<\/code><\/pre>\n
Enable rate-limiting to prevent brute-force attacks. This allows a certain number of login attempts after which you are blocked.<\/p>\n
If the computer that you are logging into isn't hardened against brute-force\r\nlogin attempts, you can enable rate-limiting for the authentication module.\r\nBy default, this limits attackers to no more than 3 login attempts every 30s.\r\nDo you want to enable rate-limiting? (y\/n) y<\/code><\/pre>\n
To backup your secret, copy the .google_authenticatoe<\/code> file and save it somewhere safe.<\/p>\n
Enable SSH 2FA on Ubuntu 18.04<\/h3>\n
To enable SSH 2FA, you need to configure SSH as follows;<\/p>\n
Edit the \/etc\/pam.d\/sshd<\/code> and add the line,\u00a0auth required pam_google_authenticator.so<\/code>, at the end of the file.<\/p>\n
vim \/etc\/pam.d\/sshd<\/code><\/pre>\n
auth required pam_google_authenticator.so<\/code><\/pre>\n
If you need to make 2FA optional such that those who don’t have the TOTP token can login with their password or SSH key, you can add the keyword nullok<\/code> on the same line as in;<\/p>\n
auth required pam_google_authenticator.so nullok<\/span><\/code><\/pre>\n
Enable challenge-response passwords on SSH by editing the SSH configuration file and setting the value of ChallengeResponseAuthentication no<\/code> to yes<\/code>.
\n<\/span><\/p>\n
vim \/etc\/ssh\/sshd_config<\/code><\/pre>\n
ChallengeResponseAuthentication yes<\/code><\/pre>\n
Restart the SSH daemon<\/p>\n
systemctl restart sshd<\/code><\/pre>\n
Assuming you have already install the Google Authenticator App on your phone, you need to add the secret key generated to make it work. To simplify this, open the generated QR code link on the browser to access a sizeable QR code.<\/p>\n