How to Set Up Two-Factor Authentication for SSH in Linux

Secure Shell, or SSH, is a cryptographic network protocol that enables secure access to devices over an unsecured network. It finds its applications in various use-cases, such as remote login, remote command-line access, and remote command execution.

If you’ve used SSH, you already know that it uses a single-factor authentication mechanism: either an SSH key or a password. Although this may not seem alarming at the outset, it means that anyone who guesses, steals or otherwise obtains that single credential can log in as you.

It’s, therefore, often recommended to enable two-factor authentication (2FA) for SSH to strengthen its security. In this article, we will discuss two-factor authentication in detail, along with a comprehensive guide on how to enable 2FA for SSH.

What Is Two-Factor Authentication?

Two-factor authentication, or 2FA, is a form of multi-factor authentication (MFA) mechanism that requires a second factor of authentication, in addition to the first factor, to authenticate your login and protect your account from unauthorized access.

You can think of 2FA as a verification code generated either by a code-generator app or a hardware token generator, which you need to provide at the time of login, after entering your password, to access your account.

When you sign up for an account on any online service, you create a password to secure it. This password acts as your first authentication factor, and it’s required by the service to authenticate you every time you log in to your account.

Why Should You Enable 2FA for SSH?

SSH, by default, authenticates you with either a public key or a password before establishing a connection between you and the other device/server.

In general, this configuration works absolutely fine, and you can get away with it in most cases. However, for times when you connect to a device/server that’s holding sensitive or personal information over SSH, you need an extra layer of protection on that system.

One way to do this is to enable two-factor authentication on the server/host computer, which protects its access over SSH and requires a second authentication factor for authenticating the client login.

As a result, even if someone manages to get hold of the account’s SSH password, they still can’t access the system over SSH unless they also provide the 2FA code.


How to Set Up 2FA for SSH in Linux

Getting 2FA for SSH up and running on Linux involves a series of steps. Here’s a breakdown of each step to guide you through the process.

Prerequisites

It goes without saying that you need an SSH server program installed on the system on which you want to enable 2FA. To verify this, open the terminal and type:

ssh -V

If you have an SSH server installed, move on to the next step. If not, enter the following command to install it:

sudo apt install openssh-server

Once the installation is complete, verify if SSH is enabled on the system. To do this, enter:

sudo systemctl status ssh

If your status reflects Active: active (running), you can proceed further. But in case it shows otherwise, enter the following command:

sudo systemctl enable ssh

In some cases, the firewall configuration can block SSH connections, and you might need to issue the following command to allow SSH through the firewall (ufw) on your system.

sudo ufw allow ssh

Step 1: Installing Google Authenticator PAM

With the OpenSSH server up and running on your host machine, the very first thing you need to do is install a Pluggable Authentication Module (PAM), which offers the necessary infrastructure to integrate multi-factor authentication for SSH in Linux.

Google Authenticator PAM is the most popular choice in this regard since it’s easier to implement and use than some of the other authentication modules. It offers all the necessary infrastructure required to authenticate users using Time-based One-time Password (TOTP) codes and has code generator apps available on Android and iOS.

To install Google Authenticator PAM, open a terminal window and run the following command:

sudo apt install libpam-google-authenticator

Enter y at the installation prompt to confirm the process.

Step 2: Configuring SSH

With Google Authenticator PAM now installed on your system, it’s time to make SSH use this module for authentication. For this, you need to edit a couple of configuration files.

We recommend taking a backup of these files to avoid running into problems if something goes wrong during the process. Once done, continue with the following steps:

  1. Open the PAM configuration file using nano. Feel free to use any other Linux text editor.
    sudo nano /etc/pam.d/sshd
  2. Append the following line to the file.
    auth required pam_google_authenticator.so
  3. Save and exit the file editing window.
  4. Restart the sshd service using systemctl.
    sudo systemctl restart sshd.service

Next, edit the SSH configuration file, which is responsible for SSH configuration.

  1. Open the file using nano.
    sudo nano /etc/ssh/sshd_config
  2. In this file, find the line ChallengeResponseAuthentication no and change its value from “no” to “yes”. This instructs SSH to prompt for an authentication code whenever someone attempts to log in to the system.
  3. Save the file and restart the SSH daemon.
    sudo systemctl restart sshd.service
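The two edits above as an idempotent Python script, added here as an example (it is not from the article or from any project): it backs up both files first, applies each change only once, and runs sshd -t before anything is restarted; the file paths are the ones the article uses.

```python
import re
import shutil
import subprocess
import time
from pathlib import Path

PAM_LINE = "auth required pam_google_authenticator.so"
SSHD_KEY, SSHD_VALUE = "ChallengeResponseAuthentication", "yes"

def backup(path):
    """Copy the file aside before editing it, as the article recommends."""
    dest = path.with_name(f"{path.name}.bak-{time.strftime('%Y%m%d%H%M%S')}")
    shutil.copy2(path, dest)
    return dest

def ensure_pam_line(text):
    """Append the Google Authenticator module line once; rerunning must not duplicate it."""
    active = [line.strip() for line in text.splitlines() if not line.lstrip().startswith("#")]
    if PAM_LINE in active:
        return text
    base = text.rstrip("\n")
    return (base + "\n" if base else "") + PAM_LINE + "\n"

def set_sshd_option(text, key, value):
    """Set `key value` in sshd_config. sshd honours the first active occurrence, so that
    line is rewritten; otherwise a commented-out default is uncommented, else it is appended.
    (A first occurrence inside a Match block would need manual attention.)"""
    lines = text.splitlines()
    for rx in (re.compile(rf"^\s*{key}\b", re.I), re.compile(rf"^\s*#\s*{key}\b", re.I)):
        for i, line in enumerate(lines):
            if rx.match(line):
                lines[i] = f"{key} {value}"
                return "\n".join(lines) + "\n"
    lines.append(f"{key} {value}")
    return "\n".join(lines) + "\n"

def apply_2fa_config(pam_path, sshd_path):
    """Back up both files, apply the two edits, and syntax-check sshd_config before any restart."""
    for path in (pam_path, sshd_path):
        backup(path)
    pam_path.write_text(ensure_pam_line(pam_path.read_text()))
    sshd_path.write_text(set_sshd_option(sshd_path.read_text(), SSHD_KEY, SSHD_VALUE))
    # `sshd -t` parses the config and exits non-zero on error: never restart on a broken file.
    subprocess.run(["sshd", "-t", "-f", str(sshd_path)], check=True)

if __name__ == "__main__":
    apply_2fa_config(Path("/etc/pam.d/sshd"), Path("/etc/ssh/sshd_config"))
```

Because the line uses required without nullok, any account that has not yet run google-authenticator (Step 3) is refused password logins over SSH, so keep your current session open until a fresh login has succeeded. Public-key logins bypass this PAM prompt unless sshd’s AuthenticationMethods also requires keyboard-interactive.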

Step 3: Configuring Authenticator on Linux

Now that you’ve installed and configured SSH, you need to configure Google Authenticator to generate TOTP codes.

For this, open the terminal and initiate Google Authenticator with the following command:

google-authenticator

Google Authenticator will now present you with a series of questions. Answer each with either yes (y) or no (n). For most questions, yes is the default and the recommended answer unless you have a reason to pick the non-default option.

Here’s a list of questions, in shortened form, that the app will ask you:

  • Make authentication tokens time-based (y/n): y
  • Update your “~/.google_authenticator” file (y/n): y
  • Disallow multiple uses of the same authentication token?: y
  • Increase code generation frequency (y/n): n
  • Enable rate-limiting (y/n): y
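Added example, not part of the original article or of the google-authenticator module: the TOTP scheme behind those questions (RFC 6238, HMAC-SHA1, 6 digits, 30-second steps) in Python, with a server-side check that tolerates one step of clock skew and refuses a code that has already been used, which is what “disallow multiple uses” means. The secret is the RFC 6238 test seed, not one taken from a real ~/.google_authenticator file.

```python
import base64
import hashlib
import hmac
import struct
import time

STEP = 30     # default time step; answering "n" to "increase code generation frequency" keeps 30 s
DIGITS = 6

def totp(secret_b32, at_time=None, step=STEP, digits=DIGITS):
    """RFC 6238 TOTP with HMAC-SHA1 from a base32 secret like the one shown under the QR code."""
    secret_b32 = secret_b32.strip().replace(" ", "").upper()
    key = base64.b32decode(secret_b32 + "=" * (-len(secret_b32) % 8))
    counter = int((time.time() if at_time is None else at_time) // step)
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                   # dynamic truncation (RFC 4226)
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return str(code).zfill(digits)

class TotpVerifier:
    """Server-side check modelled on the options the questions set: time-based codes,
    a small clock-skew window, and "disallow multiple uses of the same token"."""
    def __init__(self, secret_b32, window=1):
        self.secret = secret_b32
        self.window = window          # accept codes from this many steps before/after now
        self.used_counters = set()    # the real module persists this in ~/.google_authenticator

    def verify(self, code, at_time=None):
        base = int((time.time() if at_time is None else at_time) // STEP)
        for delta in range(-self.window, self.window + 1):
            counter = base + delta
            if hmac.compare_digest(totp(self.secret, counter * STEP), code):
                if counter in self.used_counters:             # replayed token: refuse it
                    return False
                self.used_counters.add(counter)
                return True
        return False

if __name__ == "__main__":
    # Constructed demo using the RFC 6238 test seed (base32 of "12345678901234567890").
    demo_secret = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
    print("current code:", totp(demo_secret))
```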

Step 4: Configuring Authenticator on Phone

As soon as you respond to the first Google Authenticator question with a yes, the Google Authenticator PAM will generate a QR code on your screen along with a secret key and a few recovery codes. Follow the steps below to register Google Authenticator on your phone.

But first, you need to download the Google Authenticator app on your smartphone.

Download: Google Authenticator for Android | iOS (Free)

  1. Click on the Plus (+) sign and select Scan a code from the menu options.
  2. Point your device’s camera to the QR code on your computer screen to automatically create an entry on the app.
  3. Alternatively, select Enter a setup key from the Plus (+) menu and fill in the required entries. For this, first, give a name to your entry — it should be something that you can easily recognize — and then, type the secret key displayed below the QR code on your screen.
  4. Finally, tap Add to save the entry.

As a precautionary measure, copy all the recovery codes displayed below the QR code and save them to a safe location. You will need them if you can’t access Google Authenticator on your phone or lose access to it.


Securing SSH Access on Linux With 2FA

If you followed the above instructions correctly, you should have two-factor authentication for SSH enabled on your Linux system.

Now, every time you want to access this server/device over SSH, you’ll first need to enter the SSH password (first factor) and then the TOTP code (second factor) from the Google Authenticator app to authenticate your login. This is a great way to protect your remote SSH logins from intruders on the internet.

Source: makeuseof.com
