By itself, SSH is already a secured way of connecting to a remote machine, but if you are still keen to add additional security to your SSH connection, you can add a two-factor authentication so you will be prompted to enter a random verification code when you connect via SSH. We have shown you how to do so in WordPress, LastPass, Facebook, Dropbox and Google. Here, we will show you how to add two-factor authentication to your SSH connection.
Note: This instruction here is based on Ubuntu server. If you are using another distro, some of the commands might vary.
On the machine that you want to install the two factor authentication, open a terminal session (if you have already logged into the remote machine, you are already in a terminal session). Type the following:
wget https://google-authenticator.googlecode.com/files/libpam-google-authenticator-1.0-source.tar.bz2 tar -xvf libpam-google-authenticator-1.0-source.tar.bz2
This will grab the google authenticator module and extract it to your Home folder (assuming you are on the home folder). Note that you can also use
git to clone the full google authenticator pacakge, but you need to have git installed in your system and it will fetch unwanted modules as well.
Next, we will install the dependencies and compile/install the module.
sudo apt-get install libpam0g-dev cd libpam-google-authenticator-1.0 make sudo make install
To complete the installation, run:
You will be prompted with a series of question. In most situation, you can type “y” (yes) as the answer. Anytime you have got the settings wrong, you can type
google-authenticator again to reset the settings.
- Do you want authentication tokens to be time-based (y/n)
After this question, you should see your secret key and emergency code. Record and save the detail. You will need the secret key to setup the Google Authenticator app later.
- Do you want me to update your “/home/username/.google_authenticator” file (y/n)
- Do you want to disallow multiple uses of the same authentication token? This restricts you to one login about every 30s, but it increases your chance to notice or even prevent man-in-the-middle attacks (y/n)
- By default, tokens are good for 30 seconds and in order to compensate for possible time-skew between the client and the server, we allow an extra token before and after the current time. If you experience problems with poor time synchronization, you can increase the window from its default size of 1:30min to about 4min. Do you want to do so (y/n)
- If the computer that you are logging into isn’t hardened against brute-force login attempts, you can enable rate-limiting for the authentication module. By default, this limits attackers to no more than 3 login attempts every 30s. Do you want to enable rate-limiting (y/n)
Configuring your SSH to use the Google Authenticator module
sudo nano /etc/pam.d/sshd
Add this line to the top of the file:
auth required pam_google_authenticator.so
Save (Ctrl + o) and exit (Ctrl + x) the file.
Next, open the
sudo nano /etc/ssh/sshd_config
Scroll down the list till you find the line:
Change it to “yes”, so it becomes:
Save and exit the file.
Lastly, restart the ssh server:
sudo service ssh restart
Setting up new account in your Google Authenticator app
1. Open the Google Authenticator app in your smartphone. Press Menu and select “setup an account”.
2. Press “Enter key provided”.
3. Give your account a name and enter the secret key generated earlier.
Now when you connect via SSH to your remote computer, you will see the request for the verification key.
Note: The two-factor authentication only works for password-based login. If you are already using a public/private key for your SSH session, it will bypass the two-factor authentication and log you in directly.