How to Enable Two-Factor Authentication for SSH Connection

By itself, SSH is already a secure way of connecting to a remote machine, but if you want an extra layer of protection on your SSH logins, you can add two-factor authentication so that you are prompted for a time-based one-time code when you connect. We have shown you how to do this for WordPress, LastPass, Facebook, Dropbox and Google. Here, we will show you how to add two-factor authentication to your SSH connection.

Note: These instructions are based on Ubuntu Server. If you are using another distro, some of the commands may differ.

On the machine you want to protect with two-factor authentication, open a terminal session (if you are already logged in to the remote machine over SSH, you are already in one). Type the following:

wget https://google-authenticator.googlecode.com/files/libpam-google-authenticator-1.0-source.tar.bz2
tar -xvf libpam-google-authenticator-1.0-source.tar.bz2

This downloads the Google Authenticator PAM module and extracts it into the current directory. You can also use git to clone the full google-authenticator repository, but that requires git to be installed and fetches components you do not need. On current Ubuntu releases the module is also available as the libpam-google-authenticator package, which lets you skip the download and build steps below.

Next, install the build dependency and compile/install the module (if make or a C compiler is missing, install build-essential first):

sudo apt-get install libpam0g-dev
cd libpam-google-authenticator-1.0
make
sudo make install

To complete the setup, run the following as the user who will be logging in over SSH (not as root), because the secret it creates is stored in that user's home directory:

google-authenticator

You will be prompted with a series of questions. In most situations, you can answer "y" (yes) to each. If you get a setting wrong, you can run google-authenticator again to start over; note that this generates a new secret, so you will have to re-enrol the app.

  • Do you want authentication tokens to be time-based (y/n)

After this question, you should see your secret key and a set of emergency scratch codes. Record them somewhere safe: you will need the secret key to set up the Google Authenticator app later, and each emergency code lets you log in once if you lose your phone.


  • Do you want me to update your “/home/username/.google_authenticator” file (y/n)
  • Do you want to disallow multiple uses of the same authentication token? This restricts you to one login about every 30s, but it increases your chance to notice or even prevent man-in-the-middle attacks (y/n)
  • By default, tokens are good for 30 seconds and in order to compensate for possible time-skew between the client and the server, we allow an extra token before and after the current time. If you experience problems with poor time synchronization, you can increase the window from its default size of 1:30min to about 4min. Do you want to do so (y/n)
  • If the computer that you are logging into isn’t hardened against brute-force login attempts, you can enable rate-limiting for the authentication module. By default, this limits attackers to no more than 3 login attempts every 30s. Do you want to enable rate-limiting (y/n)

Open the pam.d/sshd file:

sudo nano /etc/pam.d/sshd

Add this line to the top of the file. With "required", sshd asks for the verification code before the password, and a wrong code fails the login without revealing which factor was wrong. Be aware that any account without a ~/.google_authenticator file will no longer be able to log in; if you want such accounts to keep password-only access until they enrol, append the nullok option to the line.

auth       required     pam_google_authenticator.so

Save (Ctrl + o) and exit (Ctrl + x) the file.

Next, open the sshd_config file

sudo nano /etc/ssh/sshd_config

Scroll down until you find the line:

ChallengeResponseAuthentication no

Change it to “yes”, so it becomes:

ChallengeResponseAuthentication yes

Save and exit the file. Two things to check while you are in there: UsePAM must be "yes" (the Ubuntu default), or the PAM module is never consulted; and on OpenSSH 8.7 and later the directive has been renamed KbdInteractiveAuthentication, with ChallengeResponseAuthentication kept only as a deprecated alias, so newer configs may show that name instead.

Lastly, restart the SSH server. Keep your current session open and test the new login from a second terminal, so that a mistake in either file does not lock you out:

sudo service ssh restart

1. Open the Google Authenticator app on your smartphone. Press Menu and select "Set up account".


2. Press “Enter key provided”.


3. Give your account a name and enter the secret key generated earlier.

Done.

Now when you connect via SSH to your remote computer, you will be asked for the verification code before your password.


Note: With this configuration, the second factor only applies to keyboard-interactive (password) logins. Public-key authentication does not pass through PAM's auth stack, so if you already log in with a public/private key pair, the key alone gets you in and the verification code is never requested. If you want a key and a code, set AuthenticationMethods to "publickey,keyboard-interactive" in sshd_config (OpenSSH 6.2 or later); sshd then requires both to succeed, in that order.
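The server-side steps above, including the key-plus-code variant from the note, collected into one script. This is an added example, not code from the original article or from the google-authenticator project; the function names, the file layout and the `--apply` / `require-key` arguments are this example's own choices. It edits the two files idempotently, inserts sshd directives above any Match block (a directive appended after a Match line would be scoped to that block), and refuses to restart sshd if the configuration does not pass sshd -t. Without `--apply` it only defines the functions, so it can be exercised against copies of the files first.

```shell
#!/bin/sh
# Added example: apply the SSH two-factor steps from the article in one go.
# Function names and arguments are this example's own choices.

# set_sshd_option SSHD_CONFIG KEY VALUE
# Rewrite the first "KEY ..." or "#KEY ..." line in place, drop any later
# duplicates, and if the key is absent insert it above the first Match block
# (or at the end if there is none), so it stays a global setting.
set_sshd_option() {
    _file=$1; _key=$2; _value=$3
    _tmp="$_file.tmp.$$"
    awk -v key="$_key" -v value="$_value" '
        $0 ~ ("^#?" key "[ \t]") { if (!done) { print key " " value; done = 1 }; next }
        /^Match[ \t]/ && !done   { print key " " value; done = 1 }
        { print }
        END { if (!done) print key " " value }
    ' "$_file" > "$_tmp"
    cat "$_tmp" > "$_file" && rm -f "$_tmp"   # keeps the original file's permissions
}

# ensure_pam_auth PAM_SSHD MODULE
# Prepend "auth required MODULE" so the code is asked for first, unless the
# module is already referenced. Add "nullok" after the module name yourself if
# some accounts have not enrolled yet; otherwise they are locked out.
ensure_pam_auth() {
    _file=$1; _module=$2
    if ! grep -Fq "$_module" "$_file"; then
        _tmp="$_file.tmp.$$"
        { echo "auth required $_module"; cat "$_file"; } > "$_tmp"
        cat "$_tmp" > "$_file" && rm -f "$_tmp"
    fi
}

# configure_ssh_2fa SSHD_CONFIG PAM_SSHD [require-key]
configure_ssh_2fa() {
    ensure_pam_auth "$2" pam_google_authenticator.so
    # Both spellings: ChallengeResponseAuthentication is the name the article
    # uses; OpenSSH 8.7+ renamed it KbdInteractiveAuthentication. Setting both
    # is harmless on either version.
    set_sshd_option "$1" ChallengeResponseAuthentication yes
    set_sshd_option "$1" KbdInteractiveAuthentication yes
    set_sshd_option "$1" UsePAM yes
    if [ "${3:-}" = "require-key" ]; then
        # Public keys skip PAM's auth stack; this demands a key AND the code.
        set_sshd_option "$1" AuthenticationMethods publickey,keyboard-interactive
    fi
}

# Real run only when asked for explicitly, e.g.:  sudo sh ssh-2fa.sh --apply require-key
if [ "${1:-}" = "--apply" ]; then
    set -e
    configure_ssh_2fa /etc/ssh/sshd_config /etc/pam.d/sshd "${2:-}"
    sshd -t                # syntax check: a broken config would lock you out on restart
    service ssh restart
    echo "Keep this session open and test the login from a second terminal."
fi
```

Run it as root with `--apply` (and `require-key` if you want both factors); without those arguments it only defines the functions, which is how you would test it against copies of the two files. After restarting, log in from a second terminal and confirm you are asked for "Verification code:" before the password, or, with `require-key`, that the key is checked first and the code prompt follows.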
