
How to Enable SSH 2FA on Ubuntu Server 22.04



When you open your Linux server to SSH logins, there is always the possibility that someone can break into that server and do bad things. You don’t want that, but how do you prevent it? One way is to enable two-factor authentication (2FA) on the server. Once enabled, only people with a properly generated 2FA code (along with their usual login credentials) will be granted access.

How do you set up SSH 2FA on your Ubuntu Server? I will show you.


What you need

The only thing you need to make this work is:

  • A running instance of Ubuntu Server 22.04.
  • A user with sudo privileges.

That’s it – let’s do some 2FA magic.

How to install the necessary software

The first thing to do is install a single package: Google Authenticator. This is a command-line tool that makes it possible to add 2FA to your server.

Log in to your Ubuntu instance and issue the command:

sudo apt-get install libpam-google-authenticator -y

You will then need to run the command to generate the secret key. That command is:

google-authenticator

You will be asked whether you want authentication tokens to be time-based. Type y and press Enter on your keyboard. You will then be shown a QR code that can be scanned by your 2FA app.

There is one problem to deal with: If you log directly into the terminal of the physical machine in question, you may not be able to see the full code. Your best bet is to log in via SSH, so you can resize the terminal to see the full QR code (Picture A).

Picture A

QR code (blurred) generated by google-authenticator app.

Scan the QR code with your 2FA app (such as Authy), or, if the code is too large for the app to scan, enter the secret key and press Enter. You will then be prompted to enter a code from the app so the account can be confirmed.

After confirmation, you will see the emergency codes for 2FA. Make sure to copy and save them somewhere safe, such as a password manager, and then type y when prompted to update the ~/.google_authenticator file.

Next, you will be prompted to disallow the use of the same auth token more than once. Go ahead and type y to accept this, as it can help prevent man-in-the-middle attacks. When prompted, enter y for the last question to allow a maximum time difference of 30 seconds between the auth server and the client.

You’ll also want to enable rate limiting when prompted by typing y, which limits attackers to no more than three login attempts every 30 seconds.

How to configure SSH daemon for 2FA

Now that 2FA is installed and configured, we must also configure the SSH daemon to use it. Open the SSH daemon configuration file with:

sudo nano /etc/ssh/sshd_config

First, locate the following line and make sure it is set to yes:

UsePAM yes

Next, find the following line and change no to yes:

KbdInteractiveAuthentication no

Save and close the file.

Note: In Ubuntu releases prior to 22.04, the above line would be:

ChallengeResponseAuthentication yes

Next, open the PAM configuration file with:

sudo nano /etc/pam.d/sshd

Under the @include common-auth line, add the following:

auth   required   pam_google_authenticator.so

Save and close the file.

Restart the SSH daemon with:

sudo systemctl restart sshd

Next, open a new terminal window and try to log in to the remote machine. You will first be prompted for your user password and then prompted for a 2FA code. After successfully entering the 2FA code, you will be allowed to access the server.

How to enable 2FA with SSH key authentication

If you use SSH Key Authentication (and you should), you have to take an extra step. On the server, open the SSH daemon configuration file with:

sudo nano /etc/ssh/sshd_config

At the end of that file, add the following line:

AuthenticationMethods publickey,keyboard-interactive

Save and close the file.

Restart SSH with:

sudo systemctl restart sshd

Once you have verified SSH Key Authentication works, you can disable password authentication by opening the SSH configuration with:

sudo nano /etc/ssh/sshd_config

Locate the following line:

PasswordAuthentication yes

Change it to:

PasswordAuthentication no

Restart SSH with:

sudo systemctl restart sshd

Congratulations, you have just configured Ubuntu Server 22.04 for a much more secure SSH login process. Just make sure that when you do this, you are testing through a second terminal window, so you can stay logged in to the original if there are any issues (and can revert the configuration). Enjoy that extra layer of security.
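
The settings from the steps above can be checked before you restart the SSH daemon. The script below is an added example, not part of the original article: it reads an sshd_config file and a PAM file and reports which of the article's settings are missing. The function names and the sample files are made up for illustration.

```shell
# Added example: audit the sshd and PAM settings configured in this article.
# sshd_value prints the global value of a keyword. sshd keeps the FIRST value
# it reads and matches keywords case-insensitively. Parsing stops at the first
# Match block; Include files are not followed (simplification).
sshd_value() {  # usage: sshd_value FILE KEYWORD
  awk -v kw="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
    /^[ \t]*#/             { next }
    tolower($1) == "match" { exit }
    tolower($1) == kw      { print $2; exit }' "$1"
}
# Succeeds when an uncommented auth line loads pam_google_authenticator.so.
pam_has_totp() {  # usage: pam_has_totp FILE
  grep -Eq '^[[:space:]]*auth[[:space:]]+.*pam_google_authenticator\.so' "$1"
}
expect() {  # usage: expect KEYWORD ACTUAL WANTED
  if [ "$2" = "$3" ]; then echo "ok    $1 $3"; return 0; fi
  echo "FAIL  $1 is '${2:-unset}', expected '$3'"; return 1
}

# Exit status = number of failed checks. Unset keywords count as failures
# rather than being resolved to sshd's built-in defaults.
audit_ssh_2fa() {  # usage: audit_ssh_2fa SSHD_CONFIG PAM_FILE
  fails=0
  kbd=$(sshd_value "$1" KbdInteractiveAuthentication)
  # Ubuntu releases before 22.04 use the older name for the same switch.
  [ -n "$kbd" ] || kbd=$(sshd_value "$1" ChallengeResponseAuthentication)
  expect UsePAM "$(sshd_value "$1" UsePAM)" yes || fails=$((fails + 1))
  expect KbdInteractiveAuthentication "$kbd" yes || fails=$((fails + 1))
  expect AuthenticationMethods "$(sshd_value "$1" AuthenticationMethods)" \
    publickey,keyboard-interactive || fails=$((fails + 1))
  expect PasswordAuthentication "$(sshd_value "$1" PasswordAuthentication)" \
    no || fails=$((fails + 1))
  pam_has_totp "$2" && echo "ok    pam_google_authenticator.so active" ||
    { echo "FAIL  pam_google_authenticator.so missing"; fails=$((fails + 1)); }
  return "$fails"
}

# Constructed sample files (not copied from a real server).
d=$(mktemp -d)
printf '%s\n' 'UsePAM yes' 'KbdInteractiveAuthentication no' \
  '#PasswordAuthentication yes' > "$d/before"
printf '%s\n' 'usepam yes' 'KbdInteractiveAuthentication yes' \
  'PasswordAuthentication no' 'PasswordAuthentication yes' \
  'AuthenticationMethods publickey,keyboard-interactive' > "$d/after"
printf '%s\n' 'auth required pam_google_authenticator.so' > "$d/pam_ok"
printf '%s\n' '#auth required pam_google_authenticator.so' > "$d/pam_off"
audit_ssh_2fa "$d/after" "$d/pam_ok" && echo "all checks passed"
audit_ssh_2fa "$d/before" "$d/pam_off" || echo "failed checks: $?"
```

On a live server, sudo sshd -T prints the values sshd will actually use, including anything set by files pulled in through Include, which this file-based check does not read.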
