Two factor authentication for ssh on Ubuntu server

Relying only on a password for ssh might make your server a target for brute-force password cracking. Adding two-factor authentication for ssh on your Ubuntu server makes this a lot harder for potential hackers.

Google provides a tool called Google Authenticator, which is available for both Android and iOS. This tool acts as a code generator for the two factor authentication.

Every time you log in via ssh, the server will prompt you for a code, which you read from Google Authenticator.

To install Google Authenticator, run:

 $ sudo apt-get install libpam-google-authenticator

You might get the message:

E: Couldn't find package libpam-google-authenticator

If so, you need to install Google Authenticator manually.

First create a temp folder:

 $ mkdir ~/tmp 

Go to the folder:

 $ cd ~/tmp 

Download the source from http://google-authenticator.googlecode.com/files/libpam-google-authenticator-1.0-source.tar.bz2:

 $ wget http://google-authenticator.googlecode.com/files/libpam-google-authenticator-1.0-source.tar.bz2 

Extract the source:

 $ tar -jxvf libpam-google-authenticator-1.0-source.tar.bz2 

Go to the extracted source folder:

 $ cd libpam-google-authenticator-1.0

Build the source code:

 $ sudo make

Your build might fail because of a missing pam library. If so, install the library:

 $ sudo apt-get install libpam0g-dev

Try to build the source code again:

 $ sudo make

Install the binary:

 $ sudo make install

Run Google Authenticator as your user (NOT AS ROOT):

 $ google-authenticator

Follow the on-screen instructions and note the key, verification codes and emergency keycodes.

Install Google Authenticator on your smartphone and create a new account using your key.

Open your pam.d config:

 $ sudo nano /etc/pam.d/sshd 

Add the following line:

auth required pam_google_authenticator.so

Open your sshd_config and change ChallengeResponseAuthentication from no to yes:

 ChallengeResponseAuthentication yes

Restart your sshd:

 $ sudo service ssh restart

You should now be prompted for a verification code when you try to log in with ssh.
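
A check for the two configuration changes made above, as an added example that is not part of the original tutorial. The function names are illustrative and the sample files are constructed; it catches a commented-out PAM line and an earlier `no` that overrides a later `yes`.

```shell
#!/bin/sh
# Added example: audit the two settings changed in this guide.
# File paths are arguments, so the check also runs against copies.

# Succeeds if FILE has an uncommented auth line loading the module.
pam_has_ga() {
    grep -Eq '^[[:space:]]*auth[[:space:]]+[^#]*pam_google_authenticator\.so' "$1"
}

# Prints the global value of KEYWORD in an sshd_config-style FILE.
# sshd keeps the first value it reads for a keyword, keywords are
# case-insensitive, and lines after "Match" are conditional.
sshd_value() {
    awk -v key="$2" '
        $1 ~ /^#/ { next }
        tolower($1) == "match" { exit }
        tolower($1) == tolower(key) { print $2; exit }
    ' "$1"
}

# Prints one finding per file; returns 0 only if both settings are active.
check_2fa() {
    rc=0
    if pam_has_ga "$1"; then
        echo "OK   $1: pam_google_authenticator.so is active"
    else
        echo "FAIL $1: no active pam_google_authenticator.so auth line"
        rc=1
    fi
    val=$(sshd_value "$2" ChallengeResponseAuthentication)
    if [ "$val" = "yes" ]; then
        echo "OK   $2: ChallengeResponseAuthentication yes"
    else
        echo "FAIL $2: ChallengeResponseAuthentication is '${val:-not set}'"
        rc=1
    fi
    return "$rc"
}

# Constructed sample files (not real system config): one pass, one fail.
tmp=$(mktemp -d)
printf 'auth required pam_google_authenticator.so\n' > "$tmp/pam_ok"
printf '#auth required pam_google_authenticator.so\n' > "$tmp/pam_off"
printf 'ChallengeResponseAuthentication yes\n' > "$tmp/sshd_ok"
printf 'ChallengeResponseAuthentication no\nChallengeResponseAuthentication yes\n' > "$tmp/sshd_first_no"
check_2fa "$tmp/pam_ok" "$tmp/sshd_ok"
check_2fa "$tmp/pam_off" "$tmp/sshd_first_no" || echo "second pair fails, as constructed"
rm -rf "$tmp"
```

On the server itself, call `check_2fa /etc/pam.d/sshd /etc/ssh/sshd_config`, and keep an existing ssh session open while you test a new login.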
