Last active
June 7, 2020 15:19
# Install fail2ban (ratelimit auth) and google auth (MFA)
sudo apt install fail2ban libpam-google-authenticator

# Setup MFA:
google-authenticator
# I'm using: y, y, n, n, y

Add `auth required pam_google_authenticator.so` to the end of `/etc/pam.d/sshd`.

Also comment out `@include common-auth` after doing the steps below.

In `/etc/ssh/sshd_config`:

* set `ChallengeResponseAuthentication yes`
* add `AuthenticationMethods publickey,password publickey,keyboard-interactive`

## Stuff to keep in mind

If your home folder is encrypted (i.e. per-user encrypted folders, not full-disk encryption), the folder must be decrypted before the PAM module tries to read `~/.google_authenticator`, or you need to move the MFA secret.

If you are rolling out MFA on a system with multiple users, you probably want to use `auth required pam_google_authenticator.so nullok` until everyone uses MFA.
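
A quick audit of the two edited files, as an added example that is not part of the original gist: it flags any `AuthenticationMethods` alternative that needs only one factor, a `nullok` left over from the rollout, and a still-active `@include common-auth`. The function names (`sshd_value`, `audit_mfa`, `write_samples`) and the sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the gist): audit copies of the two files edited above.
# Simplification: Include files and Match blocks in sshd_config are not followed.

# First value of a keyword; sshd uses the first occurrence it reads.
sshd_value() {  # $1=file $2=keyword
    awk -v k="$2" 'tolower($1) == tolower(k) { $1 = ""; sub(/^ +/, ""); print; exit }' "$1"
}

# Print one FINDING line per problem; return 0 if none, 1 otherwise.
audit_mfa() {  # $1=sshd_config path  $2=pam.d/sshd path
    n=0
    finding() { echo "FINDING: $*"; n=$((n + 1)); }
    cr=$(sshd_value "$1" ChallengeResponseAuthentication)
    [ "$cr" = yes ] || finding "ChallengeResponseAuthentication is '${cr:-unset}', want yes"
    am=$(sshd_value "$1" AuthenticationMethods)
    [ -n "$am" ] || finding "AuthenticationMethods unset: one factor is enough to log in"
    for list in $am; do  # space-separated alternatives, each a comma-separated chain
        case $list in
            *,*) ;;
            *) finding "AuthenticationMethods alternative '$list' is single-factor" ;;
        esac
    done
    gauth=$(grep -E '^[[:space:]]*auth[[:space:]].*pam_google_authenticator\.so' "$2" || true)
    [ -n "$gauth" ] || finding "no active pam_google_authenticator.so auth line"
    case $gauth in
        *nullok*) finding "nullok set: users without ~/.google_authenticator skip the code" ;;
    esac
    if grep -Eq '^[[:space:]]*@include[[:space:]]+common-auth' "$2"; then
        finding "@include common-auth is still active"
    fi
    [ "$n" -eq 0 ]
}

# Constructed sample files: the gist's end state and the nullok rollout variant.
write_samples() {  # $1=directory
    printf '%s\n' 'ChallengeResponseAuthentication yes' \
        'AuthenticationMethods publickey,password publickey,keyboard-interactive' \
        > "$1/sshd_config"
    printf '%s\n' '#@include common-auth' \
        'auth required pam_google_authenticator.so' > "$1/pam_done"
    printf '%s\n' '@include common-auth' \
        'auth required pam_google_authenticator.so nullok' > "$1/pam_rollout"
}

d=$(mktemp -d) && write_samples "$d"
audit_mfa "$d/sshd_config" "$d/pam_done" && echo "pam_done: OK"
audit_mfa "$d/sshd_config" "$d/pam_rollout" || echo "pam_rollout: see findings above"
rm -rf "$d"
```

On a live host, `sudo sshd -T` prints the effective configuration and is the better input, since it also covers hosts where the keyboard-interactive setting is written under its newer name `KbdInteractiveAuthentication`.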