SSH, the Secure Shell, is often used to access remote Linux systems. Because we often use it to connect to machines holding important data, it's recommended to add another security layer: two-factor authentication (2FA).
Multi-factor authentication is a method of confirming your identity using at least two different ways of authenticating. The most common and easiest to implement form of two-factor authentication combines a passphrase (a complex password, often made of several words) with a one-time passcode generated by a dedicated mobile app.
Install the Google Authenticator PAM module.
$ sudo apt install libpam-google-authenticator
To make SSH use the Google Authenticator PAM module, add the following line to the /etc/pam.d/sshd file.
auth required pam_google_authenticator.so
Reload SSH.
$ sudo systemctl restart sshd.service
Modify /etc/ssh/sshd_config like below.
# Change to yes to enable challenge-response passwords (beware issues with
# some PAM modules and threads)
ChallengeResponseAuthentication yes
# Change to no to disable tunnelled clear text passwords
#PasswordAuthentication yes
The SSH configuration is now complete. Next we'll configure the Google Authenticator app.
From a terminal, run
$ google-authenticator
It will ask you a series of questions; here is a recommended configuration:
- Make tokens "time-based": yes
- Update the .google_authenticator file: yes
- Disallow multiple uses: yes
- Increase the original generation time limit: no
- Enable rate-limiting: yes
You may have noticed the giant QR code that appeared during the process; underneath it are your emergency scratch codes, to be used if you don't have access to your phone: write them down on paper and keep them in a safe place.
That's all. Open Google Authenticator and scan your giant QR code.
Also, reload SSH one more time.
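To show what the PAM module actually verifies at login (time-based tokens, the scratch codes, and the options written by google-authenticator), here is an added example that is not part of the original post and not the module's own code: it parses a constructed .google_authenticator file and checks a submitted code the way RFC 6238 TOTP does (6 digits, 30-second step, HMAC-SHA1). The file layout, the one-step clock-skew window and the sample secret (the RFC 4226 test key) are assumptions made for this illustration.

```python
"""Added example: a read-only model of the checks pam_google_authenticator performs.
Not the module's code; the file layout and window size are assumptions."""
import base64
import hashlib
import hmac
import struct
import time

# Constructed sample ~/.google_authenticator file (assumed layout): line 1 is the
# base32 secret, lines starting with '" ' are options written by the
# google-authenticator setup tool, and the 8-digit lines are emergency scratch
# codes. The secret is the RFC 4226 test key, not a real one.
SAMPLE_FILE = """\
GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ
" RATE_LIMIT 3 30
" DISALLOW_REUSE
" TOTP_AUTH
11111111
22222222
"""

def parse_authenticator_file(text):
    """Return (secret_bytes, option_strings, scratch_codes)."""
    lines = [line.strip() for line in text.splitlines() if line.strip()]
    secret = base64.b32decode(lines[0])
    options = [line[2:] for line in lines[1:] if line.startswith('" ')]
    scratch = [line for line in lines[1:] if line.isdigit() and len(line) == 8]
    return secret, options, scratch

def hotp(secret, counter, digits=6):
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def totp(secret, at_time, step=30):
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    return hotp(secret, int(at_time) // step)

def verify(text, submitted, at_time=None, window=1):
    """Return 'totp', 'scratch' or None. window=1 accepts one 30 s step of clock
    skew on either side (an assumed default; the real module's window is configurable)."""
    secret, _options, scratch = parse_authenticator_file(text)
    now = time.time() if at_time is None else at_time
    counter = int(now) // 30
    for c in range(counter - window, counter + window + 1):
        if hmac.compare_digest(hotp(secret, c), submitted):
            return "totp"
    if submitted in scratch:  # the real module removes a used scratch code from the file
        return "scratch"
    return None
```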
To disable everything you just did, just remove auth required pam_google_authenticator.so from /etc/pam.d/sshd and... you guessed it, reload SSH.