Secure SSH using two-factor authentication on Ubuntu 16.04

In this tutorial, we will describe the necessary steps to configure two-factor authentication (2FA) using Google authenticator on an Ubuntu 16.04 VPS. This application includes implementations of one-time passcode generators for several mobile platforms. This method adds another layer of protection to your server adding an extra step to the basic login procedure.

Table of Contents

1. Login via SSH

ssh root@IP_Address

2. Update the System Packages

Update all installed packages:

apt-get update && apt-get upgrade

3. Install Google Authenticator

Install the Google Authenticator package.

apt-get install libpam-google-authenticator

Once the package is installed, run the google-authenticator program to create a key for the user you will be logging with. The program can generate two types of authentication tokens – time-based and one-time tokens. Time-based passwords will change randomly at a certain amount of time, and one-time passwords are valid for a single authentication.

4. Run Google Authenticator

In our case, we will use time-based passwords. Run the program to create the keys

google-authenticator

You will be asked if you want the authentication to be time-based.

Do you want authentication tokens to be time-based (y/n) y

Big QR code will be generated in your terminal. You can scan the code with the authenticator application on your Android/iOS/Windows phone or tablet or enter the secret key generated on the screen.

Emergency scratch codes will also be generated. You can use these codes for authentication in case you lose your mobile device.

Your emergency scratch codes are:
80463533
68335920
89221348
12489672
11144603

Save the authentication settings for the root user by answering YES to the next question

Do you want me to update your "/root/.google_authenticator" file (y/n) y

5. Configure the Authenticator to Generate One-Time Passwords.

Next, you can configure the authenticator to generate one-time passwords. Since they last 30 seconds, all generated passwords can be used once.

Do you want to disallow multiple uses of the same authentication
token? This restricts you to one login about every 30s, but it increases
your chances to notice or even prevent man-in-the-middle attacks (y/n) y

You can use the next setting if you have time syncing issues across your devices, so we will not use this option

By default, tokens are good for 30 seconds and in order to compensate for
possible time-skew between the client and the server, we allow an extra
token before and after the current time. If you experience problems with poor
time synchronization, you can increase the window from its default
size of 1:30min to about 4min. Do you want to do so (y/n) n

The next setting prevents brute-force attacks. You will only have three chances per 30 seconds to enter the correct password.

If the computer that you are logging into isn't hardened against brute-force
login attempts, you can enable rate-limiting for the authentication module.
By default, this limits attackers to no more than 3 login attempts every 30s.
Do you want to enable rate-limiting (y/n) y

Now we have the Google Authenticator application configured and the next step is to configure the authentication settings in openSSH. To do so, open the “/etc/pam.d/sshd” file and add the following line to the end of the file:

# vim /etc/pam.d/sshd

auth required pam_google_authenticator.so

Save the changes, and open the “/etc/ssh/sshd_config” file and enable Challenge Response Authentication.

# vim /etc/ssh/sshd_config

ChallengeResponseAuthentication yes

6. Restart SSH Server

Save the file, and restart the SSH server for the changes to take effect.

systemctl restart ssh

If you closely followed this tutorial, two-factor authentication is enabled on your server and every time you try to login to your Ubuntu VPS via SSH you will have to enter your user’s password and the verification code generated by Google Authentication application on your mobile device.

Of course, you don’t have to secure SSH using two-factor authentication on Ubuntu 16.04, if you use one of our Linux VPS Hosting services, in which case you can simply ask our expert Linux admins to secure SSH using two-factor authentication on Ubuntu 16.04. They are available 24×7 and will take care of your request immediately.

PS. If you liked this post on how to secure SSH using two-factor authentication on Ubuntu 16.04, please share it with your friends on the social networks using the buttons below or leave a reply in the comments section. Thanks.

A new version is available here: Set Up Multi-Factor Authentication for SSH on Ubuntu 20.04.

5 thoughts on “Secure SSH using two-factor authentication on Ubuntu 16.04”

Hector

April 21, 2017 at 10:24 am

Can this be implemented for any server or does it have to be a VPS? Thanks.
- admin
  
  April 22, 2017 at 12:48 am
  
  You can implement two-factor authentication on any server.
Benjamin

April 25, 2017 at 4:41 am

Please continue this great work and I look forward to more of your awesome blog posts.
meepmeep

May 8, 2017 at 3:05 pm

Is it possible to enable 2FA only for specific user / group on the server ?
- admin
  
  May 9, 2017 at 1:19 am
  
  Edit the /etc/ssh/sshd_config SSH configuration and add:
  
  UsePAM yes
  AuthenticationMethods publickey,password publickey,keyboard-interactive
  
  Edit the /etc/pam.d/sshd PAM configuration file and comment out the @include common-auth line:
  
  # Standard Un*x authentication.
  #@include common-auth
  
  Then add/modify the following lines:
  
  # Standard Un*x password updating.
  @include common-password
  auth required pam_google_authenticator.so nullok
  
  Restart SSH for the changes to take effect.
  
  Run google-authenticator as any users that need 2FA, and don’t run it for users where only SSH keys will be used.