Setting up 2FA using GoogleAuthenticator for SSH Access – Ubuntu

To get you up and running with a Virtual Server to set this up on please check out the following post:

Deploying a Virtual Machine on Piggybank’s cloud platform – The ultimate guide

Easy 2FA for your server

Setting up 2FA is usually a long process however if you just want something for a server or two here is a good way to get started.

Google Authenticator is free, so we can simply plug it into SSH via PAM.

First update the apt repositories

sudo apt-get update

Install the Package using apt-get

sudo apt-get install libpam-google-authenticator

Edit the ssh daemon PAM file

We will add the .so file, which is a shared object file: essentially a compiled binary, a bit like a Windows DLL.

sudo nano /etc/pam.d/sshd

Add the following to the file

auth required pam_google_authenticator.so

Edit the sshd config file

This is the SSH config file for our virtual server. We need to allow ChallengeResponseAuthentication; this lets the server ask us for a code: we enter our password, then the server can request more, so it challenges the user.

sudo nano /etc/ssh/sshd_config

Find the line:

ChallengeResponseAuthentication no

and change to

ChallengeResponseAuthentication yes

Uncomment the line if need be (i.e. if it is commented out, delete the #).

Restart the SSH server

Now that we have made changes we need to restart the SSH daemon/service; this ensures the new config is applied.

sudo service ssh restart
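The PAM and sshd_config edits above are the kind of change that gets repeated on every server, and the commented-out case is easy to get wrong by hand. The script below is an added example, not part of the original post: it applies both edits to files whose paths you pass in, so it can be dry-run on copies before touching /etc, and it handles the three states you meet in practice (directive set to no, directive commented out, directive absent). The sample file contents are constructed for the demo.

```python
import re
import tempfile
from pathlib import Path

# The exact line the guide adds to /etc/pam.d/sshd.
PAM_LINE = "auth required pam_google_authenticator.so"

# Matches the directive whether active ("ChallengeResponseAuthentication no")
# or commented out ("#ChallengeResponseAuthentication no"). [ \t]* rather than
# \s* so a preceding blank line is never swallowed into the match.
CRA_RE = re.compile(r"^[ \t]*#?[ \t]*ChallengeResponseAuthentication\b.*$", re.MULTILINE)


def enable_challenge_response(text: str) -> str:
    """Return sshd_config text with ChallengeResponseAuthentication set to yes.

    Covers the directive set to no, present but commented out, or absent
    (then it is appended). sshd honours the first occurrence of a directive,
    so every occurrence is rewritten, not only the first.
    """
    if CRA_RE.search(text):
        return CRA_RE.sub("ChallengeResponseAuthentication yes", text)
    body = text.rstrip("\n")
    return (body + "\n" if body else "") + "ChallengeResponseAuthentication yes\n"


def ensure_pam_line(text: str) -> str:
    """Return /etc/pam.d/sshd text containing the authenticator line exactly once.

    A line already present with extra options (e.g. "... nullok") counts as
    present; a commented-out copy ("#auth ...") does not.
    """
    for line in text.splitlines():
        if line.split()[:3] == PAM_LINE.split():
            return text
    body = text.rstrip("\n")
    return (body + "\n" if body else "") + PAM_LINE + "\n"


def apply(sshd_config: Path, pam_sshd: Path) -> bool:
    """Rewrite both files in place; return True if either changed (i.e. sshd needs a restart)."""
    changed = False
    for path, transform in ((sshd_config, enable_challenge_response), (pam_sshd, ensure_pam_line)):
        old = path.read_text()
        new = transform(old)
        if new != old:
            path.write_text(new)
            changed = True
    return changed


# Constructed sample contents standing in for /etc/ssh/sshd_config and /etc/pam.d/sshd.
SAMPLE_SSHD_CONFIG = "Port 22\n#ChallengeResponseAuthentication no\nUsePAM yes\n"
SAMPLE_PAM_SSHD = "@include common-auth\naccount required pam_nologin.so\n"


def demo():
    """Dry run on copies in a temp dir; returns (changed_first_run, changed_second_run, sshd_config, pam_sshd)."""
    with tempfile.TemporaryDirectory() as tmp:
        cfg, pam = Path(tmp, "sshd_config"), Path(tmp, "sshd")
        cfg.write_text(SAMPLE_SSHD_CONFIG)
        pam.write_text(SAMPLE_PAM_SSHD)
        first = apply(cfg, pam)
        second = apply(cfg, pam)  # idempotent: nothing left to change
        return first, second, cfg.read_text(), pam.read_text()


if __name__ == "__main__":
    first, second, cfg_text, pam_text = demo()
    print("changed on first run:", first, "| on second run:", second)
    print(cfg_text)
    print(pam_text)
    # On the real host (as root): apply(Path("/etc/ssh/sshd_config"), Path("/etc/pam.d/sshd"))
    # and then restart ssh exactly as the guide does.
```

Two things to check before relying on this on a real host: the PAM line as written refuses logins for any account that has not yet run google-authenticator (the module's nullok option relaxes that), and a login with an SSH key skips keyboard-interactive/PAM authentication entirely unless sshd_config sets AuthenticationMethods to require both (for example publickey,keyboard-interactive). UsePAM must also be yes, which is the Ubuntu default. On OpenSSH 8.7 and later the directive is named KbdInteractiveAuthentication, with ChallengeResponseAuthentication kept as a deprecated alias.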

Generate an OTP (one time password) account

Now we need to create the seed, which will generate the same OTP on the server and on the client.

Login as the user and run:

google-authenticator

If you need to change user, e.g. because you are root, then run

su SOMEUSER

This will change you to that user.

Now we can import the Google Authenticator account onto our device. It's a soft token, so it's all done via software: simply download the app from the Android marketplace or the iOS App Store and click import. You can just scan the QR code you see on your screen, and you will see it simply keeps generating one time passwords.

Enter Yes to all and note the scratch codes, or copy and paste the link.
Once the link has been pasted into a browser it will show a QR code.
Scan this with your Google Authenticator app.
Or add it using the scratch codes (there's a PC based app).

Login

Now that you have set up your OTP and the app, when you log in as that user the challenge response will kick in: it will ask for your OTP once you have entered a valid username and password.

Enter your username
Your UNIX password
Your OTP from your app.

Done…

All done: a very simple way of securing access. Don't lose your token, and ideally this is only good for the odd few accounts on a server; the better way to do this would be a full 2FA solution, which we will cover next.