Enable SSH 2-Factor Authentication on Ubuntu Server 22.04

Posted
Comments 0

Learn how to install Google Authenticator to enable 2FA on Ubuntu server edition 22.04

Today I’ll show you how to install Google Authenticator to enable 2-Factor Authentication (2FA) for SSH on Ubuntu Server 22.04. Enabling 2-Factor Authentication drastically increases security on your Ubuntu server because even if your username and password are compromised, a hacker would still need to access your phone to login to your server.

Contents

Prerequisites

  • You will need a mobile phone with Google Authenticator installed (see iPhone or Android )
  • You will need either root access, or a user with sudo privileges on your Ubuntu server (see initial server setup guide)

Install Google Authenticator

Let’s begin by installing the Google Authenticator package:

sudo apt install libpam-google-authenticator -y

Let’s run the Google Authenticator app to generate a QR code (note* do not use sudo for this command otherwise it will be setup for root instead of your current user):

google-authenticator
Scan the generated QR code

I recommend you answer the questions as follows:

  • Do you want authentication tokens to be time-based? – Yes
  • Go ahead and scan the QR code (tap the Plus + icon, then tap Scan QR Code), then enter the newest code on your Authenticator phone app, then ENTER
  • Note down your emergency scratch codes
  • Do you want me to update your ‘/home/username/.google_authenticator’ file? – Yes
  • Do you want to disallow multiple uses of the same authentication token? – Yes
  • For the extend time in order to compensate for possible time-skew question – Yes or No (up to you)
  • Do you want to enable rate-limiting? – Yes

Enable the SSH Daemon for 2FA

Now we configure your SSH daemon to work with 2FA and the Google Authenticator package. Open your SSH configuration file:

sudo nano /etc/ssh/sshd_config

Change the following two options to yes:

KbdInteractiveAuthentication yes
UsePAM yes
Enable options in ssh config

Then save ctrl + o, ENTER and exit nano ctrl + x.

We also need edit the PAM configuration file and add Google Authenticator:

sudo nano /etc/pam.d/sshd

Then just after the @include common-auth add the following line:

auth required pam_google_authenticator.so
Add the Google Authenticator line to PAM file

Then save ctrl + o, ENTER and exit nano ctrl + x.

Finally, we restart the SSHD service:

sudo systemctl restart sshd

Test 2-Factor Authentication

Open your SSH client (i.e. PuTTY) and login with username, password, then enter the code on your Google Authenticator app.

Test 2FA

Conclusion

You should now have 2-Factor Authentication enabled on your Ubuntu server using the Google Authenticator app. If you had any trouble, hit me up in the comments or socials/email, and don’t forget my Newsletter Sign Up for all the latest tutorials delivered to your inbox.

See Also

Further Reading

Author
Categories Ubuntu, Firewalls & Security

Comments

There are currently no comments on this article.

Comment

Enter your comment below. Fields marked * are required. You must preview your comment before submitting it.