
If systems are already using passwords for SSH authentication, one way to increase security for users without immediately switching to public-key authentication is to add 2FA. Implementing Google Authenticator for SSH authentication adds an extra layer of security to your server environment. Google Authenticator generates time-based one-time passwords (TOTPs) that are only valid for a short period, typically 30 seconds. This means that even if an attacker obtains a user's password, they would still need access to the user's mobile device, where the authenticator app is installed, to generate the correct code. Enabling Google Authenticator therefore significantly improves the security posture of your SSH server.
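To make "time-based" concrete, the following is an added illustration (not part of this page's instructions, and not the code of the Google Authenticator project) of HOTP (RFC 4226) and TOTP (RFC 6238) in POSIX sh, using openssl for the HMAC-SHA1. The key is passed as hex; the secret that google-authenticator writes to ~/.google_authenticator is the same kind of key, stored base32-encoded. The RFC test key is used so the printed values can be compared with the RFC tables.

```shell
#!/bin/sh
# HOTP (RFC 4226) / TOTP (RFC 6238) in POSIX sh. Added example, not from the
# original page: shows why a code is only valid for one 30-second step.

# Emit the 8-byte big-endian moving factor (the counter) as raw bytes.
# Octal escapes are built first so this works in dash as well as bash.
# $1 = counter (decimal)
counter_bytes() {
    c=$1
    escapes=""
    i=7
    while [ "$i" -ge 0 ]; do
        byte=$(( (c >> (8 * i)) & 255 ))
        escapes="$escapes$(printf '\\%03o' "$byte")"
        i=$((i - 1))
    done
    printf "$escapes"
}

# HOTP: HMAC-SHA1(key, counter) -> dynamic truncation -> mod 10^digits.
# $1 = key as hex, $2 = counter, $3 = digits (Google Authenticator uses 6)
hotp() {
    key_hex=$1
    counter=$2
    digits=$3
    # 40 hex chars of HMAC-SHA1; sed strips the "(stdin)= " prefix openssl prints.
    mac=$(counter_bytes "$counter" | openssl dgst -sha1 -mac HMAC -macopt "hexkey:$key_hex" | sed 's/^.*= *//')
    # Dynamic truncation: the low nibble of the last byte selects a 4-byte window.
    last=$(printf '%s' "$mac" | cut -c 40)
    offset=$((0x$last))
    start=$((2 * offset + 1))
    window=$(printf '%s' "$mac" | cut -c "${start}-$((start + 7))")
    # 10^digits without the non-POSIX ** operator.
    mod=1
    n=$digits
    while [ "$n" -gt 0 ]; do
        mod=$((mod * 10))
        n=$((n - 1))
    done
    code=$(( (0x$window & 0x7fffffff) % mod ))
    printf "%0${digits}d\n" "$code"
}

# TOTP: the counter is the number of 30-second steps since the Unix epoch, so the
# same key yields a new code every step (plus whatever skew window the server allows).
# $1 = key as hex, $2 = Unix time in seconds
totp_at() {
    hotp "$1" $(( $2 / 30 )) 6
}

totp_now() {
    totp_at "$1" "$(date +%s)"
}

# RFC 4226/6238 test key: ASCII "12345678901234567890" as hex. Not a real secret.
RFC_KEY=3132333435363738393031323334353637383930
echo "counter 0 (HOTP): $(hotp "$RFC_KEY" 0 6)   RFC 4226 table: 755224"
echo "t=59  (TOTP):     $(totp_at "$RFC_KEY" 59)   RFC 6238 table: 287082 (6 digits)"
echo "t=60  (TOTP):     $(totp_at "$RFC_KEY" 60)   next 30 s step, RFC 4226 counter 2: 359152"
echo "now   (TOTP):     $(totp_now "$RFC_KEY")"
```

The app on the phone and pam_google_authenticator on the server each run this computation independently from the shared secret and the current time, which is why the two clocks need to agree and why the "time skew" prompt during enrolment matters.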


The following setup instructions use an Ubuntu server as the example configuration.


  • Install the Google Authenticator PAM module


sudo apt-get install libpam-google-authenticator -y


  • Generate authentication tokens: token generation has to be done separately for each user on the system. Run the following command as the user whose 2FA token is being generated.


google-authenticator


  • You will be prompted with several questions. Read the description for each carefully to customize your desired settings. Here is a breakdown of the recommended defaults.
    • Do you want authentication tokens to be time-based? Enter y for yes.
    • Do you want me to update your "username/.google_authenticator" file? Enter y for yes.
    • Do you want to disallow multiple uses of the same authentication token? Enter y for yes.
    • Do you want to do so? (This is the prompt asking whether to widen the allowed time-skew window beyond the default.) Enter n for no.
    • Do you want to enable rate-limiting? Enter y for yes.
  • During the above process the system prints a QR code and the token string to the console. The user can scan the QR code with an authenticator application such as Google Authenticator or Authy. Alternatively, add a new account in the authenticator app and enter the token string manually.


  • Configure SSH: edit the SSH configuration file /etc/ssh/sshd_config. You can use any text editor, for example


sudo vi /etc/ssh/sshd_config


    • Make sure the following settings are configured:
      • ChallengeResponseAuthentication should be set to yes. On newer SSH versions this keyword is KbdInteractiveAuthentication.
      • PubkeyAuthentication should be set to no.
        • If PubkeyAuthentication is left at yes, public key authentication takes priority and bypasses the 2FA prompt.
      • These settings ensure that Google Authenticator is used for SSH authentication and that public key authentication is disabled.


  • Update the PAM configuration: edit the PAM configuration file for SSH, /etc/pam.d/sshd. You can use any text editor, for example


sudo vi /etc/pam.d/sshd


    • Add the following line to the file:
auth   required   pam_google_authenticator.so


  • Restart SSH Service


sudo systemctl restart sshd


With these steps, Google Authenticator is set up for SSH: the server will prompt for the user's password and then for the 2FA token on login.
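Because an sshd restart with a wrong combination of these settings can lock out every user, a practitioner will want to verify the files before restarting. The script below is an added example (not part of this page and not from the Google Authenticator or OpenSSH projects): it checks an sshd_config and a pam.d/sshd file for the settings listed above and, going one step beyond the page's list, also requires UsePAM yes, since the PAM module is never consulted without it. The sample "before" and "after" files it creates are constructed for the demonstration; the function names are this example's own.

```shell
#!/bin/sh
# Pre-restart check for the sshd + PAM settings described on this page.
# Added example, not the page's own instructions.
# Usage: check_ssh_2fa_config <sshd_config> <pam.d/sshd file>
# Returns 0 when every required setting is present, 1 otherwise.

# Print the effective value of one sshd_config keyword, lowercased, or nothing
# when it is absent. sshd honours the FIRST uncommented occurrence, so stop at
# the first hit; also stop at the first "Match" block, whose directives are
# conditional and not part of the global configuration.
sshd_option() {
    awk -v key="$2" '
        /^[[:space:]]*#/ || NF < 2  { next }
        tolower($1) == "match"      { exit }
        tolower($1) == tolower(key) { print tolower($2); exit }
    ' "$1"
}

# True when the PAM file has an active (uncommented) line loading
# pam_google_authenticator.so as a required or requisite auth module.
pam_has_google_auth() {
    grep -Eq '^[[:space:]]*auth[[:space:]]+(required|requisite)[[:space:]]+pam_google_authenticator\.so' "$1"
}

check_ssh_2fa_config() {
    sshd_cfg=$1
    pam_cfg=$2
    rc=0

    cra=$(sshd_option "$sshd_cfg" ChallengeResponseAuthentication)
    kbd=$(sshd_option "$sshd_cfg" KbdInteractiveAuthentication)
    pub=$(sshd_option "$sshd_cfg" PubkeyAuthentication)
    pam=$(sshd_option "$sshd_cfg" UsePAM)

    # Either spelling of the keyword is acceptable; one of them must be yes.
    if [ "$cra" = yes ] || [ "$kbd" = yes ]; then
        echo "ok:   challenge-response / keyboard-interactive authentication is enabled"
    else
        echo "FAIL: set ChallengeResponseAuthentication yes (KbdInteractiveAuthentication yes on newer OpenSSH)"
        rc=1
    fi

    # Unset means the sshd default (yes), which would bypass the 2FA prompt.
    if [ "$pub" = no ]; then
        echo "ok:   PubkeyAuthentication no"
    else
        echo "FAIL: PubkeyAuthentication is '${pub:-unset, defaults to yes}'; set it to no"
        rc=1
    fi

    # Without UsePAM yes the PAM stack, and so pam_google_authenticator, never runs.
    if [ "$pam" = yes ]; then
        echo "ok:   UsePAM yes"
    else
        echo "FAIL: UsePAM is '${pam:-unset}'; set it to yes"
        rc=1
    fi

    if pam_has_google_auth "$pam_cfg"; then
        echo "ok:   pam_google_authenticator.so is required in $pam_cfg"
    else
        echo "FAIL: add 'auth required pam_google_authenticator.so' to $pam_cfg"
        rc=1
    fi

    return $rc
}

# Constructed sample files for a stand-alone demonstration (not copied from a server).
make_sample_configs() {
    dir=$1
    # Ubuntu-style defaults before the steps on this page.
    cat > "$dir/sshd_config.before" <<'EOF'
Include /etc/ssh/sshd_config.d/*.conf
#PubkeyAuthentication yes
KbdInteractiveAuthentication no
UsePAM yes
EOF
    printf '@include common-auth\n' > "$dir/pam_sshd.before"
    # The same files after the edits described above.
    cat > "$dir/sshd_config.after" <<'EOF'
Include /etc/ssh/sshd_config.d/*.conf
PubkeyAuthentication no
KbdInteractiveAuthentication yes
UsePAM yes
EOF
    printf '@include common-auth\nauth   required   pam_google_authenticator.so\n' > "$dir/pam_sshd.after"
}

demo_dir=$(mktemp -d)
make_sample_configs "$demo_dir"
echo "== before the steps (expected: FAIL lines) =="
check_ssh_2fa_config "$demo_dir/sshd_config.before" "$demo_dir/pam_sshd.before" || true
echo "== after the steps (expected: all ok) =="
check_ssh_2fa_config "$demo_dir/sshd_config.after" "$demo_dir/pam_sshd.after"
rm -rf "$demo_dir"
```

On a live server, run the check against the effective configuration rather than the raw file, since Ubuntu's sshd_config begins with an Include of /etc/ssh/sshd_config.d/*.conf and a drop-in there takes precedence: sudo sshd -T > /tmp/effective.conf, then check_ssh_2fa_config /tmp/effective.conf /etc/pam.d/sshd. The lowercased keyword/value lines that sshd -T prints are matched by the same function. Keep an existing SSH session open while restarting sshd so a mistake can still be corrected.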
