How To Enable Multi-factor Authentication in SSH

Multi-factor authentication (MFA) is a secure way to log into SSH. With MFA, the user needs to provide a password as well as another piece of authentication to log in securely. Typically, this is a one-time authentication code received on a mobile phone via text, or generated by a mobile app. In this article, we will look at how to enable multi-factor authentication in SSH.



Here are the steps to enable two-factor authentication in SSH in Ubuntu. As mentioned earlier, multi-factor authentication requires a one-time passcode in addition to the user password. We will use the Google Authenticator app for passcode generation. It can be installed via the Play Store and the App Store.


1. Install Pre-requisites

Open a terminal and run the following command to download and install the Google Authenticator PAM module.

$ sudo apt install libpam-google-authenticator

To ensure that SSH uses the Google Authenticator module, add the following line to the /etc/pam.d/sshd file:

auth required pam_google_authenticator.so

Restart the SSH service to apply the changes:

$ sudo systemctl restart sshd.service

Open /etc/ssh/sshd_config

$ sudo vi /etc/ssh/sshd_config

Change ChallengeResponseAuthentication from no to yes

# Change to yes to enable challenge-response passwords (beware issues with
# some PAM modules and threads)
ChallengeResponseAuthentication yes # CHANGE THIS TO YES


2. Configure Authentication

Run the google-authenticator command in a terminal:

$ google-authenticator

The app will ask you a series of questions. Here are the recommended responses.

Make tokens "time-based": yes
Update the .google_authenticator file: yes
Disallow multiple uses: yes
Increase the original generation time limit: no
Enable rate-limiting: yes

During the process you will see a large QR code, a secret key, a verification code, and a list of emergency scratch codes to be used in case you are unable to access your phone.

Please note them down and keep them handy, but store them securely: anyone who has the secret key or a scratch code can satisfy the second factor.


3. Add secret to Google Authenticator

Open the Google Authenticator app on your mobile. Click on the plus sign.

You will see two options

  1. Scan a barcode
  2. Enter a provided key

If you select option 1, you will be asked to scan the barcode obtained in step 2, using your phone camera.

If you select option 2, you will be asked to enter the secret key that you received in step 2.

Also enter a name to recognize this 2FA method for SSH. This is because Google Authenticator can be used to set up 2FA for other services as well.

Save the changes.



4. Verify 2FA

Log into SSH. You will be asked to enter your password, as well as a passcode that you generate in the Google Authenticator mobile app. You can generate the passcode by opening the app and clicking the 2FA method you saved in step 3.
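
Before logging out of your current session, you can confirm that both server-side settings from step 1 are active. The script below is an added example, not part of the original article; the function names are made up for illustration, and the sample files it creates are constructed.

```shell
#!/bin/sh
# Added example: verify the two settings from step 1 in the given files.

# True if FILE has an active (uncommented) "auth required pam_google_authenticator.so" line.
pam_has_totp() {
    grep -Eq '^[[:space:]]*auth[[:space:]]+required[[:space:]]+pam_google_authenticator\.so([[:space:]]|$)' "$1"
}

# Print the value FILE sets for challenge-response authentication.
# sshd keeps the first occurrence of a keyword and ignores keyword case.
# KbdInteractiveAuthentication is the newer OpenSSH name for the same option.
# Handles the plain "Keyword value" form only; Match blocks are not evaluated.
challenge_setting() {
    awk '{ k = tolower($1) }
         k == "challengeresponseauthentication" || k == "kbdinteractiveauthentication" {
             print tolower($2); exit }' "$1"
}

# Report both checks; returns 0 only if both pass.
# "unset" means the file does not set the option and sshd's built-in default applies.
check_mfa() {
    pam_file=${1:-/etc/pam.d/sshd}
    sshd_file=${2:-/etc/ssh/sshd_config}
    rc=0
    if pam_has_totp "$pam_file"; then
        echo "OK   $pam_file: pam_google_authenticator.so is required"
    else
        echo "FAIL $pam_file: no active 'auth required pam_google_authenticator.so'"; rc=1
    fi
    val=$(challenge_setting "$sshd_file")
    if [ "$val" = "yes" ]; then
        echo "OK   $sshd_file: challenge-response authentication is yes"
    else
        echo "FAIL $sshd_file: challenge-response authentication is '${val:-unset}'"; rc=1
    fi
    return $rc
}

# Constructed sample files (not from a real host): the PAM line is present,
# but sshd_config still says "no", so the second check fails.
demo=$(mktemp -d)
printf '%s\n' '@include common-auth' 'auth required pam_google_authenticator.so' > "$demo/pam"
printf '%s\n' '# ChallengeResponseAuthentication yes' 'ChallengeResponseAuthentication no' > "$demo/sshd"
check_mfa "$demo/pam" "$demo/sshd" || echo "=> MFA is not fully enabled in the sample"
rm -rf "$demo"
```

Called with no arguments, check_mfa reads /etc/pam.d/sshd and /etc/ssh/sshd_config. sshd only picks up an edited sshd_config after the service is restarted.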
