Securing your SSH access is crucial to maintaining the integrity of your system.
One effective way to enhance security is by implementing two-factor authentication (2FA) using Google Authenticator. In this guide, we’ll walk you through the steps to set up Google Authenticator on your Ubuntu system.
Install Google Authenticator
First, update your package list and install the Google Authenticator package by running the following commands:
sudo apt update
sudo apt install libpam-google-authenticator
After installation, run google-authenticator to configure Google Authenticator.
Configure Google Authenticator
When prompted, answer “y” to save the authentication codes to your home directory (~/). For the rest of the questions, answer “n” while testing, or “y” to ensure optimal security.
Update SSH Configuration
Edit the SSH daemon configuration file by running:
sudo nano /etc/ssh/sshd_config
Ensure the following lines are uncommented and set as follows:
ChallengeResponseAuthentication yes
PasswordAuthentication yes
KbdInteractiveAuthentication no
Update PAM Configuration
Next, edit the PAM configuration file for SSH:
sudo nano /etc/pam.d/common-auth
Add the following lines at the end of the file:
# Google Authenticator
auth required pam_google_authenticator.so nullok
auth required pam_permit.so
Next open:
sudo nano /etc/pam.d/sshd
Add the following at the end of the file.
# Google Authenticator
auth required pam_google_authenticator.so
Save the changes and exit the editor.
Note that common-auth applies when you switch users (su - username), and sshd applies when you log in via SSH, e.g. with PuTTY.
Restart SSH Service
To apply the changes, restart the SSH service:
sudo systemctl restart sshd
You may want to test that everything is working properly before you close your current session.
Also, when you log in via SSH you will see a message like this:
Keyboard-interactive authentication prompts from server:
You will always need to enter your authentication code twice.
That’s it! Your SSH access is now protected with Google Authenticator’s two-factor authentication.
From now on, when you log in via SSH, you’ll be prompted to enter a verification code from your Google Authenticator app in addition to your password, significantly enhancing the security of your system.
Moreover, you can have an FTP user who will also need to enter an authentication code. Make sure the .google_authenticator file has the correct ownership and permissions. E.g. if your user is in the sftp group, the file needs to be owned by username:sftp with permissions set to 0600.
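The script below is an added example, not part of the original guide: read-only checks that report which keyboard-interactive setting wins in sshd_config, whether each PAM file enforces the code or allows nullok, and whether the secret file has the owner and 0600 mode described above. The function names and sample files are constructed for illustration. It assumes OpenSSH 8.7 or later (where ChallengeResponseAuthentication is a deprecated alias of KbdInteractiveAuthentication), GNU stat, and no Include or Match blocks.

```sh
#!/bin/sh
# Added example (not from the original guide): read-only checks for this setup.

# Value sshd uses for KEYWORD: keywords are case-insensitive and the first
# occurrence wins. Assumptions: OpenSSH 8.7+, where ChallengeResponseAuthentication
# is a deprecated alias of KbdInteractiveAuthentication; no Include/Match blocks.
sshd_opt() {  # usage: sshd_opt KEYWORD FILE
    awk -v k="$1" '
        function canon(s) { s = tolower(s)
            return (s == "challengeresponseauthentication") ? "kbdinteractiveauthentication" : s }
        canon($1) == canon(k) { print tolower($2); exit }' "$2"
}

# How a PAM file uses pam_google_authenticator.so:
#   missing  = no active auth line for the module
#   nullok   = present, but users without a secret file are not asked for a code
#   enforced = present without nullok
pam_ga_mode() {  # usage: pam_ga_mode FILE
    awk '$1 == "auth" && /pam_google_authenticator\.so/ {
             found = 1
             for (i = 3; i <= NF; i++) if ($i == "nullok") nullok = 1
         }
         END { print (!found ? "missing" : (nullok ? "nullok" : "enforced")) }' "$1"
}

# Secret file: regular file, owned by numeric OWNER_UID, mode 0600 (GNU stat).
secret_file_ok() {  # usage: secret_file_ok FILE OWNER_UID
    [ -f "$1" ] && [ "$(stat -c '%a %u' "$1")" = "600 $2" ]
}

# Constructed sample files that mirror the lines shown in this guide.
make_samples() {  # usage: make_samples DIR
    printf '%s\n' 'ChallengeResponseAuthentication yes' 'PasswordAuthentication yes' \
        'KbdInteractiveAuthentication no' > "$1/sshd_config"
    printf '%s\n' '# Google Authenticator' \
        'auth required pam_google_authenticator.so nullok' \
        'auth required pam_permit.so' > "$1/common-auth"
    printf '%s\n' '# Google Authenticator' \
        'auth required pam_google_authenticator.so' > "$1/sshd"
    : > "$1/secret" && chmod 0644 "$1/secret"   # deliberately too permissive
}

dir=$(mktemp -d) && make_samples "$dir"
echo "KbdInteractiveAuthentication: $(sshd_opt KbdInteractiveAuthentication "$dir/sshd_config")"
echo "common-auth: $(pam_ga_mode "$dir/common-auth")  sshd: $(pam_ga_mode "$dir/sshd")"
secret_file_ok "$dir/secret" "$(id -u)" || echo "secret file: wrong owner or mode"
rm -rf "$dir"
```

On a live host, pass the real paths to these functions; sudo sshd -T prints the configuration sshd actually loads.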