Pro Tips

Secure Your SSH Access with Google Authenticator

Securing your SSH access is crucial to maintaining the integrity of your system.

One effective way to enhance security is by implementing two-factor authentication (2FA) using Google Authenticator. In this guide, we’ll walk you through the steps to set up Google Authenticator on your Ubuntu system.

Install Google Authenticator

First, update your package list and install the Google Authenticator package by running the following commands:

sudo apt update
sudo apt install libpam-google-authenticator

After installation, run google-authenticator to configure Google Authenticator.

Configure Google Authenticator

When prompted, answer “y” to save the authentication codes to your home directory (~/). For the rest of the questions, select “n” for testing, and to ensure optimal security “y”.

Update SSH Configuration

Edit the SSH daemon configuration file by running:

sudo nano /etc/ssh/sshd_config

Ensure the following lines are uncommented and set as follows:

ChallengeResponseAuthentication yes
PasswordAuthentication yes
KbdInteractiveAuthentication no

Update PAM Configuration

Next, edit the PAM configuration file for SSH:

sudo nano /etc/pam.d/common-auth

Add the following lines at the end of the file:

# Google Authenticator
auth required nullok
auth required

Next open:

sudo nano /etc/pam.d/sshd

Add the following at the end of the file.

# Google Authenticator
auth required

Save the changes and exit the editor.

Note that common-auth is when you switch users su - username and sshd is when you log in via SSH e.g. with PuTTY.

Restart SSH Service

To apply the changes, restart the SSH service:

sudo systemctl restart sshd

You may want to test that everything is working properly before you close your current session.

Also, when you log in via SSH you will a message like this Keyboard-interactive authentication prompts from server: and will always need to enter your authentication code twice.

That’s it! Your SSH access is now protected with Google Authenticator’s two-factor authentication.

From now on, when you log in via SSH, you’ll be prompted to enter a verification code from your Google Authenticator app in addition to your password, significantly enhancing the security of your system.

Moreover, you can have an FTP user who will also need to enter an authentication code, and make sure the the ownership of the .google-authenticator file has the correct permissions. E.g. if your user is in sftp group you need to have username:sftp and then 0600 set permissions to the file.

Leave a Reply

Your email address will not be published. Required fields are marked *