Add 2FA to SSH on Ubuntu 18.04

Accessing a Linux PC via SSH is a very common practice, but I decided to spice things up by adding two-factor authentication (2FA) to the login process using a Pluggable Authentication Module (PAM).  PAM is interesting in that it opens the possibility of getting creative with how a user is authenticated, but I had Time-based One-Time Password (TOTP) in mind, which is something I started using for my Google account.

This was a pretty quick process.  Simply install the package;

$ sudo apt install libpam-google-authenticator

and then run the following command;

$ google-authenticator

This will fire off a tutorial; I just said yes to all the questions.  An interesting feature is that this command-line process renders an ASCII QR code that you can scan with Google Authenticator!  Pretty cool!

On my system, in order to enable PAM for SSH, I had to make the following modifications;

in

/etc/ssh/sshd_config

uncomment/set the following lines;

ChallengeResponseAuthentication yes
UsePAM yes
X11Forwarding yes
PrintMotd yes

and also in

/etc/pam.d/sshd

append the following line;

auth required pam_google_authenticator.so

(I also had to ensure that @include common-auth was not commented!)

and then finally restart sshd with;

sudo systemctl restart sshd.service

And this was all that was needed to add 2FA to my login process;

$ ssh user@minuk.net
Password:
Verification code:
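
To confirm that the settings described above are really active, the script below checks both edited files. It is an added example, not part of the original post; the function names sshd_value, pam_has and check_2fa are made up here, and it assumes an sshd_config without Match blocks.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): verify the edits described above.

# Print the effective value of an sshd_config keyword. Keywords are
# case-insensitive, the first occurrence wins, commented lines never match.
# Assumption: no Match blocks and "Keyword value" (whitespace) syntax.
sshd_value() {  # usage: sshd_value FILE KEYWORD
  awk -v k="$2" 'tolower($1) == tolower(k) { print tolower($2); exit }' "$1"
}

# Succeed if FILE has a non-comment line matching the extended regex.
pam_has() {  # usage: pam_has FILE REGEX
  grep -Ev '^[[:space:]]*#' "$1" | grep -Eq "$2"
}

# Check both files; prints one FAIL line per problem, returns the problem count.
check_2fa() {  # usage: check_2fa [SSHD_CONFIG] [PAM_SSHD]
  local cfg="${1:-/etc/ssh/sshd_config}" pam="${2:-/etc/pam.d/sshd}" bad=0 kw
  for kw in ChallengeResponseAuthentication UsePAM; do
    [ "$(sshd_value "$cfg" "$kw")" = yes ] ||
      { echo "FAIL: $kw is not set to yes in $cfg"; bad=$((bad + 1)); }
  done
  pam_has "$pam" '^[[:space:]]*auth[[:space:]]+required[[:space:]]+pam_google_authenticator\.so' ||
    { echo "FAIL: no active pam_google_authenticator.so line in $pam"; bad=$((bad + 1)); }
  pam_has "$pam" '^[[:space:]]*@include[[:space:]]+common-auth' ||
    { echo "FAIL: @include common-auth missing or commented in $pam"; bad=$((bad + 1)); }
  [ "$bad" -eq 0 ] && echo "OK: 2FA settings are active"
  return "$bad"
}

# Constructed sample files: UsePAM is still commented out while the PAM
# lines are present, so exactly one problem is reported.
demo_dir=$(mktemp -d)
printf '%s\n' 'ChallengeResponseAuthentication yes' '#UsePAM yes' > "$demo_dir/sshd_config"
printf '%s\n' '@include common-auth' 'auth required pam_google_authenticator.so' > "$demo_dir/sshd"
check_2fa "$demo_dir/sshd_config" "$demo_dir/sshd" || true
rm -rf "$demo_dir"
```

Called with no arguments, check_2fa reads /etc/ssh/sshd_config and /etc/pam.d/sshd.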

If anything is wrong, set

auth required pam_google_authenticator.so debug

in the /etc/pam.d/sshd file and then run;

$ tail -F /var/log/auth.log

this will give you some precious output on login attempts.
