Accessing a Linux PC via SSH is a very common practice, but I decided to spice things up by adding 2 Factor Authentication (2FA) to the login process, using a Pluggable Authentication Module (PAM). PAM is interesting in that it opens the possibility of getting creative about how to authenticate a user, but I had Time-based One-time Password (TOTP) in mind, which is something I started using for my Google account.
This was a pretty quick process; simply install the package;
$ sudo apt install libpam-google-authenticator
and then run the following command;
This will fire off a tutorial; I just said yes to all the questions. An interesting feature is that this command-line process will render an ASCII QR code so you can scan it in with Google Authenticator! Pretty cool!
On my system, in order to enable PAM for SSH, I had to make the following modifications;
uncomment/set the following lines;
and also in
append the following line;
auth required pam_google_authenticator.so
(I also had to ensure that @include common-auth was not commented out!)
and then finally restart sshd with;
$ sudo systemctl restart sshd.service
And this was all that was needed to add 2FA to my login process;
$ ssh firstname.lastname@example.org
Password:
Verification code:
If anything is wrong, add the debug option to the module line,
auth required pam_google_authenticator.so debug
in the /etc/pam.d/sshd file and then run;
$ tail -F /var/log/auth.log
This will give you some precious output on login attempts.