
Set Two-Factor Authentication for SSH in Linux

Posted on 07/02/2023, 14/03/2023 by Imoh Etuk

The digital revolution, remote work, and the cloud have driven the evolution of two-factor authentication (2FA), multi-factor authentication (MFA), and single sign-on (SSO) solutions. SSO gives users access to their resources through a single sign-on authentication. 2FA and MFA are similar in that they both add a second layer of security to a system. While MFA uses two or more verification methods, two-factor authentication uses only two of them to verify and authorize a user’s login attempts. In this guide, you will learn how to set Two-Factor Authentication for SSH in Linux.

Why add an extra layer of Security?

Adding an extra layer of security to remote systems has become necessary because of a significant increase in cyberattacks and credential theft. In a Linux environment, SSH, or secure shell, is frequently used to establish connections to remote Linux systems. Because it is frequently used to connect to computers containing sensitive data, adding another security layer is recommended. Two-factor authentication (2FA) is a second security layer that works well in this situation.

Two-factor authentication adds an extra layer of security because users must provide additional information in addition to their username and password. This information is a temporary, numeric password that is generated independently on the server.


What is 2FA?

Two-factor authentication (2FA) is the most basic and effective method of adding a secure layer of authentication to the login credentials. After entering their credentials, users must verify their identity using an independent factor (email, SMS, security questions, social profile, etc.). The use of these protocols limits suspicious login attempts to the system, even if the consumer’s password is compromised maliciously.

What is Secure Socket Shell (SSH)?

Secure Socket Shell (SSH), also simply known as Secure Shell, is a cryptographic protocol that allows secure access to remote servers and devices over the internet. It is based on public key cryptography and provides a mechanism for mutual authentication between the server and the client as well as an encrypted channel of communication over an unsecured network.

Prerequisite for setting up Two-Factor Authentication for SSH in Linux

To follow along with this post, you need to have the following available:

  • A computer running Ubuntu 20.04 LTS or above,
  • A phone running Android or iOS,
  • A configured SSH connection.

Enabling Two-Factor Authentication for SSH

In order to set Two-Factor Authentication for SSH in Linux, do the following:

Step 1 – Install and configure the required packages. Do this by starting a terminal session and running the below command to install the Google Authenticator PAM module:

sudo apt install libpam-google-authenticator

[Figure: Installing Google Authenticator App]

After installing it, use the switch user command (su) to switch from the root user to a normal (that is, non-root) user on your server, and type:

google-authenticator

When the prompt “Do you want authentication tokens to be time-based?” displays, type y and then press Enter.

[Figure: Setting the Time-based Authentication Tokens]

The system creates a QR code image as well as emergency scratch codes. Scan the QR code image with your mobile device to set up the account.

[Figure: Scanning the QR Code Image]

Keep the secret key and emergency codes in a secure location. If you ever lose your mobile device or it becomes inoperable for any reason, you must have one of these emergency codes. You will be unable to access your account otherwise.

The system then shows the prompt “Do you want me to update your "/home/<username>/.google_authenticator" file?” on the server; enter y, and then click OK. At the next prompt, “Do you want to disallow multiple uses of the same authentication token?”, enter y, and then click OK. Repeat the same steps for all other prompts by typing y and then pressing the Enter key.

[Figure: Configuring the Authentication Prompts]

Configuring SSH on Linux

Next, switch to the root user, open the /etc/pam.d/sshd file in your preferred text editor, and add the following line to the top of the file:

auth required pam_google_authenticator.so nullok

[Figure: Adding a line to the /etc/pam.d/sshd file]

Save and exit the editor.

The nullok option on the line above allows users who have not yet enabled two-factor authentication to log in with just a username and password. When configuring two-factor authentication for the first time, it is a good idea to use this setting. Once you’ve configured two-factor authentication for all of your users, you can remove the nullok option to make it mandatory.

The next step in configuring SSH is to restart the sshd daemon by running the command below:

sudo systemctl restart sshd.service

Modify /etc/ssh/sshd_config – change ChallengeResponseAuthentication from no to yes, so this part of the file looks like this:

[Figure: Modifying the Challenge Response Authentication File]

Save the above file and exit your editor. As the root user, restart the SSH service by running:

service ssh restart

Test the two-factor authentication for SSH

Now, log in as a normal user by switching users. Enter the numeric password displayed by the authenticator app on your mobile device at the Verification code prompt.

Finally, to log in, enter the user’s password at the Password prompt.
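
To decide when nullok can safely be removed, the following check (an added example, not part of the original article) reports whether the PAM line is enforced or optional, whether keyboard-interactive authentication is switched on, and which accounts have no ~/.google_authenticator file yet. The function names, the UID >= 1000 cut-off and the sample accounts alice and bob are assumptions; newer OpenSSH releases name the sshd_config keyword KbdInteractiveAuthentication and keep ChallengeResponseAuthentication as a deprecated alias, so the script accepts either.

```shell
# Added example (not from the article): audit the 2FA state; paths are arguments so it can run on copies.
# State of pam_google_authenticator in a PAM file: enforced, optional (nullok) or absent.
ga_pam_state() {
  local line
  line=$(grep -E '^[[:space:]]*auth[[:space:]].*pam_google_authenticator\.so' "${1:-/etc/pam.d/sshd}" | head -n 1) || true
  if [ -z "$line" ]; then echo absent
  elif printf '%s\n' "$line" | grep -qw nullok; then echo optional
  else echo enforced
  fi
}

# First uncommented value of the keyboard-interactive switch (sshd uses the first
# occurrence of a keyword). Include files and Match blocks are not followed here.
kbdint_state() {
  awk 'tolower($1) ~ /^(challengeresponseauthentication|kbdinteractiveauthentication)$/ {
         print tolower($2); found = 1; exit }
       END { if (!found) print "unset" }' "${1:-/etc/ssh/sshd_config}"
}

# Login-capable accounts without ~/.google_authenticator: with nullok set, these
# still get in with a password alone. UID >= 1000 as "regular user" is an assumption.
unenrolled_users() {
  local name pw uid gid gecos home shell
  while IFS=: read -r name pw uid gid gecos home shell; do
    case "$shell" in */nologin|*/false|'') continue ;; esac
    [ "$uid" -ge 1000 ] || continue
    [ -f "$home/.google_authenticator" ] || echo "$name"
  done < "${1:-/etc/passwd}"
}

# One-line summary; succeeds only when the second factor is mandatory.
audit_2fa() {
  local pam kbd missing
  pam=$(ga_pam_state "$1"); kbd=$(kbdint_state "$2")
  missing=$(unenrolled_users "$3" | tr '\n' ' ')
  echo "pam=$pam kbdint=$kbd unenrolled=${missing% }"
  [ "$pam" = enforced ] && [ "$kbd" = yes ]
}

# Constructed fixture: the article's setup with nullok kept, alice enrolled, bob not.
demo_dir() {
  local d; d=$(mktemp -d); mkdir -p "$d/home/alice" "$d/home/bob"
  : > "$d/home/alice/.google_authenticator"
  printf '%s\n' 'auth required pam_google_authenticator.so nullok' '@include common-auth' > "$d/pam_sshd"
  printf '%s\n' '#KbdInteractiveAuthentication no' 'ChallengeResponseAuthentication yes' > "$d/sshd_config"
  printf '%s\n' "alice:x:1000:1000::$d/home/alice:/bin/bash" "bob:x:1001:1001::$d/home/bob:/bin/bash" 'sshd:x:110:65534::/run/sshd:/usr/sbin/nologin' > "$d/passwd"
  echo "$d"
}
d=$(demo_dir); audit_2fa "$d/pam_sshd" "$d/sshd_config" "$d/passwd" || echo "second factor not yet mandatory"; rm -rf "$d"
```

Logins that authenticate with an SSH public key do not pass through the PAM auth stack, so the verification code is only requested for them when sshd_config also lists keyboard-interactive in AuthenticationMethods.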

Disabling two-factor authentication for SSH

You can disable two-factor authentication with SSH if you no longer want to use it. Follow these steps to accomplish this:

Step 1 – Log in to your server using SSH. After you have logged in, open the /etc/pam.d/sshd file in your preferred text editor

[Figure: Disabling the 2FA]

Save and exit the editor.

Step 2 – Open the /etc/ssh/sshd_config file in your preferred text editor and change the ChallengeResponseAuthentication yes to no:

[Figure: Disabling 2FA]

Lastly, run service sshd restart with sudo privileges. This disables 2FA on your computer completely.

I hope you found this blog post helpful. In this article, you have learned how to Set Two-Factor Authentication for SSH in Linux. If you have any questions, please let me know in the comment section.
