In this tutorial, we will show you how to secure SSH using two-factor authentication on Ubuntu 16.04 LTS. For those of you who didn’t know, Securing SSH with two-factor authentication using Google Authenticator Two-step verification (also known as Two-factor authentication, abbreviated to TFA) is a process involving two stages to verify the identity of an entity trying to access services in a computer or in a network. This is a special case of multi-factor authentication that might involve only one of the three authentication factors (a knowledge factor, a possession factor, and an inheritance factor) for both steps.
This article assumes you have at least basic knowledge of Linux, know how to use the shell, and most importantly, you host your site on your own VPS. The installation is quite simple and assumes you are running in the root account, if not you may need to add ‘sudo’ to the commands to get root privileges. I will show you through the step by step secure SSH using two-factor authentication on a Ubuntu 16.04 (Xenial Xerus) server.
Secure SSH Using Two Factor Authentication on Ubuntu 16.04 LTS
Step 1. First, make sure that all your system packages are up-to-date by running these following apt-get commands in the terminal.
Step 2. Installing Google Authenticator.
To install the package on Ubuntu, run the following command:
The next step is to get the verification code. It’s a very simple command to get the verification code and scratch codes by just answering simple questions of the server which he will ask you. You can do that step by running the following command:
You will be prompted to answer a few questions; answer the first two questions with yes (y):
A big QR code will be generated in your terminal. You can scan the code with the authenticator application on your Android/iOS/Windows phone or tablet or enter the secret key generated on the screen.
Emergency scratch codes will also be generated. You can use these codes for authentication in case you lose your mobile device:
Save the authentication settings for the root user by answering YES to the next question:
Next, you can configure the authenticator to generate one-time passwords. Since they last 30 seconds, all generated passwords can be used once. Answer y to create the file that stores these settings:
You can use the next setting if you have time syncing issues across your devices, so we will not use this option:
The next setting prevents brute-force attacks. You will only have three chances per 30 seconds to enter the correct password:
Congratulations! You have finished generating your key and adding it to your client, but some additional configuration is needed before these settings will go into effect.
The next step is to configure the authentication settings in openSSH. To do so, open the “/etc/pam.d/sshd” file and add the following line to the end of the file:
### nano /etc/pam.d/sshd
Save the changes, and open the “/etc/ssh/sshd_config” file and enable Challenge-Response Authentication:
### nano /etc/ssh/sshd_config
Finally, save the file and restart the SSH server for the changes to take effect:
Congratulations! You have successfully secured SSH. Thanks for using this tutorial for secure SSH using two-factor authentication on Ubuntu 16.04 LTS (Xenial Xerus) system. For additional help or useful information, we recommend you to check the official SSH website.