In this tutorial, we will show you how to secure SSH using two-factor authentication on Ubuntu 16.04 LTS. For those of you who didn’t know, Securing SSH with two-factor authentication using Google Authenticator Two-step verification (also known as Two-factor authentication, abbreviated to TFA) is a process involving two stages to verify the identity of an entity trying to access services in a computer or in a network. This is a special case of multi-factor authentication that might involve only one of the three authentication factors (a knowledge factor, a possession factor, and an inheritance factor) for both steps.
This article assumes you have at least basic knowledge of Linux, know how to use the shell, and most importantly, you host your site on your own VPS. The installation is quite simple and assumes you are running in the root account, if not you may need to add ‘
sudo‘ to the commands to get root privileges. I will show you the step-by-step secure SSH using two-factor authentication on a Ubuntu 16.04 (Xenial Xerus) server.
- A server running one of the following operating systems: Ubuntu 16.04, and any other Debian-based distribution like Linux Mint.
- It’s recommended that you use a fresh OS install to prevent any potential issues.
- SSH access to the server (or just open Terminal if you’re on a desktop).
non-root sudo useror access to the
root user. We recommend acting as a
non-root sudo user, however, as you can harm your system if you’re not careful when acting as the root.
Secure SSH Using Two Factor Authentication on Ubuntu 16.04 LTS
Step 1. First, make sure that all your system packages are up-to-date by running the following
apt-get commands in the terminal.
sudo apt-get update sudo apt-get upgrade
Step 2. Installing Google Authenticator.
To install the package on Ubuntu, run the following command:
apt-get install libpam-google-authenticator
The next step is to get the verification code. It’s a very simple command to get the verification code and scratch codes by just answering simple questions of the server he will ask you. You can do that step by running the following command:
You will be prompted to answer a few questions; answer the first two questions with yes (y):
Do you want authentication tokens to be time-based (y/n) y
A big QR code will be generated in your terminal. You can scan the code with the authenticator application on your Android/iOS/Windows phone or tablet or enter the secret key generated on the screen.
Emergency scratch codes will also be generated. You can use these codes for authentication in case you lose your mobile device:
Your emergency scratch codes are: 80461001 68335920 89765548 12485672 11145603
Save the authentication settings for the root user by answering YES to the next question:
Do you want me to update your "/root/.google_authenticator" file (y/n) y
Next, you can configure the authenticator to generate one-time passwords. For the last 30 seconds, all generated passwords can be used once. Answer y to create the file that stores these settings:
Do you want to disallow multiple uses of the same authentication token? This restricts you to one login about every 30s, but it increases your chances to notice or even prevent man-in-the-middle attacks (y/n) y
You can use the next setting if you have time syncing issues across your devices, so we will not use this option:
By default, tokens are good for 30 seconds and in order to compensate for possible time-skew between the client and the server, we allow an extra token before and after the current time. If you experience problems with poor time synchronization, you can increase the window from its default size of 1:30min to about 4min. Do you want to do so (y/n) n
The next setting prevents brute-force attacks. You will only have three chances per 30 seconds to enter the correct password:
If the computer that you are logging into isn't hardened against brute-force login attempts, you can enable rate-limiting for the authentication module. By default, this limits attackers to no more than 3 login attempts every 30s. Do you want to enable rate-limiting (y/n) y
Congratulations! You have finished generating your key and adding it to your client, but some additional configuration is needed before these settings will go into effect.
The next step is to configure the authentication settings in openSSH. To do so, open the “
/etc/pam.d/sshd” file and add the following line to the end of the file:
### nano /etc/pam.d/sshd auth required pam_google_authenticator.so
Save the changes, open the “
/etc/ssh/sshd_config” file and enable Challenge-Response Authentication:
### nano /etc/ssh/sshd_config ChallengeResponseAuthentication yes
Finally, save the file and restart the SSH server for the changes to take effect:
systemctl restart ssh
Congratulations! You have successfully secured SSH. Thanks for using this tutorial for secure SSH using two-factor authentication on Ubuntu 16.04 LTS (Xenial Xerus) system. For additional help or useful information, we recommend you to check the official SSH website.