This is a quick post that shows how I set up two-factor authenticator protection at login on Ubuntu or Debian

Advertisement:

Aside

If you have not read my previous posts I have now moved my blog to the awesome UpCloud host (signup using this link to get $25 free UpCloud VM credit). I compared Digital Ocean, Vultr and UpCloud Disk IO here and UpCloud came out on top by a long way (read the blog post here). Here is my blog post on moving from Vultr to UpCloud.

Buy a domain name here

Now on with the post.

Backup

I ensured I had a backup of my server. This is easy to do on UpCloud. If something goes wrong I will rollback.

Why Setup 2FA on SSH connections

1) Firewalls or whitelists may not protect you from detection.

2) SSH authorisation bypass bugs may appear.

I’ve just relased libssh 0.8.4 and 0.7.6 to address CVE-2018-10933. This is an auth bypass in the server. Please update as soon as possible! https://t.co/Qhra2TXqzm

— Andreas Schneider (@cryptomilk) October 16, 2018

2FA authorisation is another lube of defence.

Yubico Yubi Key

Read my block post here to learn how to use the Yubico YubiKey NEO hardware-based two-factor authentication device to improve authentication and logins to OSX and software

Timezone

It is important that you set the same timezone as the server you are trying to secure two 2FA. I can run this command on Linux to set the timezone.

Check the time command

Output

2018-10-14 20:34:02.994867+1100

Install Google Authenticator

Output

> Reading package lists…
> Building dependency tree
> Reading state information… Done
> The following additional packages will be installed:
> libqrencode3
> The following NEW packages will be installed:
> libpam-google-authenticator libqrencode3
> 0 upgraded, 2 newly installed, 0 to remove and 11 not upgraded.
> Need to get 56.8 kB of archives.
> After this operation, 183 kB of additional disk space will be used.
> Do you want to continue? [Y/n] y
> Get:1 http://us.archive.ubuntu.com/ubuntu bionic/universe amd64 libqrencode3 amd64 3.4.4-1build1 [23.9 kB]
> Get:2 http://us.archive.ubuntu.com/ubuntu bionic/universe amd64 libpam-google-authenticator amd64 20170702-1 [32.9 kB]
> Fetched 56.8 kB in 0s (426 kB/s)
> Selecting previously unselected package libqrencode3:amd64.
> (Reading database … 122554 files and directories currently installed.)
> Preparing to unpack …/libqrencode3_3.4.4-1build1_amd64.deb …
> Unpacking libqrencode3:amd64 (3.4.4-1build1) …
> Selecting previously unselected package libpam-google-authenticator.
> Preparing to unpack …/libpam-google-authenticator_20170702-1_amd64.deb …
> Unpacking libpam-google-authenticator (20170702-1) …
> Setting up libqrencode3:amd64 (3.4.4-1build1) …
> Processing triggers for libc-bin (2.27-3ubuntu1) …
> Processing triggers for man-db (2.8.3-2) …
> Setting up libpam-google-authenticator (20170702-1) …

Configure Google Authenticator

Run google-authenticator and answer the following questions

Q1) Do you want authentication tokens to be time-based (y/n): Y

You will be presented with a token you can add to the Yubico Authenticator or other authenticator apps,

TIP: Write down any recovery codes displayed

Scan the code with your 2FA Authenticator app (e.g Google Authenticator, Yubico Authenticator or freeOTP from https://freeotp.github.io)

The 2FA code is now available for use in my YubiCo Authenticator app

Q2) Do you want me to update your “/root/.google_authenticator” file? (y/n): Y

Q3) Do you want to disallow multiple uses of the same authentication
token? This restricts you to one login about every 30s, but it increases
your chances to notice or even prevent man-in-the-middle attacks (y/n): Y

Q4) By default, a new token is generated every 30 seconds by the mobile app.
In order to compensate for possible time-skew between the client and the server,
we allow an extra token before and after the current time. This allows for a
time skew of up to 30 seconds between authentication server and client. If you
experience problems with poor time synchronization, you can increase the window
from its default size of 3 permitted codes (one previous code, the current
code, the next code) to 17 permitted codes (the 8 previous codes, the current
code, and the 8 next codes). This will permit for a time skew of up to 4 minutes
between client and server.
Do you want to do so? (y/n) y: Y

Advertisement:

Q5) If the computer that you are logging into isn’t hardened against brute-force login attempts, you can enable rate-limiting for the authentication module. By default, this limits attackers to no more than 3 login attempts every 30s.
Do you want to enable rate-limiting? (y/n): Y

Review Google Authenticator Config

You can change this if need be.

Edit SSH Configuration (Authentication)

Add the line below the line “@include common-auth”

Comment out the following line (this is the most important step, this forces 2FA)

Edit SSH Configuration (Challenge Response Authentication)

Edit the ssh config file.

Search For

Set this to

Ensure the following line exists

Add the following line

Edit Common Auth

Add the following line before the line that says “auth [success=1 default=ignore] pam_unix.so nullok_secure”

Restart the SSH service and test the codes in a new terminal before rebooting.

TIP: Do not exit the working connected session and you may need it to fix issues.

Restart the SSH service a tets it

If you have failed to set it up authenticator codes will fail to work.

Failed attempts

When it is configured OK (at login SSH connection) I was prompted for further information

I am now prompted at login to insert a 2FA token (after inserting my YubiKey)

Turn on 2FA on other sites

Check out https://www.turnon2fa.com and tutorials here.

I hope this guide helps someone.

Please consider using my referral code and get $25 UpCloud VM credit if you need to create a server online.

https://www.upcloud.com/register/?promo=D84793

Ask a question or recommend an article

Revision History

V1.3 turnon2fa.com

V1.2 ssh auth bypass

v1.1 Authenticator apps

v1.0 Initial Post