This is a quick post that shows how I set up two-factor authentication protection at login on Ubuntu or Debian.
If you have not read my previous posts, I have now moved my blog to the awesome UpCloud host (sign up using this link to get $25 free UpCloud VM credit). I compared Digital Ocean, Vultr and UpCloud disk IO and UpCloud came out on top by a long way (read the blog post here). Here is my blog post on moving from Vultr to UpCloud.
Now on with the post.
I ensured I had a backup of my server. This is easy to do on UpCloud. If something goes wrong I will roll back.
Why Set Up 2FA on SSH Connections
1) Firewalls or whitelists may not protect you from detection.
2) SSH authorisation bypass bugs may appear.
I’ve just released libssh 0.8.4 and 0.7.6 to address CVE-2018-10933. This is an auth bypass in the server. Please update as soon as possible! https://t.co/Qhra2TXqzm
— Andreas Schneider (@cryptomilk) October 16, 2018
2FA authorisation is another layer of defence.
Yubico Yubi Key
Read my blog post here to learn how to use the Yubico YubiKey NEO hardware-based two-factor authentication device to improve authentication and logins to OSX and software.
It is important that you set the same timezone as the server you are trying to secure with 2FA. I can run this command on Linux to check the time.
Check the time with this command:
sudo hwclock --show
Install Google Authenticator
sudo apt install libpam-google-authenticator
> Reading package lists…
> Building dependency tree
> Reading state information… Done
> The following additional packages will be installed:
> The following NEW packages will be installed:
> libpam-google-authenticator libqrencode3
> 0 upgraded, 2 newly installed, 0 to remove and 11 not upgraded.
> Need to get 56.8 kB of archives.
> After this operation, 183 kB of additional disk space will be used.
> Do you want to continue? [Y/n] y
> Get:1 http://us.archive.ubuntu.com/ubuntu bionic/universe amd64 libqrencode3 amd64 3.4.4-1build1 [23.9 kB]
> Get:2 http://us.archive.ubuntu.com/ubuntu bionic/universe amd64 libpam-google-authenticator amd64 20170702-1 [32.9 kB]
> Fetched 56.8 kB in 0s (426 kB/s)
> Selecting previously unselected package libqrencode3:amd64.
> (Reading database … 122554 files and directories currently installed.)
> Preparing to unpack …/libqrencode3_3.4.4-1build1_amd64.deb …
> Unpacking libqrencode3:amd64 (3.4.4-1build1) …
> Selecting previously unselected package libpam-google-authenticator.
> Preparing to unpack …/libpam-google-authenticator_20170702-1_amd64.deb …
> Unpacking libpam-google-authenticator (20170702-1) …
> Setting up libqrencode3:amd64 (3.4.4-1build1) …
> Processing triggers for libc-bin (2.27-3ubuntu1) …
> Processing triggers for man-db (2.8.3-2) …
> Setting up libpam-google-authenticator (20170702-1) …
Configure Google Authenticator
Run google-authenticator and answer the following questions:
Q1) Do you want authentication tokens to be time-based (y/n): Y
You will be presented with a token you can add to the Yubico Authenticator or other authenticator apps.
TIP: Write down any recovery codes displayed.
The 2FA code is now available for use in my Yubico Authenticator app.
Q2) Do you want me to update your “/root/.google_authenticator” file? (y/n): Y
Q3) Do you want to disallow multiple uses of the same authentication
token? This restricts you to one login about every 30s, but it increases
your chances to notice or even prevent man-in-the-middle attacks (y/n): Y
Q4) By default, a new token is generated every 30 seconds by the mobile app.
In order to compensate for possible time-skew between the client and the server,
we allow an extra token before and after the current time. This allows for a
time skew of up to 30 seconds between authentication server and client. If you
experience problems with poor time synchronization, you can increase the window
from its default size of 3 permitted codes (one previous code, the current
code, the next code) to 17 permitted codes (the 8 previous codes, the current
code, and the 8 next codes). This will permit for a time skew of up to 4 minutes
between client and server.
Do you want to do so? (y/n): Y
Q5) If the computer that you are logging into isn’t hardened against brute-force login attempts, you can enable rate-limiting for the authentication module. By default, this limits attackers to no more than 3 login attempts every 30s.
Do you want to enable rate-limiting? (y/n): Y
Review Google Authenticator Config
sudo nano ~/.google_authenticator
You can change this if need be.
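To make the Q3 and Q4 answers above concrete, here is an added Python model (not code from the post or from the google-authenticator project) of what the PAM module checks: an RFC 6238 TOTP over 30-second steps, a window of 3 or 17 codes, and rejection of a reused time step. The secret and the .google_authenticator layout (first line secret, option lines starting with a double quote, then scratch codes) are constructed assumptions for the example.

```python
import base64
import hashlib
import hmac
import struct

STEP = 30  # seconds per TOTP step, as the google-authenticator prompt describes

# Constructed sample secret and config file; assumed layout, not copied from a real host
SECRET = "JBSWY3DPEHPK3PXP"
SAMPLE_CONFIG = SECRET + '\n" RATE_LIMIT 3 30\n" WINDOW_SIZE 17\n" DISALLOW_REUSE\n" TOTP_AUTH\n12345678\n'


def totp(secret_b32: str, counter: int, digits: int = 6) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 over the step counter, then dynamic truncation."""
    key = base64.b32decode(secret_b32.upper() + "=" * (-len(secret_b32) % 8))
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return f"{code:0{digits}d}"


def parse_config(text: str) -> dict:
    """Read the assumed .google_authenticator layout: secret, '" ' option lines, scratch codes."""
    lines = [line.strip() for line in text.splitlines() if line.strip()]
    cfg = {"secret": lines[0], "window": 3, "disallow_reuse": False, "scratch": []}
    for line in lines[1:]:
        if line.startswith('"'):
            opt = line[1:].split()
            if opt and opt[0] == "WINDOW_SIZE":
                cfg["window"] = int(opt[1])
            elif opt and opt[0] == "DISALLOW_REUSE":
                cfg["disallow_reuse"] = True
        else:
            cfg["scratch"].append(line)
    return cfg


def verify(cfg: dict, code: str, now: int, used: set) -> bool:
    """Accept a code within the window (3 -> +/-1 step, 17 -> +/-8 steps).
    With DISALLOW_REUSE, a step that already authenticated is rejected."""
    centre = now // STEP
    half = (cfg["window"] - 1) // 2
    for step in range(centre - half, centre + half + 1):
        if hmac.compare_digest(totp(cfg["secret"], step), code):
            if cfg["disallow_reuse"] and step in used:
                return False  # replay of a code already used at this step
            used.add(step)
            return True
    return False
```

The `used` set stands in for the state the module keeps on disk; in a real deployment a larger window widens the replay opportunity, which is why the post's Q3 answer matters.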
Edit SSH Configuration (Authentication)
sudo nano /etc/pam.d/sshd
Add the following line below the line “@include common-auth”:
auth required pam_google_authenticator.so
Comment out the following line (this is the most important step; it forces 2FA):
Edit SSH Configuration (Challenge Response Authentication)
Edit the ssh config file.
sudo nano /etc/ssh/sshd_config
Set this to
Ensure the following line exists
Add the following line
AuthenticationMethods publickey,password publickey,keyboard-interactive
Edit Common Auth
sudo nano /etc/pam.d/common-auth
Add the following line before the line that says “auth [success=1 default=ignore] pam_unix.so nullok_secure”
auth required pam_google_authenticator.so
Restart the SSH service and test the codes in a new terminal before rebooting.
TIP: Do not exit the working connected session, as you may need it to fix issues.
Restart the SSH service and test it:
/etc/init.d/ssh restart
[ ok ] Restarting ssh (via systemctl): ssh.service.
If you have not set it up correctly, authenticator codes will fail to work:
Further authentication required
Using keyboard-interactive authentication.
Verification code:
Using keyboard-interactive authentication.
Verification code:
Using keyboard-interactive authentication.
Verification code:
When it is configured correctly, at SSH login I was prompted for further information:
Further Information required
Using keyboard-interactive authentication
Verification Code: ######
[email protected]#
I am now prompted at login to insert a 2FA token (after inserting my YubiKey)
Turn on 2FA on other sites
I hope this guide helps someone.
Please consider using my referral code and get $25 UpCloud VM credit if you need to create a server online.
V1.4 June 2019: Works on Debian 9.9
V1.2 ssh auth bypass
v1.1 Authenticator apps
v1.0 Initial Post