This is a quick post that shows how I set up two-factor authentication (2FA) for SSH logins on Ubuntu or Debian.
Aside
If you have not read my previous posts, I have now moved my blog to the awesome UpCloud host (sign up using this link to get $25 free UpCloud VM credit). I compared Digital Ocean, Vultr and UpCloud disk IO here and UpCloud came out on top by a long way (read the blog post here). Here is my blog post on moving from Vultr to UpCloud.
Buy a domain name here
Now on with the post.
Backup
I ensured I had a backup of my server. This is easy to do on UpCloud. If something goes wrong I can roll back.
Why Set Up 2FA on SSH Connections
1) Firewalls or whitelists may not protect you from detection.
2) SSH authentication bypass bugs do appear, as with CVE-2018-10933 in libssh:
I’ve just released libssh 0.8.4 and 0.7.6 to address CVE-2018-10933. This is an auth bypass in the server. Please update as soon as possible! https://t.co/Qhra2TXqzm
— Andreas Schneider (@cryptomilk) October 16, 2018
2FA is another layer of defence.
Yubico Yubi Key
Read my blog post here to learn how to use the Yubico YubiKey NEO hardware-based two-factor authentication device to improve authentication and logins on OS X and in software.
Timezone
It is important to set the same timezone as on the server you are securing with 2FA, because the codes are time-based. I can run the commands below on Linux to set the timezone.
On Debian, I set the time using this guide.
Check the time
> timedatectl
> Local time: Tue 2019-06-25 16:45:20 UTC
> Universal time: Tue 2019-06-25 16:45:20 UTC
> RTC time: Wed 2019-06-26 02:37:44
> Time zone: Etc/UTC (UTC, +0000)
> Network time on: yes
> NTP synchronized: yes
> RTC in local TZ: no
I set the timezone
> sudo timedatectl set-timezone Australia/Sydney
I confirmed the timezone
> timedatectl
> Local time: Wed 2019-06-26 02:47:42 AEST
> Universal time: Tue 2019-06-25 16:47:42 UTC
> RTC time: Wed 2019-06-26 02:40:06
> Time zone: Australia/Sydney (AEST, +1000)
> Network time on: yes
> NTP synchronized: yes
> RTC in local TZ: no
I installed an NTP time server
I followed this guide to install an NTP time server (it failed at: ntpdate linuxconfig.ntp) and this guide to manually sync the time.
I installed the Google Authenticator PAM module
sudo apt-get install libpam-google-authenticator
Configure Google Authenticator
Run google-authenticator and answer the following questions:
Q1) Do you want authentication tokens to be time-based (y/n): Y
You will be presented with a QR code and secret key that you can add to the Yubico Authenticator or other authenticator apps.
TIP: Write down any recovery codes displayed.
Scan the code with your 2FA authenticator app (e.g. Google Authenticator, Yubico Authenticator or FreeOTP from https://freeotp.github.io).
The 2FA code is now available for use in my Yubico Authenticator app.
Q2) Do you want me to update your “/root/.google_authenticator” file? (y/n): Y
Q3) Do you want to disallow multiple uses of the same authentication
token? This restricts you to one login about every 30s, but it increases
your chances to notice or even prevent man-in-the-middle attacks (y/n): Y
Q4) By default, a new token is generated every 30 seconds by the mobile app.
In order to compensate for possible time-skew between the client and the server,
we allow an extra token before and after the current time. This allows for a
time skew of up to 30 seconds between the authentication server and client. If you
experience problems with poor time synchronization, you can increase the window
from its default size of 3 permitted codes (one previous code, the current
code, the next code) to 17 permitted codes (the 8 previous codes, the current
code, and the 8 next codes). This will permit for a time skew of up to 4 minutes
between client and server.
Do you want to do so? (y/n): Y
Q5) If the computer that you are logging into isn’t hardened against brute-force login attempts, you can enable rate-limiting for the authentication module. By default, this limits attackers to no more than 3 login attempts every 30s.
Do you want to enable rate-limiting? (y/n): Y
Review Google Authenticator Config
You can change this if need be.
sudo nano ~/.google_authenticator
Edit SSH Configuration (Authentication)
Add the line below the line “@include common-auth”
Comment out the following line (this is the most important step, as it is what forces 2FA)
Edit SSH Configuration (Challenge Response Authentication)
Edit the ssh config file.
Search For
Set this to
Ensure the following line exists
UsePAM yes
Add the following line
Edit Common Auth
Add the following line before the line that says “auth [success=1 default=ignore] pam_unix.so nullok_secure”
auth required pam_google_authenticator.so
Restart the SSH service and test the codes in a new terminal before rebooting.
TIP: Do not exit the working connected session, as you may need it to fix issues.
Restart the SSH service and test it.
If you have set it up incorrectly, authenticator codes will fail to work.
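Before restarting SSH it is worth confirming the edits as a whole, since a mistake here locks you out. The following Python is an added check written for this post, not code from the page or from OpenSSH: it parses an sshd_config and a PAM file the way the two programs read them (sshd takes the first value of a keyword and treats only whole lines starting with # as comments; PAM allows a bracketed control field containing spaces) and reports whether the settings the steps above depend on are in place. It assumes the value set in the "Search For / Set this to" step is `ChallengeResponseAuthentication yes` (the post does not show it), also accepts the newer `KbdInteractiveAuthentication` spelling, and runs against constructed sample files rather than anything from a real host.

```python
import re
from typing import Dict, List, Tuple

# sshd_config keywords are case-insensitive, values are not. ChallengeResponseAuthentication is the
# keyword the "Search For / Set this to" step targets (value assumed to be "yes" here); OpenSSH 8.7
# renamed it KbdInteractiveAuthentication, so either spelling is accepted.
CHALLENGE_KEYS = ("challengeresponseauthentication", "kbdinteractiveauthentication")
GA_MODULE = "pam_google_authenticator.so"
PAM_LINE = re.compile(r"^(\S+)\s+(\[[^\]]*\]|\S+)\s+(\S+)(?:\s+(.*))?$")


def parse_sshd_config(text: str) -> Dict[str, str]:
    """Effective global settings: the first occurrence of a keyword wins (as in sshd), only
    whole-line '#' comments are comments, and parsing stops at the first Match block because
    everything after it is conditional rather than global."""
    effective: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tokens = re.split(r"\s*=\s*|\s+", line, maxsplit=1)   # "Key value" or "Key=value"
        key = tokens[0].lower()
        if key == "match":
            break
        effective.setdefault(key, tokens[1].strip() if len(tokens) > 1 else "")
    return effective


def parse_pam(text: str) -> List[Tuple[str, str, str]]:
    """Active PAM lines as (type, control, module); '@include file' becomes ('@include', '', file).
    Bracketed controls such as [success=1 default=ignore] contain spaces, hence the regex."""
    entries: List[Tuple[str, str, str]] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # pam.conf(5): '#' starts a comment anywhere on the line
        if not line:
            continue
        parts = line.split()
        if parts[0] == "@include":
            entries.append(("@include", "", parts[1] if len(parts) > 1 else ""))
            continue
        m = PAM_LINE.match(line)
        if m:
            entries.append((m.group(1).lower(), m.group(2), m.group(3)))
    return entries


def check_two_factor_config(sshd_text: str, pam_text: str) -> List[str]:
    """Return the problems found; an empty list means the second factor will actually be asked for."""
    problems: List[str] = []
    conf = parse_sshd_config(sshd_text)
    if conf.get("usepam") != "yes":
        problems.append("sshd_config: UsePAM must be yes, otherwise PAM (and the module) is never consulted")
    if not any(conf.get(k) == "yes" for k in CHALLENGE_KEYS):
        problems.append("sshd_config: ChallengeResponseAuthentication (or KbdInteractiveAuthentication) must be yes")

    auth = [(i, mod) for i, (typ, _, mod) in enumerate(parse_pam(pam_text)) if typ == "auth"]
    ga = [i for i, mod in auth if mod.endswith(GA_MODULE)]
    unix = [i for i, mod in auth if mod.endswith("pam_unix.so")]
    if not ga:
        problems.append("PAM: no active 'auth ... %s' line (missing or commented out)" % GA_MODULE)
    elif unix and ga[0] > unix[0]:
        # pam_unix's [success=1 default=ignore] control skips the next line on a correct password,
        # so a module placed after it would be bypassed; it has to come before, as the step says.
        problems.append("PAM: %s must come before the pam_unix.so auth line" % GA_MODULE)
    return problems


# Constructed sample files for the demonstration (not copied from any real host).
SAMPLE_SSHD_CONFIG = """\
#ChallengeResponseAuthentication no
ChallengeResponseAuthentication yes
UsePAM yes
# a later duplicate is ignored by sshd: the first value wins
ChallengeResponseAuthentication no
Match User backup
    PasswordAuthentication no
"""

SAMPLE_COMMON_AUTH_OK = """\
auth required pam_google_authenticator.so
auth [success=1 default=ignore] pam_unix.so nullok_secure
auth requisite pam_deny.so
auth required pam_permit.so
"""

SAMPLE_COMMON_AUTH_COMMENTED = """\
auth [success=1 default=ignore] pam_unix.so nullok_secure
# auth required pam_google_authenticator.so
auth requisite pam_deny.so
"""

SAMPLE_COMMON_AUTH_WRONG_ORDER = """\
auth [success=1 default=ignore] pam_unix.so nullok_secure
auth required pam_google_authenticator.so
auth requisite pam_deny.so
"""

if __name__ == "__main__":
    for name, pam in (("ok", SAMPLE_COMMON_AUTH_OK), ("commented", SAMPLE_COMMON_AUTH_COMMENTED),
                      ("wrong-order", SAMPLE_COMMON_AUTH_WRONG_ORDER)):
        print(name, check_two_factor_config(SAMPLE_SSHD_CONFIG, pam) or ["OK"])
```

It does not replace `sshd -t`, which validates the daemon's syntax; run that as well, and keep the existing session open as the TIP says until a fresh login has prompted for the code.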
Failed attempts
When it is configured correctly, I was prompted for further information at SSH login.
I am now prompted at login to insert a 2FA token (after inserting my YubiKey)
Turn on 2FA on other sites
Check out https://www.turnon2fa.com and the tutorials there.
I hope this guide helps someone.
Please consider using my referral code and get $25 UpCloud VM credit if you need to create a server online.
https://www.upcloud.com/register/?promo=D84793
Revision History
V1.4 June 2019: Works on Debian 9.9
V1.3 turnon2fa.com
V1.2 ssh auth bypass
V1.1 Authenticator apps
V1.0 Initial Post