August 15, 2013

Beginner

How To Install Authy And Configure Two-Factor Authentication For SSH

Tagged In: Miscellaneous, Security

Introduction


Two-factor authentication makes your VPS more secure by requiring not just a password or SSH key, but also a time-sensitive token generated by your phone.

This means that even if your password is compromised or you accidentally divulge your private key, your cloud server will remain secure.

Authy provides a straightforward platform for setting this up, which is compatible not only with popular apps like Google and Dropbox, but also your very own VPS.

It's super simple to set up, and although it is a commercial service, for personal and development use, you can have up to 1000 logins per month for free.

You'll need:

  • A DigitalOcean cloud server, ready to SSH into

  • An iOS or Android mobile device

Getting started


Set up Authy on your phone

Download the Authy app for your iOS or Android device.

Open the app, and follow the simple steps, including verifying your phone number. Your phone is now a secure token.

Set up a developer account

You'll need to register again, this time as a developer, so that you can link your VPS to your phone's Authy app.

To do this, head to the signup page here and enter your email address, country, phone number and a password - make sure you use the same mobile number as you entered before.

Signing up

Once you receive an email from Authy, click the link in it and you'll be asked to log in. Your phone will automatically have been configured as the token for accessing your account - open the "Authy" app, and you'll have your password for logging in.

Authy code on iOS

Create an API Application

Once you're into your dashboard, click "Create new application", enter a friendly name for your cloud server and click "Create".

Creating an API application

After a few seconds, you'll be taken through to your app. Hover over the padlock where it says API key, and copy the key to somewhere safe. You'll need it again in a moment.

API key

Install authy-ssh

First of all, SSH into your VPS:

ssh user@your_server_ip

Download the installer, then run it, installing the executables in /usr/local/bin:

curl -fL "https://raw.github.com/authy/authy-ssh/master/authy-ssh" -o authy-ssh-installer

sudo bash authy-ssh-installer install /usr/local/bin

At the prompt, enter the API key you received earlier from the Authy website. You'll be asked to choose what to do if Authy is down - I'd recommend option 1, in case the service were to shut down suddenly.

Configure Two-Factor Authentication for Your User

Simply run the following command, replacing:

  • $(whoami) with another username if you'd like to configure for a user other than the one you're logged in as

  • email and number with the email and mobile number on your Authy account

  • country with the country code from your phone number (for instance "+44" for the UK, or "+1" for the US and Canada)

sudo /usr/local/bin/authy-ssh enable $(whoami) email country number

It'll ask you to confirm. Hit "y", and then everything is ready to go.

Try It Out

Restart your SSH server so the changes take effect.

Ubuntu: sudo service ssh restart
Debian: sudo /etc/init.d/ssh restart
CentOS: sudo service sshd restart

Try to SSH back in, and you'll be asked for your Authy Token. Open the app, switch to the "Authy" and enter the code. You are now logged in.
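To confirm that the token check really is in force after the restart, the following added example (not part of the original tutorial or of the authy-ssh project) inspects an sshd_config file. It assumes the installer enforces the token through a ForceCommand line that runs "authy-ssh login"; the function name authy_enforced is hypothetical, and the sample config is constructed.

```shell
#!/usr/bin/env bash
# Added example. Assumption: authy-ssh enforces the token with a global line like
#   ForceCommand /usr/local/bin/authy-ssh login
# sshd uses the first value it finds for a keyword, and a Match block can
# replace ForceCommand for the connections it matches.

# authy_enforced FILE  (hypothetical helper) prints one of:
#   enforced  first global ForceCommand is authy-ssh and no Match block swaps it
#   partial   some logins skip the token (Match block override, or Match-only)
#   shadowed  a different global ForceCommand comes first
#   missing   no active ForceCommand mentions authy-ssh
authy_enforced() {
  awk '
    /^[ \t]*#/ || NF == 0 { next }          # skip comments and blank lines
    { key = tolower($1) }                   # sshd keywords are case-insensitive
    key == "match" { in_match = 1; next }   # everything below is conditional
    key == "forcecommand" {
      authy = ($0 ~ /authy-ssh[ \t]+login/)
      if (authy) any = 1
      if (in_match) { if (!authy) bypass = 1 }
      else if (!seen) { seen = 1; first_is_authy = authy }
    }
    END {
      if (first_is_authy && !bypass)                print "enforced"
      else if (first_is_authy || (any && !seen))    print "partial"
      else if (any)                                 print "shadowed"
      else                                          print "missing"
    }' "$1"
}

# Constructed sample (not from a real server): an earlier ForceCommand wins.
sample=$(mktemp)
printf '%s\n' 'PermitRootLogin no' 'ForceCommand internal-sftp' \
  'ForceCommand /usr/local/bin/authy-ssh login' > "$sample"
authy_enforced "$sample"    # prints: shadowed
rm -f "$sample"
```

On the server itself, `sudo sshd -T | grep -i forcecommand` shows the value sshd will apply to a default connection, and `sudo sshd -t` checks the file for syntax errors before a restart.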

Changed Your Mind?


It's imperative that you're careful when uninstalling authy-ssh, or you could lose access to your VPS. It'll take just two commands:

Run the installer script from before, but in uninstall mode:

chmod +x authy-ssh-installer
sudo ./authy-ssh-installer uninstall

Restart your SSH server, as above:

Ubuntu: sudo service ssh restart
Debian: sudo /etc/init.d/ssh restart
CentOS: sudo service sshd restart


7 Comments

  • Frank Li about 1 month

    need a solution for the hang when try to use "SCP"

  • Kamal Nasser about 1 month

    @Frank: What do you mean? Can you provide more details?

  • Dimitri about 1 month

    @Kamal: the question might be (at least it's mine): can installing Authy become a problem when you then have to use SSH access for SFTP, Rsync, you-name-it?

  • Dimitri about 1 month

    Apparently, the answer is no as far as SFTP is concerned; whilst able to connect through Transmit (SSH with key) prior to enabling Authy, connection fails after enabling it. Is there a workaround?

  • Kamal Nasser about 1 month

    @Dmitri: It should work as far as I know. Most clients support interactive passwords. Try using another client such as FileZilla, does it work?

  • Dimitri about 1 month

    @Kamal: Seems that Transmit doesn't support interactive login. FileZilla does, I'll give it a try. Thanks ;) @Franck Li: A solution might stand here: https://github.com/authy/authy-ssh#scp-mosh-and-git-push-with-two-factor-authentication

  • rolandjitsu 12 days

    I followed all the steps, I actually tried https://github.com/authy/authy-ssh, but I can still login without the token, it does not require it at all.
