Aug 15, 2013
HeartedHeart
1
11

How To Install Authy And Configure Two-Factor Authentication For SSH

Introduction


Using two-factor authentication, makes your VPS more secure by not just requiring a password or SSH key, but also a time-sensitive token generated by your phone.

This means that even if your password is compromised or you accidentally divulge your private key, your cloud server will remain secure.

Authy provides a straightforward platform for setting this up, which is compatible not only with popular apps like Google and Dropbox, but also your very own VPS.

It's super simple to set up, and although it is a commercial service, for personal and development use, you can have up to 1000 logins per month for free.

You'll need:

  • A DigitalOcean cloud server, ready to SSH into

  • An iOS or Android mobile device

Getting started


Set up Authy on your phone

Download the Authy app for your iOS or Android device.

Open the app, and follow the simple steps, including verifying your phone number. Your phone is now a secure token.

Set up a developer account

You'll need to register again, this time as a developer, so that you can link your VPS to your phone's Authy app.

To do this, head to the signup page here and enter your email address, country, phone number and a password - make sure you use the same mobile number as you entered before.

Signing up

Once you receive an email from Authy, click the link in it and you'll be asked to log in. Your phone will automatically have been configured as the token for accessing your account - open the "Authy" app, and you'll have your password for logging in.

Authy code on iOS

Create an API Application

Once you're into your dashboard, click "Create new application", enter a friendly name for your cloud server and click "Create".

Creating an API application

After a few seconds, you'll be taken through to your app. Hover over the padlock where it says API key, and copy the key to somewhere safe. You'll need it again in a moment.

API key

Install authy-ssh

First of all, SSH into your VPS:

ssh root@your.hostname.tld

Download the installer, then run it, installing the executables in /usr/local/bin:

curl "https://raw.github.com/authy/authy-ssh/master/authy-ssh" -o authy-ssh-installer

sudo bash authy-ssh-installer install /usr/local/bin

At the prompt, enter the API key you received earlier from the Authy website. You'll be asked to choose what to do if Authy is down - I'd recommend option 1, in case the service were to shut down suddenly.

Configure Two-Factor Authentication for Your User

Simply run the following command, replacing:

  • "whoami" with another username if you'd like to configure for a user other than the one you're logged in as email and number with the email and mobile number on your Authy account
  • country with the country code from your phone number (for instance "+44" for the UK, or "+1" for the US and Canada)
sudo /usr/local/bin/authy-ssh enable <whoami> email country number

It'll ask you confirm. Hit "y", and then everything is ready to go.

Try It Out

Restart your SSH server so the changes take effect.

Ubuntu: sudo service ssh restart
Debian: sudo /etc/init.d/sshd restart
CentOS: sudo service sshd restart

Try to SSH back in, and you'll be asked for your Authy Token. Open the app, switch to the "Authy" and enter the code. You are now logged in.

Changed Your Mind?


It's imperative that you're careful when uninstalling authy-ssh, or you could lose access to your VPS. It'll take just two commands:

Run the installer script from before, but in uninstall mode:

chmod +x authy-ssh-installer
./authy-ssh-installer uninstall

Restart your SSH server, as above:

Ubuntu: sudo service ssh restart
Debian: sudo /etc/init.d/sshd restart
CentOS: sudo service sshd restart

Tags: Security Distribution: Ubuntu