Tutorial

How To Protect SSH With Two-Factor Authentication

Published on April 29, 2013
Default avatar

By Tim Kornhuber

How To Protect SSH With Two-Factor Authentication

Status: Deprecated

This article is deprecated and no longer maintained.

Reason

This article duplicates more recent, accurate content.

See Instead

This article may still be useful as a reference, but may not work or follow best practices.

Please see How To Set Up Multi-Factor Authentication for SSH on Ubuntu 16.04 instead.

Introduction

To protect your SSH server with an two-factor authentication, you can use the Google Authenticator PAM module.

Every time you connect you have to enter the code from your smartphone.

Attention: If you activate the google-authenticator for a normal user but not for root you can’t login with the root user directly anymore. You will need to login as the new user first, then switch to the super user with the su command to get root.

Before you do anything on your VPS, install the Google Authenticator application, it is available for Android, iOS and BlackBerry. Install the App using the market or use your mobile browser to go to m.google.com/authenticator. After this connect to your VPS and switch to the root user.

Step One - Install Dependencies

sudo apt-get install libpam-google-authenticator

libqrencode3 will be installed automatically and will allow you to use the camera of your phone to scan the qr-code directly from the console.

Step Two - Edit the Configuration Files

To use the module you have to edit two configuration files.

nano /etc/pam.d/sshd

Add the following line on top of the file:

auth required pam_google_authenticator.so

One more file to edit:

nano /etc/ssh/sshd_config

Find and change the following line:

ChallengeResponseAuthentication yes

Step Three - Activate the Two-Factor Authentication For a User

You can activate the google-authenticator for the root user or any other user. Switch to the user who should use the two-factor authentication and type in:

google-authenticator

You will be prompted to answer a few questions; answer the first two questions with yes (y):

Do you want authentication tokens to be time-based (y/n) y
Do you want me to update your "/home/USERNAME/.google_authenticator" file (y/n) y

You can answer the next questions according to your needs.

You can use the Google Authenticator app to scan the qr-code, or add the account using the secret key and the verification code. Do not forget to print out the emergency scratch codes and store them in a safe place!

Now switch back to root and restart the SSH server. If you added the two-factor authentication for the root user you can skip the next step.

su root 

Finally restart the SSH server.

/etc/init.d/ssh restart

That’s it! You should now have a SSH server with an two-factor authentication!

Thanks for learning with the DigitalOcean Community. Check out our offerings for compute, storage, networking, and managed databases.

Learn more about us


About the authors
Default avatar
Tim Kornhuber

author

Still looking for an answer?

Ask a questionSearch for more help

Was this helpful?
 
10 Comments


This textbox defaults to using Markdown to format your answer.

You can type !ref in this text area to quickly search our full set of tutorials, documentation & marketplace offerings and insert the link!

It should be noted that when doing something like this, you should always keep the terminal/SSH client in which you originally executed these commands open, until you successfully authenticate (on a NEW terminal) with the new method. That way you’re still “in” if the new setup fails.

I had the issue with the access denied messages. I found I had to run

```instead of the **sudo /etc/init.d/ssh restart** command.


Also, if 
```auth required pam_google_authenticator.so
```is at the top of **/etc/pam.d/sshd** then you type in the Google Authenticator code BEFORE the password.  If
```auth required pam_google_authenticator.so
```is at the bottom of **/etc/pam.d/sshd** then you type in the Google Authenticator code AFTER the password.  I think I prefer the latter!

Having followed the above instructions I could not open new ssh sessions on my ubuntu 14.04 server; the normal password request was shown but no chance to give a token, and the login failed with the correct address.

However, as per http://ubuntuhandbook.org/index.php/2013/08/install-setup-google-authenticator-in-ubuntu-13-04-12-04/ I moved the

auth required pam_google_authenticator.so

line to the end of /etc/pam.d/sshd and it works.

Well this does… nothing. I can just login like before…

This comment has been deleted

    Hi.

    I am wondering if anybody can help me out.

    1. I’d like to generate the QR code on a web page, instead of through CLI (you’d have to consider the width/height of your SSH windows beforehand), how can I do this?

    2. when I did a two-factor authentication with GMail, Microsoft or LogMeIn, the code generated would show the company name above and my email address below the six digit code…how can I do this?

    Sorry, I know this is not a support forum, but I’ve been wrecking my brain about these two obstacles.

    Any pointer is greatly appreciated!

    Ok, it works but with some notes.

    1. As mentioned in comments, you should add the line ‘auth required pam_google_authenticator.so’ to the END of /etc/pam.d/sshd.
    2. If you use SFTP, for example in Filezilla you have to change the Auth method to ‘Interactive’.

    If you want to use Google Auth + SSH Keys, see this link: https://wiki.archlinux.org/index.php/SSH_keys#Two-factor_authentication_and_public_keys

    Short version: Add ‘AuthenticationMethods publickey,keyboard-interactive:pam’ right after ‘ChallengeResponseAuthentication yes’ in /etc/ssh/sshd_config

    I’m now unable to sign in to users wich does’t have the google authenticator enabled.

    Any solutions?

    Hi,

    In case of emergency, how to disable the Two factor Authentication?

    Try DigitalOcean for free

    Click below to sign up and get $200 of credit to try our products over 60 days!

    Sign up

    Join the Tech Talk
    Success! Thank you! Please check your email for further details.

    Please complete your information!

    Get our biweekly newsletter

    Sign up for Infrastructure as a Newsletter.

    Hollie's Hub for Good

    Working on improving health and education, reducing inequality, and spurring economic growth? We'd like to help.

    Become a contributor

    Get paid to write technical tutorials and select a tech-focused charity to receive a matching donation.

    Welcome to the developer cloud

    DigitalOcean makes it simple to launch in the cloud and scale up as you grow — whether you're running one virtual machine or ten thousand.

    Learn more
    DigitalOcean Cloud Control Panel