How To Protect SSH With Two-Factor Authentication

All I did was password my SSH keys, disable non-key signing in and change the port to… Something.

I’ve followed the above steps but when I try to SSH now I am only asked for my password and not for my token. Entering my password gives me access denied and entering my PIN gives me access denied.

Any ideas on how to access my server now? Thanks

Same issue of @cheggers

This tutorial has been updated to use apt-get which should resolves issues with the installation. I would recommend returning the SSH config to the default one by logging in through the HTML5 console.

My issue was done to an error with my /etc/ssh/sshd_config. As suggested by Etel I logged in using the web console made the change and after a /etc/init.d/ssh restart It now works perfectly.

Working great…Thanks for the useful info…Digital ocean rocks…

How does this work on FreeBSD?

How to setup individual 2 factor authentication for each user on the server?

@abishek: Simply follow Step 3 for each user that you want to set up 2FA for.

some how this locked me right out my server:

Access denied Using keyboard-interactive authentication.

@scene4life21: Did you follow Step Two? If so, try rebooting your droplet, does that work?

Well this completely locked me out of my server through ssh… Permission denied, please try again. for both accounts on my server…

Any suggestions?

It should be noted that when doing something like this, you should always keep the terminal/SSH client in which you originally executed these commands open, until you successfully authenticate (on a NEW terminal) with the new method. That way you’re still “in” if the new setup fails.

Hello. I just opened a ticket about this but the staff’s answer was a copy paste from a manual and had nothing to do with my question (report). I did what’s explained here and everything worked great. I can access through putty and I’m correctly asked for the token. Great. Now if I use the “Console Access” button from the control panel, I can ssh into the droplet without being asked for the token. I’m only asked for the username and password. Could someone explain me why? The expected behavior should by as when logging in with putty (username, token, password), not just username and password.

Thanks!

@patricio: That’s because the web console connects directly to your droplet through the hypervisor to one of the ttys, think of it as a keyboard, mouse, and monitor hooked up to your droplet. It doesn’t rely on SSH therefore it doesn’t know of the 2FA setup you have.

Thanks Kamal for your answer. I see you read what I asked and gave me a proper answer. (Please review ticket #208265 an take a look at the answers I received) I’m not an expert or anything like it, so I can’t argue if this is the correct behavior. I hope it’s right. Thank again.

On my Max OSX system, it doesn’t seem to ask me for my SSH key passphrase anymore. I am thinking I might have accidentally let Mac keep the passphrase in it’s “keychain” - although when I open that, I don’t see anything recognizable as the ssh credentials for my droplet.

How can I find out where the passphrase is being stored?

I followed this tutorial exactly to enable 2FA on a user with root privileges (not “root”, though). I login using an SSH key and after enabling 2FA for the account and rebooting my entire server, it never prompts for the 2FA code. It just logs me in as normal using the SSH key. Thoughts?

Thanks.

Oh, never mind, it seems this only prompts for the 2FA code when logging in using the password (i.e., SFTP). When logging in via SSH using an SSH key, I am not prompted for my 2FA code.

Having followed the above instructions I could not open new ssh sessions on my ubuntu 14.04 server; the normal password request was shown but no chance to give a token, and the login failed with the correct address.

However, as per http://ubuntuhandbook.org/index.php/2013/08/install-setup-google-authenticator-in-ubuntu-13-04-12-04/ I moved the

auth required pam_google_authenticator.so

line to the end of /etc/pam.d/sshd and it works.

does 2fa will work for key based login? it doesn’t seem to ask password for that

@avinashsajjan: Try adding RequiredAuthentications2 publickey,keyboard-interactive to /etc/ssh/sshd_config and restarting the ssh server:

sudo service ssh restart

Make sure you keep an SSH window open so you can revert the changes in case you aren’t be able to log in.

Hi, I have a Ubuntu 14.04 x64 server and I followed all your steps. Since I have only one user on my server (I have disabled root login) and I already do an SSH login with that username, I ran the google-authenticator command logged in as user lupocatttivo@octane (lupocatttivo = username, octane = machine name): lupocatttivo@octane:~$ google-authenticator

The only change I made is to the command: /etc/init.d/ssh restart I used sudo service ssh restart instead as the above command did nothing (with or without “sudo” in front of it).

The procedure seemed to run smoothly, including the qr code generation etc. Then I rebooted the server and when asked to login I entered the username “lupocatttivo” and it logged in as usual without asking me any other code or pasword:

login as: lupocatttivo
Authenticating with public key "my-home-pc"
Welcome to Ubuntu 14.04.1 LTS (GNU/Linux 3.15.4-x86_64-linode45 x86_64)

 * Documentation:  https://help.ubuntu.com/

Last login: Thu Aug 14 02:20:31 2014

What am I doing wrong? Any help would be appreciated.

Thanks in advance

@badwolfff: google-authenticator only works for password login by default. Take a look at my comment above – I haven’t tried it myself but as long as you keep an ssh session running while you’re testing it, you should be able to revert the changes if you lock yourself out.

Awesome post. Implemented two step authentication in 5 mins :D DigitalOcean rocks!

How is it possible to set this up and still use SFTP? Apps like Transmit won’t give you a popup to enter the two-factor authentication code

Seriously, Digital Ocean. Any time I look for how to do something with servers in general, you show up. Phenomenal community support, absolutely outstanding.

Hello, I am using Ubuntu 12.04

When i tried following these instructions, I made SSH unreachable. I had to comment out the changes to the 2 configs and restart SSH.

I made a post on askubuntu.com http://askubuntu.com/questions/531013/installing-google-2-step-authentication-causes-ssh-to-not-connect

Any ideas?

Was having trouble with this until I moved the auth required pam_google_authenticator.so line to the end of /etc/pam.d/sshd

Even after restarting ssh it wasn’t working for me until I gave up and power cycled the machine. Now it works, not sure why.

After enabling this option I am unable to SFTP directly to my server, I have set up FTP which obviously still works fine but how do I use SFTP or possibly FTP with two factor authentication?

Does it allow FIDO Security keys for auth? or must the verification come from the google auth app?

Good Day. My droplet is Ubuntu 14.04. I have followed all the steps, but after entering the verification code from google, I am then asked for my SSH password and keep getting “Permission denied, please try again”.

I had the issue with the access denied messages. I found I had to run

```instead of the **sudo /etc/init.d/ssh restart** command.


Also, if 
```auth required pam_google_authenticator.so
```is at the top of **/etc/pam.d/sshd** then you type in the Google Authenticator code BEFORE the password.  If
```auth required pam_google_authenticator.so
```is at the bottom of **/etc/pam.d/sshd** then you type in the Google Authenticator code AFTER the password.  I think I prefer the latter!

Hi,

In case of emergency, how to disable the Two factor Authentication?

I’m now unable to sign in to users wich does’t have the google authenticator enabled.

Any solutions?

If you want to use Google Auth + SSH Keys, see this link: https://wiki.archlinux.org/index.php/SSH_keys#Two-factor_authentication_and_public_keys

Short version: Add ‘AuthenticationMethods publickey,keyboard-interactive:pam’ right after ‘ChallengeResponseAuthentication yes’ in /etc/ssh/sshd_config

Ok, it works but with some notes.

1. As mentioned in comments, you should add the line ‘auth required pam_google_authenticator.so’ to the END of /etc/pam.d/sshd.
2. If you use SFTP, for example in Filezilla you have to change the Auth method to ‘Interactive’.

Hi.

I am wondering if anybody can help me out.

1. I’d like to generate the QR code on a web page, instead of through CLI (you’d have to consider the width/height of your SSH windows beforehand), how can I do this?

2. when I did a two-factor authentication with GMail, Microsoft or LogMeIn, the code generated would show the company name above and my email address below the six digit code…how can I do this?

Sorry, I know this is not a support forum, but I’ve been wrecking my brain about these two obstacles.

Any pointer is greatly appreciated!

Well this does… nothing. I can just login like before…