Secure SSH with Google Authenticator Two-Factor Authentication

Enhancing SSH Security with Two-Factor Authentication
Are you looking to bolster the security of your SSH server with a straightforward two-factor authentication method? Google provides the tools needed to integrate Google Authenticator's time-based one-time password (TOTP) system directly into your SSH server.
With this integration, every connection requires you to enter a code generated on your smartphone in addition to your password.
How Google Authenticator Works
It's important to understand that Google Authenticator does not transmit any data back to Google. All processing is performed locally on your SSH server and on your mobile device.
Furthermore, the Google Authenticator application is entirely open-source. This allows for complete transparency, enabling anyone to review and audit its underlying code.
Benefits of Using Google Authenticator for SSH
- Increased Security: Adds an extra layer of protection beyond passwords.
- Privacy Focused: Operates without relying on a central server or data transmission to Google.
- Transparency: The open-source nature allows for independent verification of its security.
By implementing Google Authenticator, you significantly reduce the risk of unauthorized access to your SSH server.
Setting Up Google Authenticator
Implementing two-factor authentication using Google Authenticator requires the Google Authenticator PAM module, which is an open-source tool. PAM, or “pluggable authentication module,” provides a flexible method for integrating various authentication methods into a Linux environment.
The Google Authenticator PAM module is conveniently available as a package within Ubuntu’s software repositories. Should your Linux distribution lack a dedicated package, manual download and compilation from the Google Authenticator downloads page on Google Code will be necessary.
Installation on Ubuntu is achieved with this command:
sudo apt-get install libpam-google-authenticator
This command installs the PAM module on your system, but further configuration is needed before it is used for SSH logins.

Generating an Authentication Key
To begin, log in to the system as the user account that will be accessed remotely. Then, execute the google-authenticator command to generate a unique secret key specifically for that user.
Confirm the update to your Google Authenticator configuration file by entering 'y' when prompted. The system will then ask a series of questions designed to refine the security parameters.

These questions allow you to limit the reuse of temporary security tokens, extend the validity window for tokens, and restrict the number of login attempts. Consider these options carefully, as they represent a balance between security and usability.
The Google Authenticator tool will display a secret key alongside a set of “emergency scratch codes.” It is crucial to record these scratch codes in a secure location. Each code is single-use and serves as a recovery mechanism if your phone is lost or inaccessible.

Enter the secret key into the Google Authenticator application on your smartphone. Applications are available for Android, iOS, and Blackberry platforms. Alternatively, use the app's scan barcode feature:
open the URL printed in the command output and scan the QR code with your phone's camera, which saves typing the key by hand.

A constantly updating verification code will now be displayed within the Google Authenticator app on your phone.
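The verification code shown in the app is computed from the shared secret and the current time, and the PAM module recomputes it locally; nothing is sent to Google. The following is an added example (not code from the page or from the Google Authenticator project) that implements the RFC 6238 TOTP computation and a small verifier with the two checks the setup questions above describe: a validity window and single use of each code. The secret format, window size and reuse policy are assumptions modelled on the google-authenticator tool's defaults, not taken from its source.

```python
import base64
import hashlib
import hmac
import struct

STEP = 30    # seconds per time step, as used by Google Authenticator
DIGITS = 6   # six-digit codes


def hotp(secret_b32, counter):
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte counter, dynamically truncated."""
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)
    key = base64.b32decode(padded)
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return "%0*d" % (DIGITS, code % 10 ** DIGITS)


def totp(secret_b32, now):
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    return hotp(secret_b32, now // STEP)


class Verifier:
    """Server-side check mirroring the PAM module's window and reuse options.

    window_steps=1 accepts the current step plus one either side (assumed
    default); each accepted counter is remembered so a code cannot be replayed
    (the "disallow reuse" choice in the setup questions).
    """

    def __init__(self, secret_b32, window_steps=1):
        self.secret = secret_b32
        self.window = window_steps
        self.used = set()   # counters whose code has already been accepted

    def verify(self, code, now):
        base = now // STEP
        for counter in range(base - self.window, base + self.window + 1):
            if counter in self.used:
                continue
            # constant-time comparison avoids leaking digit-by-digit mismatches
            if hmac.compare_digest(hotp(self.secret, counter), code):
                self.used.add(counter)
                return True
        return False
```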

Should remote access be required for multiple user accounts, repeat this process for each individual user. Each user will receive a distinct secret key and corresponding verification codes.
Enabling Google Authenticator for SSH Access
The next step is to require Google Authenticator for SSH logins. Begin by opening the /etc/pam.d/sshd file on your server.
You can use a text editor such as nano with root privileges, for example with the command sudo nano /etc/pam.d/sshd. Add the following line to this file:
auth required pam_google_authenticator.so
Configuring SSH Daemon
Following this, the /etc/ssh/sshd_config file needs modification. Locate the line designated as ChallengeResponseAuthentication.
Alter its value to read:
ChallengeResponseAuthentication yes
If this line is absent from the configuration file, append it.
To implement these changes, a restart of the SSH service is necessary. This can be achieved with the following command:
sudo service ssh restart
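The two file edits above are easy to get wrong by hand (a second active ChallengeResponseAuthentication line, or the PAM line added twice). As an added example, not code from the page or the project, the script below applies both edits idempotently: it appends the PAM line only if it is not already active, and makes the wanted value the single active sshd_config setting, replacing any commented-out copy in place. File paths are the ones given on this page; the helper names are this example's own, and Match blocks in sshd_config are not handled.

```python
import re
from pathlib import Path

PAM_LINE = "auth required pam_google_authenticator.so"


def add_pam_line(text):
    """Append the module line to the contents of /etc/pam.d/sshd once.

    Appending keeps it after the existing password checks, so the password
    is still verified before the one-time code is asked for.
    """
    lines = text.splitlines()
    for line in lines:
        if not line.lstrip().startswith("#") and line.split() == PAM_LINE.split():
            return text, False              # already enabled, nothing to do
    lines.append(PAM_LINE)
    return "\n".join(lines) + "\n", True


def set_sshd_directive(text, key, value):
    """Make `key value` the single active setting in sshd_config contents."""
    pattern = re.compile(r"^\s*(#\s*)?" + re.escape(key) + r"\s+(\S+)\s*$", re.I)
    lines = text.splitlines()
    matches = [pattern.match(line) for line in lines]
    active = [m for m in matches if m and not m.group(1)]
    if active and active[0].group(2).lower() == value.lower():
        return text, False                  # sshd already honours the wanted value
    out, placed = [], False
    for line, m in zip(lines, matches):
        if m is None or (placed and m.group(1)):
            out.append(line)                # unrelated line or a later commented copy
        elif not placed:
            out.append("%s %s" % (key, value))   # first match (even commented) becomes the setting
            placed = True
        # any further active copy is dropped so only one active line remains
    if not placed:
        out.append("%s %s" % (key, value))
    return "\n".join(out) + "\n", True


def apply(path, transform, *args):
    """Read a file, apply a transform, write it back; return whether it changed."""
    p = Path(path)
    new_text, changed = transform(p.read_text(), *args)
    if changed:
        p.write_text(new_text)
    return changed


if __name__ == "__main__":   # run as root after installing libpam-google-authenticator
    apply("/etc/pam.d/sshd", add_pam_line)
    apply("/etc/ssh/sshd_config", set_sshd_directive, "ChallengeResponseAuthentication", "yes")
```

Run sudo sshd -t to syntax-check the result before restarting the service, and keep an existing SSH session open until a fresh login with the one-time code has succeeded.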

After the restart, any subsequent SSH login attempts will require both your standard password and a valid code generated by your Google Authenticator application. This dual-factor authentication provides a robust layer of protection.

Stronger security is now in place for your server access.