Detailed Guide on how to Set Up SSH 2FA on Ubuntu Server 22.04

Once you open a Linux server up for SSH login, the chance that someone breaks in and does damage is high.

You can reduce that risk by enabling two-factor authentication on the server. Once this is enabled, only those with correctly generated 2FA codes (alongside their regular credentials) will be granted access.

Let me walk you through how to set up SSH 2FA on your Ubuntu Server.

Requirements

To make this work, you'll need:

  • A running instance of Ubuntu Server 22.04, and
  • A user with sudo privileges.

How to add the important software

First, install a single package: Google Authenticator. It is a command-line tool that lets you add 2FA to your server.

Log into your Ubuntu instance and run the command:

sudo apt-get install libpam-google-authenticator -y

To generate a secret key, you then need to run the following command:

google-authenticator

You'll be asked whether you want authentication tokens to be time-based, which you do. Type y and press Enter on your keyboard. After that, you'll be given a QR code that can be scanned by your 2FA application.

The downside is that you may not be able to view the whole code if you're logged in directly at the terminal of the physical machine in question.

Logging in via SSH is the better choice, because you can then resize the terminal to see the whole QR code (Fig. I).

Fig. I: A blurred-out QR code generated by the google-authenticator app.

Scan the QR code with your 2FA app (like Authy), or enter the secret key if the app cannot scan the code, and press Enter. You'll then be asked to type the code from the app so the account can be verified. As soon as it has been verified, you will see the emergency codes for 2FA. Copy them and save them somewhere secure, such as a password manager, and then, when prompted to update the ~/.google_authenticator file, type y.

After that, you'll be asked whether to disallow multiple uses of the same authentication token. Type y to accept, as this can help block man-in-the-middle attacks. When prompted, type y for the final question to permit up to a 30-second time skew between the authentication server and client.

When prompted, also type y to enable rate-limiting, which restricts attackers to at most three login attempts every 30 seconds.

How to configure the SSH daemon for 2FA

Now that 2FA is installed and configured, we also have to configure the SSH daemon to use it. Open the SSH daemon configuration file with:

sudo nano /etc/ssh/sshd_config

To start with, find the following line and make sure it is set to yes:

UsePAM yes

Secondly, find the following line and change ‘no’ to ‘yes’:

KbdInteractiveAuthentication no

Save and close the file.

Next, open the PAM configuration file with:

sudo nano /etc/pam.d/sshd

Add the following line below the line @include common-auth:

auth   required   pam_google_authenticator.so

Save and close the file.

Restart the SSH daemon with:

sudo systemctl restart sshd

Open a new terminal window and try logging into the remote machine. You'll first be prompted for your user password, and then for the 2FA code. Once you type the 2FA code correctly, you should have access to the server.

How to enable 2FA with SSH Key Authentication

There is an additional step to take if you use SSH Key Authentication.

Open the SSH daemon config file on the server with:

sudo nano /etc/ssh/sshd_config

Add the following line at the bottom of that file:

AuthenticationMethods publickey,keyboard-interactive

Save and close the file.

Restart SSH with:

sudo systemctl restart sshd

After you’ve confirmed SSH Key Authentication works, you can disable password authentication by opening the SSH configuration with:

sudo nano /etc/ssh/sshd_config

Find the following line:

PasswordAuthentication yes

Change it to:

PasswordAuthentication no

Restart SSH with:

sudo systemctl restart sshd

You have now successfully configured Ubuntu Server 22.04 for a much safer SSH login process.

As you do this, make sure you test from a second terminal window, so you stay logged into the original session and can reset the configuration should anything fail.
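
The settings changed in the sections above can be checked in one pass while your original session is still open. The script below is an added example, not part of the original guide; its function names (sshd_value, pam_has_2fa, check_ssh_2fa, make_sample) and the sample files it writes are this example's own. It reads a single file and ignores Include and Match, so on a live server the output of sudo sshd -T remains the authority on the effective configuration.

```shell
#!/bin/sh
# Added example: check sshd_config and /etc/pam.d/sshd (or copies of them).
# Print a keyword's value as sshd reads one file: keywords are case-insensitive
# and the first value wins. Assumes "Keyword value" syntax, does not follow
# Include files, and stops at the first Match block.
sshd_value() {  # $1=file $2=keyword
    awk -v k="$2" 'BEGIN { k = tolower(k) }
        tolower($1) == "match" { exit }
        tolower($1) == k { $1 = ""; sub(/^[ \t]+/, ""); print tolower($0); exit }' "$1"
}

# Succeed if an uncommented "auth required pam_google_authenticator.so" line
# comes after "@include common-auth", where the guide places it.
pam_has_2fa() {  # $1=PAM file
    awk '$1 == "@include" && $2 == "common-auth" { seen = 1 }
         seen && $1 == "auth" && $2 == "required" && $3 == "pam_google_authenticator.so" { ok = 1 }
         END { exit !ok }' "$1"
}

expect() {  # $1=file $2=keyword $3=wanted value
    got=$(sshd_value "$1" "$2")
    if [ "$got" = "$3" ]; then echo "ok   $2 $got"; return 0; fi
    echo "FAIL $2 is '${got:-unset}', expected '$3'"; return 1
}

# $1=sshd_config $2=PAM file $3="keys" to also check the SSH-key settings.
check_ssh_2fa() {
    rc=0
    expect "$1" UsePAM yes || rc=1
    expect "$1" KbdInteractiveAuthentication yes || rc=1
    if pam_has_2fa "$2"; then echo "ok   PAM requires pam_google_authenticator.so"
    else echo "FAIL PAM file lacks the pam_google_authenticator.so line"; rc=1; fi
    if [ "${3:-}" = keys ]; then
        expect "$1" AuthenticationMethods publickey,keyboard-interactive || rc=1
        expect "$1" PasswordAuthentication no || rc=1
    fi
    return $rc
}

make_sample() {  # $1=directory; writes constructed files in the finished state
    printf '%s\n' 'Include /etc/ssh/sshd_config.d/*.conf' 'UsePAM yes' \
        'KbdInteractiveAuthentication yes' 'PasswordAuthentication no' \
        'AuthenticationMethods publickey,keyboard-interactive' > "$1/sshd_config"
    printf '%s\n' '@include common-auth' 'auth   required   pam_google_authenticator.so' > "$1/sshd"
}

# With arguments check those files, otherwise check the constructed sample.
if [ $# -ge 2 ]; then check_ssh_2fa "$@"
else d=$(mktemp -d) && make_sample "$d" && check_ssh_2fa "$d/sshd_config" "$d/sshd" keys; rm -rf "$d"; fi
```

Pass the two real file paths, plus keys if you followed the SSH Key Authentication section, to check a server instead of the sample. A FAIL on KbdInteractiveAuthentication usually means an earlier line in the file still says no, since the first value read is the one sshd uses.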
