This tutorial will show you how to set up SSH two factor authentication on Ubuntu 18.04/18.10 server using the well-known Google Authenticator. It will greatly increase the security of your OpenSSH server.

How Two Factor Authentication Works

Normally, you only need to enter a password or use SSH key to log in to your Ubuntu server remotely. Two factor authentication (2FA) requires you to enter two pieces of information in order to login. So you will also need to enter a time-based one-time password to log in to your SSH server. This one-time password is computed using the TOTP algorithm, which is an IETF standard. These days many websites and services (Facebook, Google, Twitter, etc) offer 2FA for users to secure their accounts and it’s a good idea to also enable 2FA on your SSH server.

This tutorial will show you how to set up

  • Password authentication with a one-time password
  • Public key authentication with a one-time password

Note: The open-source server software we will use in this article is called libpam-google-authenticator, which is installed from the default Ubuntu repository.  Google the company does not involve in the authentication process in any shape or form. The server software and the mobile app don’t need network access.

Step 1: Install and Configure Google Authenticator on Ubuntu 18.04, 18.10 Server

Log into your Ubuntu server and run the following command to install Google Authenticator from the default Ubuntu package repository.

sudo apt install libpam-google-authenticator

Then run the google-authenticator command to create a new secret key in your home directory.

google-authenticator

When asked “Do you want authentication tokens to be time-based?” Answer y.

Then you will see a QR code that you can scan using a TOTP app on your phone. Google Authenticator is the most well-known TOTP mobile app. Install Google Authenticator app via Google play or Apple app store on your mobile phone and scan the QR code. Note that you need to enlarge the terminal window to scan the full QR code.

The Google Authenticator mobile app isn’t open-source. If you don’t trust Google, you can use FreeOTP, an open-source TOTP mobile app developed by Red Hat.

The QR code represents the secret key, which is only known by your SSH server and your Google Authenticator app. Once the QR code is scanned, you can see a six-digit one-time password on your phone. By default it lasts for 30 seconds. You will need to enter this one-time password later in order to log in to Ubuntu server via SSH.

In the terminal window, you can see the secret key, verification code and emergency scratch code. It’s recommended that you save these information to a safe place for later use.

Then you can enter y to answer all of the remaining questions. This will update you Google Authenticator configuration file, disable multiple uses of the same authentication token, increase the time window and enable rate-limiting to protect against brute-force login attempts.

Step 2: Configure SSH Daemon to Use Google Authenticator

Open SSH server configuration file.

sudo nano /etc/ssh/sshd_config

Find the following two parameters in the file and make sure both of them are set to yes.

UsePAM yes

ChallengeResponseAuthentication yes

PAM stands for pluggable authentication module. It provides an easy way to plug different authentication method into your Linux system. To enable Google Authenticator with SSH, PAM and Challenge-Response authentication must be enabled. Save and close the file. Then restart SSH daemon for the change to take effect.

sudo systemctl restart ssh

Note: To allow the root user to use 2FA, you must first allow root to login via SSH with this configuration PermitRootLogin yes. It can not be PermitRootLogin no or PermitRootLogin prohibit-password.

By default, the challenge response authentication requires you to enter user password to login. Now edit the PAM rule file for SSH daemon.

sudo nano /etc/pam.d/sshd

At the beginning of this file, you can see the following line, which enables password authentication when ChallengeResponseAuthentication is set to yes.

@include common-auth

To also enable one-time password authentication, add the following two lines.

#One-time password authentication via Google Authenticator
auth required pam_google_authenticator.so

Save and close the file. From now on SSH daemon will require you to enter user password and a verification code (the one-time password generate by Google Authenticator).

How to Enable Public Key Authentication and One-time Password Authentication

When it comes to SSH security, it’s recommend that you use public key authentication instead of user password authentication. You can follow the tutorial below to set it up.

Once you have set up public key authentication and followed the above 2 steps, you can combine the public key authentication with one-time password authentication.

Edit the SSH daemon configuration file.

sudo nano /etc/ssh/sshd_config

In the previous step, we enabled challenge-response authentication, now we want to let SSH daemon know that the user must pass both public key authentication and challenge-response authentication. Add the following line at the end of this file.

AuthenticationMethods publickey,keyboard-interactive

Save and close the file. Restart SSH daemon for the change to take effect.

sudo systemctl restart ssh

We also need to edit the SSH PAM configuration file.

sudo nano /etc/pam.d/sshd

Comment out the following line (Add # at the beginning) to disable user password authentication.

@include common-auth

Save and close the file. From now on you need to use SSH key and Google Authenticator verification code to login.

Keep in Mind

  • Each user on your Ubuntu server needs to run google-authenticator command and scan QR code in order to use two-factor authentication. If the user didn’t set up and tries to login, the error message “Permission denied (keyboard-interactive)” will be displayed.
  • Emergency Scratch Code is your backup code. If you lose your phone, you can enter one of five emergency scratch code instead of a one-time password to complete the two-step verification. These codes are for one-time use only.
  • If you want to change the secret key, simply log into your server and run google-authenticator command again to update the ~/.google_authenticator file.
  • Since the one time password is computed using the shared secret key and the current time, so it’s a good idea to enable NTP time synchronization on your Ubuntu server.

How to Disable SSH Two Factor Authentication

Edit the SSH daemon configuration file.

sudo nano /etc/ssh/sshd_config

Find the following line.

AuthenticationMethods publickey,keyboard-interactive

Remove the keyboard-interactive authentication method.

AuthenticationMethods publickey

Save and close the file. Then restart SSH daemon.

sudo systemctl restart ssh

Wrapping Up

I hope this tutorial helped you set up SSH two factor authentication on Ubuntu server 18.04 and 18.10. As always, if you found this post useful, then subscribe to our free newsletter. You can also follow us on Google Twitter or like our Facebook page.

Rate this tutorial

[Total: 14 Average: 4.2]