Two-factor authentication (2FA) is a login process that requires two separate proofs of identity. The best-known implementations are the classic SMS or email confirmation codes sent when a new or unknown browser or device signs in.

In this scenario, even if an attacker obtains a PayPal or hosting password, they won’t be able to log in without the confirmation code sent to the victim’s phone or email.

Implementing two-factor authentication is one of the best practices for protecting email, social network accounts, hosting, and more. Our own systems are no exception.

This tutorial shows how to implement two-factor authentication to protect your SSH access using Google Authenticator or Authy-ssh. Google Authenticator verifies a login with a code from the mobile app, while Authy-ssh can be used without an app, through SMS verification.

Linux Two-factor Authentication Using Google Authenticator

Note: Please, before continuing, make sure you have Google Authenticator installed on your mobile device.

To start, execute the following command to install the Google Authenticator PAM module (Debian-based Linux distributions):

sudo apt install libpam-google-authenticator -y

[Screenshot: https://kirelos.com/wp-content/uploads/2021/06/echo/1-8.png]

To install Google Authenticator on Red Hat-based Linux distributions (CentOS, Fedora), run the following command:

sudo dnf install google-authenticator -y

Once installed, run the google-authenticator command as the user whose SSH logins you want to protect (it writes that user’s secret to their home directory), as shown in the screenshot below.

[Screenshot: https://kirelos.com/wp-content/uploads/2021/06/echo/2-8.png]

As you can see, a QR code shows up. Add the new account by tapping the + icon in the Google Authenticator mobile app and selecting Scan QR code.

Google Authenticator will also print emergency backup codes; print them or store them securely, because they are your only way in if you lose access to your mobile device.

You will be asked the questions detailed below; you can accept the default for all of them by answering Y:

  • After scanning the QR code, the setup asks for permission to write the secret file into your home directory. Press Y to continue to the next question.
  • The second question asks whether to disallow multiple logins with the same verification code, which prevents a captured code from being replayed. Press Y to continue.
  • The third question asks whether to widen the accepted time window so that codes still work when the server’s clock and your phone’s clock drift apart (time skew). Press Y to continue.
  • The last question enables rate limiting: at most 3 login attempts every 30 seconds. Press Y to continue.

[Screenshot: https://kirelos.com/wp-content/uploads/2021/06/echo/3-8.png]

Once Google Authenticator is installed, you need to edit the file /etc/pam.d/sshd to add a new authentication module. Use nano or any other editor as shown in the screenshot below to edit the file /etc/pam.d/sshd:

[Screenshot: https://kirelos.com/wp-content/uploads/2021/06/echo/4-8.png]

Add the following line to /etc/pam.d/sshd as shown in the image below:

auth required pam_google_authenticator.so nullok

[Screenshot: https://kirelos.com/wp-content/uploads/2021/06/echo/5-8.png]

Note: The Red Hat instructions mention a line containing auth substack password-auth. If you find this line in your /etc/pam.d/sshd, comment it out.

Save /etc/pam.d/sshd and edit the file /etc/ssh/sshd_config as shown in the example below:

sudo nano /etc/ssh/sshd_config

[Screenshot: https://kirelos.com/wp-content/uploads/2021/06/echo/6-5.png]

Find the line:

#ChallengeResponseAuthentication no

Uncomment it and replace no with yes:

ChallengeResponseAuthentication yes

[Screenshot: https://kirelos.com/wp-content/uploads/2021/06/echo/7-5.png]

Save the changes, exit the editor, and restart the SSH service:

sudo systemctl restart sshd.service

[Screenshot: https://kirelos.com/wp-content/uploads/2021/06/echo/8-4.png]
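The two file edits above are easy to get subtly wrong on a second pass (a duplicate directive that sshd ignores, or the PAM line appended twice), and the tutorial’s nullok option deserves attention: it lets any user who has not yet run google-authenticator log in with a password alone. The script below is an added example, not part of the original tutorial or of the google-authenticator project. It applies both edits idempotently, audits the result, and flags nullok and a disabled PAM stack. It assumes the Debian-style paths used above, a sshd_config without Match blocks, and uses constructed sample configs for its dry run; with --apply (as root) it writes the real files after saving .bak copies, after which you should run sshd -t before restarting sshd.

```python
import re
import sys
from pathlib import Path

# Paths and directive taken from the tutorial above.
SSHD_CONFIG = Path("/etc/ssh/sshd_config")
PAM_SSHD = Path("/etc/pam.d/sshd")
PAM_LINE = "auth required pam_google_authenticator.so nullok"
MODULE = "pam_google_authenticator.so"

# Constructed sample files (assumption: Debian-like defaults before the edits).
SAMPLE_SSHD = "Port 22\n#ChallengeResponseAuthentication no\nUsePAM yes\n"
SAMPLE_PAM = "#%PAM-1.0\n@include common-auth\n@include common-account\n"


def set_sshd_option(text: str, key: str, value: str) -> str:
    """Set `key value` in sshd_config text. sshd keywords are case-insensitive and
    the FIRST active occurrence wins, so every occurrence (commented or not) is
    rewritten instead of appending a line that an earlier duplicate would shadow.
    Assumes no Match blocks (the tutorial's default file)."""
    pattern = re.compile(rf"^[ \t]*#?[ \t]*{re.escape(key)}\b.*$",
                         re.IGNORECASE | re.MULTILINE)
    directive = f"{key} {value}"
    if pattern.search(text):
        return pattern.sub(lambda _m: directive, text)
    return text.rstrip("\n") + "\n" + directive + "\n"


def ensure_pam_line(text: str, line: str = PAM_LINE) -> str:
    """Append the Google Authenticator module unless an active line already loads it."""
    for raw in text.splitlines():
        stripped = raw.strip()
        if stripped and not stripped.startswith("#") and MODULE in stripped.split():
            return text
    return text.rstrip("\n") + "\n" + line + "\n"


def _active_value(text: str, key: str):
    """First active (uncommented) value of an sshd keyword, lower-cased, or None."""
    m = re.search(rf"^[ \t]*{re.escape(key)}[ \t]+(\S+)", text,
                  re.IGNORECASE | re.MULTILINE)
    return m.group(1).lower() if m else None


def audit(sshd_text: str, pam_text: str) -> list:
    """Findings a reviewer would raise against the two files; an empty list is clean."""
    findings = []
    # KbdInteractiveAuthentication is the OpenSSH 8.7+ name for the same setting.
    for key in ("ChallengeResponseAuthentication", "KbdInteractiveAuthentication"):
        if _active_value(sshd_text, key) == "no":
            findings.append(f"sshd: {key} no prevents the PAM code prompt from being shown")
    if _active_value(sshd_text, "UsePAM") == "no":
        findings.append("sshd: UsePAM no disables the PAM stack, so the module never runs")
    active = [l.strip() for l in pam_text.splitlines()
              if l.strip() and not l.strip().startswith("#")]
    loaders = [l for l in active if MODULE in l.split()]
    if not loaders:
        findings.append(f"pam: {MODULE} is not loaded in /etc/pam.d/sshd")
    elif any("nullok" in l.split() for l in loaders):
        findings.append("pam: nullok lets users with no ~/.google_authenticator file log in "
                        "with password only; remove it once every user has enrolled")
    return findings


def harden(sshd_text: str, pam_text: str):
    """Apply both edits from the tutorial and return the new file contents."""
    return (set_sshd_option(sshd_text, "ChallengeResponseAuthentication", "yes"),
            ensure_pam_line(pam_text))


def main(argv) -> int:
    apply = "--apply" in argv
    if apply:  # real files: run as root, then `sshd -t` and restart sshd
        sshd_text, pam_text = SSHD_CONFIG.read_text(), PAM_SSHD.read_text()
    else:      # dry run on the constructed samples
        sshd_text, pam_text = SAMPLE_SSHD, SAMPLE_PAM
    new_sshd, new_pam = harden(sshd_text, pam_text)
    if apply:
        SSHD_CONFIG.with_suffix(".bak").write_text(sshd_text)
        PAM_SSHD.with_suffix(".bak").write_text(pam_text)
        SSHD_CONFIG.write_text(new_sshd)
        PAM_SSHD.write_text(new_pam)
    print(new_sshd, new_pam, sep="---\n")
    findings = audit(new_sshd, new_pam)
    for finding in findings:
        print("finding:", finding)
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

Run it without arguments to see the dry run on the sample files; it exits non-zero because the tutorial’s nullok is still present, which is the intended reminder to drop that option once every account has enrolled.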

You can test the two-factor authentication by connecting to your localhost as shown below:

[Screenshot: https://kirelos.com/wp-content/uploads/2021/06/echo/9-3.png]

You can find the code in the Google Authenticator mobile app. Without this code, no one can access your device through SSH. Note: the code changes every 30 seconds, so enter it promptly.
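The 30-second code lifetime, the reuse check, the time-skew tolerance and the 3-attempts-per-30-seconds rate limit from the setup questions are all properties of TOTP (RFC 6238), which is what Google Authenticator and the PAM module implement. The code below is an added example, not from this page or from the google-authenticator project: it computes the codes and shows a simplified server-side verifier that applies those three policies. It uses the RFC 6238 test secret (the base32 encoding of the ASCII string 12345678901234567890), and the verifier class is a model of the policies, not the PAM module’s actual code; the PAM module keeps the equivalent state in ~/.google_authenticator, whereas this one keeps it in memory.

```python
import base64
import hashlib
import hmac
import struct

STEP_SECONDS = 30   # code lifetime used by google-authenticator and the mobile app
DIGITS = 6

# RFC 6238 Appendix B test secret (base32 of ASCII "12345678901234567890").
RFC_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def decode_secret(secret_b32: str) -> bytes:
    """Decode the base32 secret that google-authenticator prints (spaces tolerated)."""
    cleaned = secret_b32.replace(" ", "").upper()
    return base64.b32decode(cleaned + "=" * (-len(cleaned) % 8))


def hotp(key: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def totp(secret_b32: str, at_time: int, step: int = STEP_SECONDS, digits: int = DIGITS) -> str:
    """RFC 6238 TOTP: HOTP with counter = number of `step` periods since the Unix epoch.
    This is why the displayed code changes every 30 seconds."""
    return hotp(decode_secret(secret_b32), int(at_time) // step, digits)


class TotpVerifier:
    """Server-side check modelled on the setup questions: tolerate clock skew
    (skew_steps periods either side of now), refuse reused codes, and rate-limit
    attempts. Assumption: an in-memory model, not the PAM module's own code."""

    def __init__(self, secret_b32: str, skew_steps: int = 1,
                 max_attempts: int = 3, window: int = 30):
        self.key = decode_secret(secret_b32)
        self.skew_steps = skew_steps
        self.max_attempts, self.window = max_attempts, window
        self.attempts = []       # timestamps of recent attempts (rate limiting)
        self.last_counter = -1   # newest time step whose code was accepted (replay check)

    def verify(self, code: str, now: int) -> bool:
        # Rate limit: at most max_attempts within the last `window` seconds.
        self.attempts = [t for t in self.attempts if now - t < self.window]
        if len(self.attempts) >= self.max_attempts:
            return False
        self.attempts.append(now)
        if not (code.isascii() and code.isdigit() and len(code) == DIGITS):
            return False
        base = now // STEP_SECONDS
        for delta in range(-self.skew_steps, self.skew_steps + 1):
            counter = base + delta
            if counter <= self.last_counter:
                continue   # replay: this step (or an older one) was already used
            if hmac.compare_digest(hotp(self.key, counter), code):
                self.last_counter = counter
                return True
        return False


if __name__ == "__main__":
    import time
    print("current code for the RFC test secret:", totp(RFC_SECRET, int(time.time())))
    v = TotpVerifier(RFC_SECRET)
    code = totp(RFC_SECRET, int(time.time()))
    print("first use accepted:", v.verify(code, int(time.time())))
    print("replay accepted:", v.verify(code, int(time.time())))
```

Two design points worth noting: the skew window means a code is accepted for up to three consecutive 30-second steps, which is why the reuse check matters (without it, a shoulder-surfed code stays valid for about a minute), and the constant-time comparison avoids leaking which digits matched.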

As you can see, the 2FA process worked successfully. Below you can find the instructions for a different 2FA implementation using SMS instead of a mobile app.

Linux Two-factor Authentication Using Authy-ssh (SMS)

You can also implement the two-factor authentication using Authy (Twilio). For this example, a mobile app will not be required, and the process will be done through SMS verification.

To get started, go to https://www.twilio.com/try-twilio and fill in the registration form.

[Screenshot: https://kirelos.com/wp-content/uploads/2021/06/echo/10-2.png]

Enter and verify your phone number:

[Screenshot: https://kirelos.com/wp-content/uploads/2021/06/echo/11-1.png]

Verify the phone number using the code sent by SMS:

[Screenshot: https://kirelos.com/wp-content/uploads/2021/06/echo/12-1.png]

Once registered, go to https://www.twilio.com/console/authy and press the Get Started button:

[Screenshot: https://kirelos.com/wp-content/uploads/2021/06/echo/linux-two-factor-auth-1.jpg]

Click the Verify Phone Number button and follow the steps to confirm your number:

[Screenshot: https://kirelos.com/wp-content/uploads/2021/06/echo/13-1.png]

Verify your number:

[Screenshot: https://kirelos.com/wp-content/uploads/2021/06/echo/14-1.png]

Once verified, return to the console by clicking on Return to Console:

[Screenshot: https://kirelos.com/wp-content/uploads/2021/06/echo/15-1.png]

Select a name for the API and click on Create Application:

[Screenshot: https://kirelos.com/wp-content/uploads/2021/06/echo/16-1.png]

Fill in the requested information and press Make Request:

[Screenshot: https://kirelos.com/wp-content/uploads/2021/06/echo/17-1.png]

Select SMS Token and press Make Request:

[Screenshot: https://kirelos.com/wp-content/uploads/2021/06/echo/18-1.png]

Go to https://www.twilio.com/console/authy/applications and click on the Application you created in the previous steps:

[Screenshot: https://kirelos.com/wp-content/uploads/2021/06/echo/19-1.png]

Once selected, you will see the Settings option in the left menu. Click Settings and copy the PRODUCTION API KEY; it will be used in the following steps:

[Screenshot: https://kirelos.com/wp-content/uploads/2021/06/echo/20-1.png]

From a terminal, download authy-ssh by running the following command:

git clone https://github.com/authy/authy-ssh

Then, enter the authy-ssh directory:

cd authy-ssh

[Screenshot: https://kirelos.com/wp-content/uploads/2021/06/echo/21-1.png]

Inside the authy-ssh directory run:

sudo bash authy-ssh install /usr/local/bin

You will be asked for the PRODUCTION API KEY you copied earlier; paste it and press ENTER to continue.

When asked about the default action when api.authy.com can’t be contacted, select 1 and press ENTER. This choice decides whether SSH logins fail open (password only) or fail closed while the Authy API is unreachable, so weigh availability against security for your environment.

[Screenshot: https://kirelos.com/wp-content/uploads/2021/06/echo/22-1.png]

Note: If you pasted the wrong API key, you can edit it in the file /usr/local/bin/authy-ssh.conf as shown in the image below. Replace the content after “api_key=” with your API key:

[Screenshot: https://kirelos.com/wp-content/uploads/2021/06/echo/23-1.png]

Enable authy-ssh by running:

sudo /usr/local/bin/authy-ssh enable `whoami`

Fill in the required information and press Y:

[Screenshot: https://kirelos.com/wp-content/uploads/2021/06/echo/24-1.png]

You can test authy-ssh by running its test command, as shown below:

[Screenshot: https://kirelos.com/wp-content/uploads/2021/06/echo/25-1.png]

As you can see, 2FA is working properly. Now restart the SSH service:

sudo systemctl restart sshd.service

[Screenshot: https://kirelos.com/wp-content/uploads/2021/06/echo/26-1.png]

You can also test it by connecting through SSH to localhost:

[Screenshot: https://kirelos.com/wp-content/uploads/2021/06/echo/27-1.png]

As illustrated, 2FA worked successfully.

Authy offers additional 2FA options, including mobile app verification. You can see all available products at https://authy.com/.

Conclusion:

As you can see, 2FA can be implemented by Linux users of any skill level. Both options covered in this tutorial can be applied within minutes.

Authy-ssh is an excellent option for users without smartphones who can’t install a mobile app.

Two-step verification blocks a wide class of login-based attacks, including many social-engineering attacks, which become ineffective because the victim’s password alone is no longer enough to access the victim’s information.

Other Linux 2FA alternatives include FreeOTP (Red Hat), World Authenticator, and OTP Client, but some of these options only offer double authentication from the same device.

I hope you found this tutorial useful. Keep following Linux Hint for more Linux tips and tutorials.

About the author


Ivan Vanney

Ivan Vanney has over 2 years of experience as a writer for LinuxHint. He is a co-founder of the freelance services marketplace GIGopen.com, where he works as a sysadmin.