How to setup SSH Two Factor Authentication?

How to setup SSH Two Factor Authentication?

SSH hardening is a better way to prevent unauthorized access to your server, now a day security is a major concern for Server owners. There are so many Brute forcing attempts per minute to your server via SSH. So, securing the server is a must and good way to prevent hacking attempts via backend. There are many ways to secure SSH access to your servers, one of them is Two-Factor Authentication. Here, whenever you try to access your server, there will be an extra prompt for Google Authenticator verification code, you need to type this correctly for secure access to the server via SSH.

The Google Authenticator will give an extra layer of protection by generating TOTP (Time based One Time Passwords) on your smartphone which you need to enter while login to the server via SSH. In this tutorial, I’m discussing the steps to enable Two-Factor Authentication for SSH access. Let’s begin the steps:

Before proceeding with the process, let’s update system to the latest by running below command:

# yum -y update

 

The next step would be installing the pam-devel package on your server to set authentication policies without recompiling other packages that handle authentications.

# yum -y install pam-devel

 

Also, make sure to install NTPD service because of TOTP security tokens are time sensitive and make it run at the time of booting:

# yum -y install ntp

# service ntpd start

# chkconfig ntpd on

 

The next step would be installing Google Authenticator on the server from EPEL repository. Running below command will help you with this task:

# yum -y install google-authenticator

 

Once the Google Authenticator installed, run below command to configure this on your server and answer each question:

# google-authenticator

 

Let’s have a look at the questions while configuring Google Authenticator, note that type y for Yes and n for NO.

Do you want authentication tokens to be time-based (y/n) y

This will generate QRcode, Secret key (Save it in a safe place), Emergency scratch codes, etc.

Do you want me to update your “/root/.google_authenticator” file (y/n) y

The Yes means the above-generated codes will store to /root/.google_authenticator file.

Do you want to disallow multiple uses of the same authentication

token? This restricts you to one login about every 30s, but it increases

your chances to notice or even prevent man-in-the-middle attacks (y/n) y

Here Yes means you are preventing replay attacks by making each code will auto expire after the use.

By default, tokens are good for 30 seconds and in order to compensate for

possible time-skew between the client and the server, we allow an extra

token before and after the current time. If you experience problems with poor

time synchronization, you can increase the window from its default

size of 1:30min to about 4min. Do you want to do so (y/n) n

Here No means, limit the verification code to 3 in a 1:30 minute rolling window. The No answer is the most secure in this choice.

If the computer that you are logging into isn’t hardened against brute-force

login attempts, you can enable rate-limiting for the authentication module.

By default, this limits attackers to no more than 3 login attempts every 30s.

Do you want to enable rate-limiting (y/n) y

This means an attacker can only attempt few of guesses before getting blocked by server firewall.

 

The generated QR code on above first question needs to be scan on Google Authenticator software on your Smartphone. A new verification code will generate randomly at every 30 seconds.

 

The next steps should be enabling Google Authentication for SSH logins, for that edit PAM configuration file at “/etc/pam.d/sshd” and add the below entry and save.

auth       required     pam_google_authenticator.so

 

Once it is done, open SSHD configuration file and make the below changes:

ChallengeResponseAuthentication yes

 

Once it is done, restart the SSHD service by below command:

# service sshd restart

 

From now on, there will be an extra prompt for Verification code while login via SSH, here enter the verification code generated by the Google Authentication software on your smartphone to access server.

@sh:~$ ssh -l root xxx.xx.xx.xx

Password:

Verification code:

 

If you need any further help please do reach our support department

  • 0 Users Found This Useful
Was this answer helpful?

Related Articles

Configure and Install Varnish on CentOS/Ubuntu.

Configure and Install Varnish on CentOS/Ubuntu. In this tutorial we can check how to Configure...

About Zabbix

About Zabbix Zabbix is an open source network monitoring tool. It works with a centralized...

Apache HTTPD Web Server – Details and Installation

Apache HTTPD Web Server – Details and Installation Apache HTTPD is one of the most used web...

Configure and Install PostgreSQL on CentOS 7 and 8

Configure and Install PostgreSQL on CentOS 7 and 8 Configure and Install PostgreSQL on CentOS 7...

Create and Install Self-Signed SSL Certificate on CentOS and Ubuntu

Create and Install Self-Signed SSL Certificate on CentOS and Ubuntu SSL certificate stands for...