How to setup SSH Two Factor Authentication?
SSH hardening is a better way to prevent unauthorized access to your server, now a day security is a major concern for Server owners. There are so many Brute forcing attempts per minute to your server via SSH. So, securing the server is a must and good way to prevent hacking attempts via backend. There are many ways to secure SSH access to your servers, one of them is Two-Factor Authentication. Here, whenever you try to access your server, there will be an extra prompt for Google Authenticator verification code, you need to type this correctly for secure access to the server via SSH.
The Google Authenticator will give an extra layer of protection by generating TOTP (Time based One Time Passwords) on your smartphone which you need to enter while login to the server via SSH. In this tutorial, I’m discussing the steps to enable Two-Factor Authentication for SSH access. Let’s begin the steps:
Before proceeding with the process, let’s update system to the latest by running below command:
# yum -y update
The next step would be installing the pam-devel package on your server to set authentication policies without recompiling other packages that handle authentications.
# yum -y install pam-devel
Also, make sure to install NTPD service because of TOTP security tokens are time sensitive and make it run at the time of booting:
# yum -y install ntp
# service ntpd start
# chkconfig ntpd on
The next step would be installing Google Authenticator on the server from EPEL repository. Running below command will help you with this task:
# yum -y install google-authenticator
Once the Google Authenticator installed, run below command to configure this on your server and answer each question:
Let’s have a look at the questions while configuring Google Authenticator, note that type y for Yes and n for NO.
Do you want authentication tokens to be time-based (y/n) y
This will generate QRcode, Secret key (Save it in a safe place), Emergency scratch codes, etc.
Do you want me to update your “/root/.google_authenticator” file (y/n) y
The Yes means the above-generated codes will store to /root/.google_authenticator file.
Do you want to disallow multiple uses of the same authentication
token? This restricts you to one login about every 30s, but it increases
your chances to notice or even prevent man-in-the-middle attacks (y/n) y
Here Yes means you are preventing replay attacks by making each code will auto expire after the use.
By default, tokens are good for 30 seconds and in order to compensate for
possible time-skew between the client and the server, we allow an extra
token before and after the current time. If you experience problems with poor
time synchronization, you can increase the window from its default
size of 1:30min to about 4min. Do you want to do so (y/n) n
Here No means, limit the verification code to 3 in a 1:30 minute rolling window. The No answer is the most secure in this choice.
If the computer that you are logging into isn’t hardened against brute-force
login attempts, you can enable rate-limiting for the authentication module.
By default, this limits attackers to no more than 3 login attempts every 30s.
Do you want to enable rate-limiting (y/n) y
This means an attacker can only attempt few of guesses before getting blocked by server firewall.
The generated QR code on above first question needs to be scan on Google Authenticator software on your Smartphone. A new verification code will generate randomly at every 30 seconds.
The next steps should be enabling Google Authentication for SSH logins, for that edit PAM configuration file at “/etc/pam.d/sshd” and add the below entry and save.
auth required pam_google_authenticator.so
Once it is done, open SSHD configuration file and make the below changes:
Once it is done, restart the SSHD service by below command:
# service sshd restart
From now on, there will be an extra prompt for Verification code while login via SSH, here enter the verification code generated by the Google Authentication software on your smartphone to access server.
@sh:~$ ssh -l root xxx.xx.xx.xx
If you need any further help please do reach our support department