Enable 2FA
Security Layer 7
Enable Two-Factor Authentication
SSH can also be configured to require a Google Authenticator code, which means that an attacker that somehow compromised your SSH key and its passphrase would still need the device with the authenticator app on it (presumably your phone). This adds an extra layer of security to your system.
Start by installing Google Authenticator (or a compatible equivalent) on your phone if you don't already have it. For Android users, consider andOTP which is an open-source alternative that supports password locking and convenient backups.
Next, install the Google Authenticator module on your node with this command:
Now tell the PAM
(pluggable authentication modules) to use this module. First, open the config file:
Find @include common-auth
(it should be at the top) and comment it out by adding a #
in front of it, so it looks like this:
Next, add these lines to the top of the file:
Then save and exit the file with Ctrl+O
, Enter
, and Ctrl+X
.
Now that PAM
knows to use Google Authenticator, the next step is to tell sshd
to use PAM
. Open the sshd
config file:
Now change the line KbdInteractiveAuthentication no
to KbdInteractiveAuthentication yes
so it looks like this:
(Older versions of SSH call this option ChallengeResponseAuthentication
instead of KbdInteractiveAuthentication
.)
Add the following line to the bottom of the file, which indicates to sshd
that it needs both an SSH key and the Google Authenticator code:
Then save and exit the file with Ctrl+O
, Enter
, and Ctrl+X
.
Now that sshd
is set up, we need to create our 2FA codes. In your terminal, run:
First, it will ask you about time-based tokens. Say y
to this question:
You will now see a big QR code on your screen; scan it with your Google Authenticator app to add it. You will also see your secret and a few backup codes looking like this:
Finally, it will ask you for some more parameters; the recommended defaults are as follows:
Once you're done, restart sshd
so it grabs the new settings:
When you try to SSH into your server with your SSH keys, you should now also be asked for a 2FA verification code, but not for a password.
Last updated