A simple way to protect your SSH server with two-factor authentication is to use the Google Authenticator PAM module.
Note that the procedure below applies to Debian and Ubuntu.
1. Install the dependencies: log in as root or a user with sudo privileges and run
$ apt-get install libpam-google-authenticator
root@bastionsg:~# apt-get install libpam-google-authenticator
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following extra packages will be installed:
  libqrencode3
The following NEW packages will be installed:
  libpam-google-authenticator libqrencode3
0 upgraded, 2 newly installed, 0 to remove and 0 not upgraded.
Need to get 65.8 kB of archives.
After this operation, 216 kB of additional disk space will be used.
Do you want to continue? [Y/n] Y
Get:1 http://mirror.nus.edu.sg/Debian/ jessie/main libqrencode3 amd64 3.4.3-1 [33.8 kB]
Get:2 http://mirror.nus.edu.sg/Debian/ jessie/main libpam-google-authenticator amd64 20130529-2 [32.1 kB]
Fetched 65.8 kB in 0s (79.6 kB/s)
Selecting previously unselected package libqrencode3:amd64.
(Reading database ... 149501 files and directories currently installed.)
Preparing to unpack .../libqrencode3_3.4.3-1_amd64.deb ...
Unpacking libqrencode3:amd64 (3.4.3-1) ...
Selecting previously unselected package libpam-google-authenticator.
Preparing to unpack .../libpam-google-authenticator_20130529-2_amd64.deb ...
Unpacking libpam-google-authenticator (20130529-2) ...
Processing triggers for man-db (126.96.36.199-5) ...
Setting up libqrencode3:amd64 (3.4.3-1) ...
Setting up libpam-google-authenticator (20130529-2) ...
Processing triggers for libc-bin (2.19-18+deb8u4) ...
2. Edit the PAM configuration for sshd and the sshd_config file
$ nano /etc/pam.d/sshd
Add this line at the top of the file:
auth required pam_google_authenticator.so
$ nano /etc/ssh/sshd_config
Find and change the following line:
Activate two-factor authentication for a user
Switch to the user who should use two-factor authentication and run google-authenticator:
You will be prompted to answer a few questions; answering yes (y) to all of them is fine, or adjust the answers to your preferred setup.
burnz@bastionsg:~$ google-authenticator
Do you want authentication tokens to be time-based (y/n) y
https://www.google.com/chart?chs=200x200&chld=M|0&cht=qr&chl=otpauth://totp/burnz@bastionsg%3Fsecret&8667677JSHKF
BAR CODE DISPLAY HERE
Do you want me to update your "/home/burnz/.google_authenticator" file (y/n) y
Do you want to disallow multiple uses of the same authentication token? This restricts you to one login about every 30s, but it increases your chances to notice or even prevent man-in-the-middle attacks (y/n) y
By default, tokens are good for 30 seconds and in order to compensate for possible time-skew between the client and the server, we allow an extra token before and after the current time. If you experience problems with poor time synchronization, you can increase the window from its default size of 1:30min to about 4min. Do you want to do so (y/n) y
If the computer that you are logging into isn't hardened against brute-force login attempts, you can enable rate-limiting for the authentication module. By default, this limits attackers to no more than 3 login attempts every 30s. Do you want to enable rate-limiting (y/n) y
To enrol the mobile Google Authenticator app, simply scan the QR code from the link it creates.
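To make the setup questions above concrete, here is an added Python example (not part of the original post and not the PAM module's own code) that computes the same time-based codes the mobile app shows and verifies them with the skew window and the "disallow multiple uses" policy the prompts describe. The secret is the constructed RFC 4226/RFC 6238 test key, base32-encoded the way google-authenticator stores it, not a secret from a real ~/.google_authenticator file.

```python
import base64
import hashlib
import hmac
import struct

# Constructed sample secret: the RFC 4226 / RFC 6238 test key, base32-encoded
# as google-authenticator writes it to ~/.google_authenticator.
SAMPLE_SECRET_B32 = base64.b32encode(b"12345678901234567890").decode()

STEP_SECONDS = 30   # "tokens are good for 30 seconds"
DIGITS = 6          # the app shows six-digit codes


def hotp(secret_b32: str, counter: int) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    key = base64.b32decode(secret_b32.upper())
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** DIGITS).zfill(DIGITS)


def totp(secret_b32: str, now: int) -> str:
    """RFC 6238 TOTP: HOTP over the number of 30-second steps since the Unix epoch."""
    return hotp(secret_b32, now // STEP_SECONDS)


class TotpVerifier:
    """Server-side check mirroring the setup choices: window=3 accepts the previous,
    current and next step (the default 1:30min), and disallow_reuse accepts each
    step's code only once, so a captured code cannot be replayed."""

    def __init__(self, secret_b32: str, window: int = 3, disallow_reuse: bool = True):
        self.secret_b32 = secret_b32
        self.half = window // 2
        self.disallow_reuse = disallow_reuse
        self.used_steps = set()   # steps whose code has already been accepted

    def verify(self, code: str, now: int) -> bool:
        current = now // STEP_SECONDS
        for step in range(current - self.half, current + self.half + 1):
            # Constant-time comparison avoids leaking how many digits matched.
            if hmac.compare_digest(hotp(self.secret_b32, step), code):
                if self.disallow_reuse and step in self.used_steps:
                    return False   # replayed token: rejected, as the PAM option does
                self.used_steps.add(step)
                return True
        return False
```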
Finally restart the SSH server.
burnz@bastionsg:~$ sudo /etc/init.d/ssh restart
Try to log in to the server remotely via SSH and verify that it's working.
login as: burnz
Using keyboard-interactive authentication.
Password: # This is where the default password of the user goes
Using keyboard-interactive authentication.
Verification code: # This is where the code from your mobile Google Authenticator goes
The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
You have mail.
Last login: Wed Apr 27 15:07:37 2016 from 10.2.1.102
burnz@bastionsg:~$ # Shows that you are successfully logged in
Adding two-factor authentication for sudo
Modify the config file /etc/pam.d/sudo
root@bastionsg:~# nano /etc/pam.d/sudo
so that it contains:
@include common-auth
auth required pam_google_authenticator.so
@include common-account
@include common-session-noninteractive
Then restart the SSH service
root@bastionsg:~# /etc/init.d/ssh restart
[ ok ] Restarting ssh (via systemctl): ssh.service.