Enabling 2FA on SSH Using Google Authenticator for Ubuntu 22.04.4 LTS

Posted on Updated on

I’m not going to mess you around here, this was oddly painful with conflicting information and given I know nothing about the implementation details of SSH, quite irritating:

Follow these steps to enable two-factor authentication (2FA) over SSH using a public key and Google Authenticator on Ubuntu 22.04.4 LTS:

  1. Update your package lists
sudo apt-get update

2. Install the Google Authenticator package:

sudo apt-get install libpam-google-authenticator

3. Set up Google Authenticator:

google-authenticator

4. Answer the prompts as follows:

  • Do you want authentication tokens to be time-based (y/n)? y
  • Do you want me to update your “~/.google_authenticator” file (y/n)? y
  • Do you want to disallow multiple uses of the same authentication token? This restricts you to one login about every 30s, but it increases your chances to notice or even prevent man-in-the-middle attacks (y/n). y
  • By default, tokens are good for 30 seconds and in order to compensate for possible time-skew between the client and the server, we allow an extra token before and after the current time. If you experience problems with poor time synchronization, you can increase the window from its default size of 1:30min to about 4min. Do you want to do so (y/n)? n
  • If the computer that you are logging into isn’t hardened against brute-force login attempts, you can enable rate-limiting for the authentication module. Do you want to enable rate-limiting (y/n)? y
  • Scan the QR code into your authenticator app.

5. Edit the PAM SSHD configuration:

sudo nano /etc/pam.d/sshd
  • Add these lines at the bottom of the file
  • auth required pam_google_authenticator.so nullok
    auth required pam_permit.so
  • nullok allows users to log in without 2FA until they configure their OATH-TOTP token. Remove this option once all users are set up.

Configure SSH for challenge-response authentication:

sudo nano /etc/ssh/sshd_config
  • Set ChallengeResponseAuthentication to yes. Update if present, uncomment, or add this line.

Restart the SSH service to apply changes:

sudo systemctl restart sshd.service
  • If this step causes issues, debug with:bash
  • sudo sshd -t -f /etc/ssh/sshd_config

Test your configuration in a separate terminal window. If you already use a public key, there should be no noticeable change.

Update SSHD to require 2FA:

sudo nano /etc/ssh/sshd_config
  • Add or update the following line to require public key and either password or keyboard-interactive authentication:r
AuthenticationMethods publickey,password publickey,keyboard-interactive

Enable keyboard-interactive authentication:

KbdInteractiveAuthentication yes <– This is for 22.04 LTS

ChallengeResponseAuthentication yes <– This is for older versions of Linux

Further secure PAM by editing its SSHD file:

sudo nano /etc/pam.d/sshd
  • Comment out this line to prevent fallback to password authentication.
    #@include common-auth

Restart the SSH service once more to finalize all settings:

sudo systemctl restart sshd.service

These steps will enable you to securely access your server using two-factor authentication while maintaining the flexibility of public key authentication.