I'm not going to mess you around here, this was oddly painful with conflicting information and given I know nothing about the implementation details of SSH, quite irritating:
Follow these steps to enable two-factor authentication (2FA) over SSH using a public key and Google Authenticator on Ubuntu 22.04.4 LTS:
- Update your package lists
sudo apt-get update
- Install the Google Authenticator package:
sudo apt-get install libpam-google-authenticator
- Set up Google Authenticator:
google-authenticator
-
Answer the prompts as follows:
-
Do you want authentication tokens to be time-based (y/n)? y
-
Do you want me to update your "~/.google_authenticator" file (y/n)? y
-
Do you want to disallow multiple uses of the same authentication token? This restricts you to one login about every 30s, but it increases your chances to notice or even prevent man-in-the-middle attacks (y/n). y
-
By default, tokens are good for 30 seconds and in order to compensate for possible time-skew between the client and the server, we allow an extra token before and after the current time. If you experience problems with poor time synchronization, you can increase the window from its default size of 1:30min to about 4min. Do you want to do so (y/n)? n
-
If the computer that you are logging into isn't hardened against brute-force login attempts, you can enable rate-limiting for the authentication module. Do you want to enable rate-limiting (y/n)? y
-
Scan the QR code into your authenticator app.
-
Edit the PAM SSHD configuration:
sudo nano /etc/pam.d/sshd
-
Add these lines at the bottom of the file
-
auth required pam_google_authenticator.so nullok
auth required pam_permit.so
-
nullok
allows users to log in without 2FA until they configure their OATH-TOTP token. Remove this option once all users are set up.
Configure SSH for challenge-response authentication:
sudo nano /etc/ssh/sshd_config
- Set
ChallengeResponseAuthentication
toyes
. Update if present, uncomment, or add this line.
Restart the SSH service to apply changes:
sudo systemctl restart sshd.service
-
If this step causes issues, debug with:bash
-
sudo sshd -t -f /etc/ssh/sshd_config
Test your configuration in a separate terminal window. If you already use a public key, there should be no noticeable change.
Update SSHD to require 2FA:
sudo nano /etc/ssh/sshd_config
- Add or update the following line to require public key and either password or keyboard-interactive authentication:r
AuthenticationMethods publickey,password publickey,keyboard-interactive
Enable keyboard-interactive authentication:
KbdInteractiveAuthentication yes
<-- This is for 22.04 LTS
ChallengeResponseAuthentication yes
<-- This is for older versions of Linux
Further secure PAM by editing its SSHD file:
sudo nano /etc/pam.d/sshd
- Comment out this line to prevent fallback to password authentication.
#@include common-auth
Restart the SSH service once more to finalize all settings:
sudo systemctl restart sshd.service
These steps will enable you to securely access your server using two-factor authentication while maintaining the flexibility of public key authentication.