How to set up two-factor authentication
Latest revision as of 20:15, 25 October 2024
https://vrealmatic.com/ubuntu-server/2fa-google-authenticator
OATH-TOTP (Time-Based One-Time Password, the algorithm standardised by the Initiative for Open Authentication in RFC 6238) is an open standard that derives a short one-time code, commonly 6 digits, from a shared secret and the current time. A fresh code is produced every 30 seconds, so the phone and the server both need reasonably accurate clocks (keep NTP running on the server) or valid codes will be rejected.
PREREQUISITE: Before setting this up, you need a smartphone or tablet with an OATH-TOTP app installed, like Google Authenticator or Authy.
Install Google's PAM
$ sudo apt install libpam-google-authenticator
For each user that needs 2FA, log in as that user (not through sudo, because the secret file is written to the invoking user's home directory) and run
$ google-authenticator
Answer "y" when asked whether you want authentication tokens to be time-based. A QR code is printed in the terminal; scan it with the TOTP app on your phone to add the account. The tool also prints the base32 secret and a handful of emergency scratch codes: store the scratch codes somewhere safe, since they are the only way in if the phone is lost. For the remaining questions, answering "y" to updating the file, to disallowing multiple uses of the same token and to rate limiting is a sensible default. You should end up with a hidden .google_authenticator file in your home directory. It holds the shared secret and the scratch codes, so it must be readable only by its owner; the PAM module refuses a secret file whose permissions are more permissive than that.
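To make concrete what the TOTP step above actually computes, and what the module reads from .google_authenticator, here is an added example (not code from this page or from the google-authenticator project). It assumes the file layout used by google-authenticator: the base32 shared secret on the first line, option lines prefixed with a double quote, then one scratch code per line. The sample file is constructed; its secret is the RFC 6238 reference seed "12345678901234567890" in base32 (longer than the secret the tool generates for a real user), so the codes it produces can be checked against the RFC's published test vectors. The function names, and the simplified model of WINDOW_SIZE and DISALLOW_REUSE, are mine.

```python
"""Derive and verify OATH-TOTP codes from a google-authenticator style secret file.

Added illustration; not code from the page or from google-authenticator-libpam.
"""
import base64
import hashlib
import hmac
import struct
import time

# Constructed sample in the layout this example assumes google-authenticator
# writes to ~/.google_authenticator: base32 secret first, then '" ' option
# lines, then one scratch code per line. The secret is the RFC 6238 reference
# seed "12345678901234567890" encoded in base32, not a real user's secret.
SAMPLE_SECRET_FILE = """\
GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ
" RATE_LIMIT 3 30
" WINDOW_SIZE 3
" DISALLOW_REUSE
" TOTP_AUTH
12345678
87654321
"""


def parse_secret_file(text):
    """Return (secret_bytes, options, scratch_codes) parsed from the file text."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    secret = base64.b32decode(lines[0].upper())
    options, scratch = {}, []
    for ln in lines[1:]:
        if ln.startswith('"'):
            name, *args = ln[1:].split()
            options[name] = args
        else:
            scratch.append(ln)
    return secret, options, scratch


def hotp(secret, counter, digits=6):
    """RFC 4226: HMAC-SHA1 over the big-endian 64-bit counter, dynamic truncation, mod 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret, for_time=None, step=30, digits=6):
    """RFC 6238: HOTP with the counter set to the number of 30 s steps since the Unix epoch."""
    if for_time is None:
        for_time = time.time()
    return hotp(secret, int(for_time) // step, digits)


def verify_code(secret, code, for_time, window_size=3, step=30, used=None):
    """Accept `code` if it matches any counter in a window centred on `for_time`.

    window_size models google-authenticator's WINDOW_SIZE: 3 means the previous,
    current and next 30 s code are all accepted (tolerates a little clock skew).
    `used`, if given, is a set of counters already consumed, modelling
    DISALLOW_REUSE. Returns the matching counter, or None when nothing matches.
    """
    base = int(for_time) // step
    half = window_size // 2
    for counter in range(base - half, base + half + 1):
        if used is not None and counter in used:
            continue  # this code was already spent in an earlier login
        if hmac.compare_digest(hotp(secret, counter), code):
            if used is not None:
                used.add(counter)
            return counter
    return None


def use_scratch_code(scratch_codes, code):
    """Scratch codes are single-use: remove on success so one cannot be replayed."""
    if code in scratch_codes:
        scratch_codes.remove(code)
        return True
    return False


if __name__ == "__main__":
    secret, options, scratch = parse_secret_file(SAMPLE_SECRET_FILE)
    print("options:", options)
    print("RFC 6238 vector, T=59 (expect 287082):", totp(secret, 59))
    print("code for right now:", totp(secret))
```

Running it prints the RFC test code for T=59 and the code the phone would show at the current time for that seed; comparing the latter with a TOTP app seeded with the same secret is a quick way to confirm the server clock is in step.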
Configure SSH
Edit /etc/pam.d/sshd to add this line at the end:
auth required pam_google_authenticator.so nullok
The nullok option lets a user who has not yet run google-authenticator (so has no .google_authenticator file) log in without a code. That is convenient while rolling 2FA out, but once every user is enrolled remove nullok so that a missing or deleted secret file fails closed instead of silently disabling the second factor.
Edit /etc/ssh/sshd_config. Look for ChallengeResponseAuthentication (OpenSSH 8.6 and earlier) or KbdInteractiveAuthentication (the name it was renamed to in OpenSSH 8.7; Ubuntu 22.04 and later use the new name) and set its value to yes. UsePAM yes must also be present (it is the Ubuntu default), otherwise the PAM module is never consulted:
. . .
# Change to yes to enable challenge-response passwords (beware issues with
# some PAM modules and threads)
ChallengeResponseAuthentication yes
# OR #
KbdInteractiveAuthentication yes
. . .
Check the file for syntax errors first (a broken sshd_config stops sshd from starting), then restart sshd:
sudo systemctl restart sshd.service
WARNING: Don't close your existing terminal until you know everything is working! Keep that session open and test every login from a second terminal, so that a mistake in the PAM or sshd configuration cannot lock you out.
Public Key OR Password+2FA
Open a new terminal and attempt to log in via SSH. If you have previously set up an SSH key and are using it, you will notice that you were not asked for your password or for the MFA verification code. That is because, by default, sshd accepts any single enabled authentication method: public key authentication is tried first and succeeds on its own, so PAM (and with it the TOTP module) is never consulted. Without a key you should have been prompted for the password and then for the verification code.
Public Key + 2FA
If your SSH server doesn't allow passwords (PasswordAuthentication no) and you want to require BOTH public key AND 2FA:
Edit /etc/pam.d/sshd to comment out @include common-auth, so that PAM no longer asks for the account password and the TOTP code is the only challenge left:
. . .
# Standard Un*x authentication.
#@include common-auth
. . .
Edit /etc/ssh/sshd_config to add a Match User section for users that need to use 2FA. Put it at the end of the file: every directive after a Match line belongs to that block until the next Match, so anything placed below it would only apply to the matched users:
Match User barney
    AuthenticationMethods publickey,keyboard-interactive
Both methods must succeed, in that order: the key is checked first, then the keyboard-interactive step hands off to PAM, which now only runs pam_google_authenticator. Users not covered by a Match block keep the default behaviour of accepting any single method.
Restart sshd:
sudo systemctl restart sshd.service