How to set up two-factor authentication

Revision as of 22:44, 30 August 2018

https://www.digitalocean.com/community/tutorials/how-to-set-up-multi-factor-authentication-for-ssh-on-ubuntu-16-04

OATH-TOTP (Time-Based One-Time Password, specified in RFC 6238 by the Initiative for Open Authentication) is an open algorithm that derives a short-lived one-time password from a shared secret and the current time, commonly a 6-digit number that changes every 30 seconds.

PREREQUISITE: Before setting this up, you need a smartphone or tablet with an OATH-TOTP app installed, like Google Authenticator or Authy.

Install Google's PAM module:

$ sudo apt-get install libpam-google-authenticator

For each user that needs 2FA, log in as that user (not via sudo, so the secret ends up in the right home directory) and run

$ google-authenticator

Answer "y" for yes to say that "you want authentication tokens to be time-based". A QR code will pop up in your terminal. Scan it with the TOTP app on your phone to add the account. Give reasonable answers to the rest of the questions (saying yes to disallowing code reuse and to rate limiting is sensible). You should end up with a hidden .google_authenticator file in your home directory, readable only by you. It contains the shared secret and the emergency scratch codes, so treat it like a private key and do not copy it anywhere that is backed up in the clear.

Public Key OR Password+2FA

Edit /etc/pam.d/sshd to add this line at the end:

auth required pam_google_authenticator.so nullok

The nullok option lets a user who has not yet run google-authenticator (no .google_authenticator file) log in with just their password. It is useful while rolling 2FA out; remove it once every account has a secret, otherwise an account without the file is an account without a second factor.

Now edit /etc/ssh/sshd_config. Look for ChallengeResponseAuthentication and set its value to yes (UsePAM must also be yes, which Ubuntu's stock file already sets; without it the PAM line above is never consulted). On OpenSSH 8.7 and later the directive has been renamed KbdInteractiveAuthentication, and ChallengeResponseAuthentication is kept as a deprecated alias:

. . .
# Change to yes to enable challenge-response passwords (beware issues with
# some PAM modules and threads)
ChallengeResponseAuthentication yes
. . .

Check the configuration for syntax errors, then restart sshd:

$ sudo sshd -t
$ sudo systemctl restart sshd.service

WARNING: Don't close your existing terminal until you know everything is working!

Open a new terminal and attempt to log in via SSH. If you've previously created an SSH key and are using it, you'll notice you didn't have to type in your user's password or the MFA verification code. This is because, with the default AuthenticationMethods of any, a single successful method is enough, and public-key authentication is completed by sshd itself without consulting PAM's auth stack, so the TOTP prompt is never reached. Otherwise, you should have gotten a password and verification code prompt.
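Since the outcome depends on three settings spread over two files, it helps to check them together rather than by eye. The following is an added example, not part of the original page: it parses constructed samples of /etc/ssh/sshd_config and /etc/pam.d/sshd and reports whether a password login will be asked for a code, whether users without a secret can skip it, and whether a key alone bypasses the second factor. It applies the sshd_config(5) rule that the first occurrence of a keyword wins, strips # comments, and stops at the first Match block (an assumption that the relevant settings are global); the defaults table is the upstream compiled-in defaults.

```python
"""Check whether sshd_config and /etc/pam.d/sshd, taken together, enforce
password+TOTP, and whether a public key alone still bypasses it.

Added example, not part of the original page. Both inputs are constructed samples.
Parsing follows sshd_config(5): first occurrence of a keyword wins, '#' starts a
comment, keywords are case-insensitive; Match blocks are out of scope (assumption).
"""
import re

SSHD_CONFIG = """# constructed sample of /etc/ssh/sshd_config
Port 22
#ChallengeResponseAuthentication no
ChallengeResponseAuthentication yes
UsePAM yes
PasswordAuthentication yes
"""

PAM_SSHD = """# constructed sample of /etc/pam.d/sshd
@include common-auth
account    required     pam_nologin.so
auth required pam_google_authenticator.so nullok
"""

# Upstream compiled-in defaults from sshd_config(5). Ubuntu's shipped file sets UsePAM yes explicitly.
SSHD_DEFAULTS = {
    "challengeresponseauthentication": "yes",
    "usepam": "no",
    "pubkeyauthentication": "yes",
    "passwordauthentication": "yes",
    "authenticationmethods": "any",
}

# Matches an auth line for the module; the control field may be a bare word or a [bracketed] form.
PAM_GA_RE = re.compile(r"^\s*auth\s+(?:\[[^\]]*\]|\S+)\s+pam_google_authenticator\.so(.*)$")


def parse_sshd_config(text):
    """Return {lowercased keyword: first value seen}, ignoring comments and Match blocks."""
    effective = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)  # 'Key value' or 'Key=value'
        key = parts[0].lower()
        if key == "match":
            break  # everything after here is conditional; out of scope for this check
        if len(parts) == 2 and key not in effective:
            effective[key] = parts[1].strip().strip('"')
    return effective


def pam_google_authenticator_line(pam_text):
    """Return (present, nullok) for the first active pam_google_authenticator.so auth line."""
    for raw in pam_text.splitlines():
        m = PAM_GA_RE.match(raw.split("#", 1)[0])
        if m:
            return True, "nullok" in m.group(1).split()
    return False, False


def effective_policy(sshd_text, pam_text):
    """Summarise what the two files actually enforce."""
    cfg = {**SSHD_DEFAULTS, **parse_sshd_config(sshd_text)}
    present, nullok = pam_google_authenticator_line(pam_text)
    # sshd runs the PAM auth stack for keyboard-interactive only when both of these are yes.
    pam_reachable = cfg["challengeresponseauthentication"] == "yes" and cfg["usepam"] == "yes"
    return {
        "password_login_prompts_for_code": present and pam_reachable,
        "users_without_secret_skip_code": present and nullok,
        # With the default AuthenticationMethods any, one successful method is enough,
        # and public-key auth is completed by sshd without consulting PAM's auth stack.
        "key_alone_bypasses_2fa": cfg["pubkeyauthentication"] == "yes"
        and cfg["authenticationmethods"] == "any",
    }


if __name__ == "__main__":
    for name, value in effective_policy(SSHD_CONFIG, PAM_SSHD).items():
        print(f"{name}: {value}")
```

Run it against the real files with open("/etc/ssh/sshd_config").read() and open("/etc/pam.d/sshd").read(). If you want the key and the code to both be required rather than either one, set AuthenticationMethods publickey,keyboard-interactive, which makes sshd follow a successful key with the PAM keyboard-interactive prompt; the checker reports key_alone_bypasses_2fa as False for that setting.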