How to set up two-factor authentication
OATH-TOTP (Open Authentication Time-Based One-Time Password) is an open protocol that generates a one-time use password, commonly a 6 digit number that is recycled every 30 seconds.
PREREQUISITE: Before setting this up, you need a smartphone or tablet with an OATH-TOTP app installed, like Google Authenticator or Authy.
Install Google's PAM
$ sudo apt install libpam-google-authenticator
For each user that needs 2FA, run
$ google-authenticator
Answer "y" for yes to say that "you want authentication tokens to be time-based". A QR code will pop up in your terminal. Scan it with the TOTP app on your phone to add the account. Give reasonable answers to the rest of the questions. You should end up with a hidden .google_authenticator file in your home directory; it holds the shared secret for that account.
Configure SSH
Edit /etc/pam.d/sshd to add this line at the end:
auth required pam_google_authenticator.so nullok
The nullok option lets users who have not yet run google-authenticator (no .google_authenticator file) log in without a code; remove it once every user is enrolled.
Edit /etc/ssh/sshd_config. Look for ChallengeResponseAuthentication and set its value to yes:
. . .
# Change to yes to enable challenge-response passwords (beware issues with
# some PAM modules and threads)
ChallengeResponseAuthentication yes
. . .
Restart sshd:
$ sudo systemctl restart sshd.service
WARNING: Don't close your existing terminal until you know everything is working!
Public Key OR Password+2FA
Open a new terminal and attempt to log in via SSH. If you've previously created an SSH key and are using it, you'll notice you didn't have to type in your user's password or the MFA verification code. This is because, by default, sshd accepts a successful public-key authentication on its own and never consults PAM, so the verification code is never requested. Otherwise, you should have gotten a password and verification code prompt.
Public Key + 2FA
If your SSH server doesn't allow passwords (with PasswordAuthentication no) and you want to require BOTH public key AND 2FA:
Edit /etc/pam.d/sshd to comment out @include common-auth, so that PAM no longer asks for the system password and only the verification code is checked:
. . .
# Standard Un*x authentication.
#@include common-auth
. . .
Edit /etc/ssh/sshd_config to add a Match User section for users that need to use 2FA:
Match User barney
    AuthenticationMethods publickey,keyboard-interactive
Restart sshd:
$ sudo systemctl restart sshd.service