Add two factor authentication to SSH


An SSH connection to a server is quite secure, but that security is undermined by the weak passwords users set. Weak passwords can easily be cracked, brute-forced or guessed.

The best way to create a password is to make sure of two things: it is long enough (more than 10 characters) and it cannot be found by a dictionary attack.

Let's put the topic of creating passwords aside, as I am going to introduce you to two factor authentication. Two factor authentication is a new way of increasing your account security. It requires two different components: one you know (a password) and one you have (a mobile phone or another device). A good real-world example of two factor authentication is a bank card and PIN code. To withdraw money from an ATM, you need your bank card (a thing you have) and your PIN (a thing you know).

I will be using Debian Jessie as my operating system. The instructions given should work on all Debian-based distributions such as Ubuntu, Linux Mint and others.

I will lay out setting up two factor authentication to SSH in steps.

1. Install required dependencies

prabin@sys1:~$ su - 
root@sys1:~# apt-get install libpam-google-authenticator

You will have something like this:

Reading package lists... Done
Building dependency tree
Reading state information... Done
The following extra packages will be installed:
libqrencode3
The following NEW packages will be installed:
libpam-google-authenticator libqrencode3
0 upgraded, 2 newly installed, 0 to remove and 0 not upgraded.
Need to get 65.2 kB of archives.
After this operation, 162 kB of additional disk space will be used.
Do you want to continue? [Y/n] 

Press Y to continue installing the packages. An extra package, libqrencode3, is installed along with libpam-google-authenticator because it is used to generate the QR code image later.

The package is now installed, but to use it you must configure it.

2. Edit configuration Files

Note: Before editing system configuration files, it is a good idea to make a backup copy of the file.

Since we are setting up SSH, the configuration file we modify belongs to the SSH server. Modify the following file so that PAM authentication is enabled for the SSH server.

root@sys1:~# nano /etc/pam.d/sshd

PAM is the Pluggable Authentication Module system for Unix-like systems. It is a mechanism for integrating many low-level authentication schemes for use by high-level applications, which makes those applications independent of the low-level authentication scheme in use.

Add the following line at the top of the file.

auth required pam_google_authenticator.so

Save and exit.

3. Add setting for a user

Log in as the user for whom you want to enable two factor authentication, and type google-authenticator at the command prompt.

Note: Maximize your terminal window. Later in these steps you will see a QR code, which is easier to scan with the Google Authenticator Android application when it is displayed at full size.

root@sys1:~# su prabin
prabin@sys1:~$ google-authenticator

The su manual page says:

The su command is used to become another user during a login session. Invoked without a username, su defaults to becoming the superuser. The optional argument - may be used to provide an environment similar to what the user would expect had the user logged in directly.

You can see the manual of any command by typing man <command name> at the command prompt. For example: man ls.

Now let's come back to our steps. Answer the first question yes by pressing y.

Do you want authentication tokens to be time-based (y/n) y

3.1 Google Authenticator application

You will see a QR code image in the terminal. At this point you can move to your Android phone and install the Google Authenticator application. It is available in the Play Store; the link is given below.

Google Authenticator Play Store

Note: you need the “Barcode Scanner” Android application to scan the QR code, as Google Authenticator depends on it. The application is found under the following link: Barcode Scanner

Once you have installed both applications, open Google Authenticator. In the menu, tap “Set up account” -> “Scan a barcode” and point your phone at the displayed QR code. Your Android application is set up at this point.

If you are not able to scan the code, you can enter the secret key displayed just below the image instead.

Now let's finish the remaining steps of setting up the user. Switch back to your computer. You will see the following below the QR code image:

Your new secret key is: WCMFMIZ4252LPIBX
Your verification code is 633134
Your emergency scratch codes are:
  34546456
  74839862
  67555792
  50517848
  72176395

Take note of all this information; you will need it if you cannot log in later.

Press y for the next question.

Do you want me to update your "/home/prabin/.google_authenticator" file (y/n) y

Answer the remaining questions according to your security requirements.

Do you want to disallow multiple uses of the same authentication token?
This restricts you to one login about every 30s, but it increases
your chances to notice or even prevent man-in-the-middle attacks (y/n) n

By default, tokens are good for 30 seconds and in order to compensate for 
possible time-skew between the client and the server, we allow an extra 
token before and after the current time. If you experience problems with poor 
time synchronization, you can increase the window from its default 
size of 1:30min to about 4min. Do you want to do so (y/n) n

If the computer that you are logging into isn't hardened against brute-force 
login attempts, you can enable rate-limiting for the authentication module. 
By default, this limits attackers to no more than 3 login attempts every 30s. 
Do you want to enable rate-limiting (y/n) y
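To make the questions above concrete, here is an added example (not code from the article or from the google-authenticator project) of how a time-based verification code is computed and checked: 30-second steps, one extra step of skew before and after, and the optional refusal of a step that has already been used. The secret below is the RFC 6238 test key, not a real one; the real module stores the secret in ~/.google_authenticator.

```python
import base64
import hashlib
import hmac
import struct
import time

STEP = 30      # tokens are good for 30 seconds
DIGITS = 6     # google-authenticator shows 6-digit codes

def hotp(key: bytes, counter: int) -> str:
    """RFC 4226: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** DIGITS).zfill(DIGITS)

def totp(key: bytes, now: int) -> str:
    """RFC 6238: the counter is the number of 30-second steps since the epoch."""
    return hotp(key, now // STEP)

def decode_secret(secret_b32: str) -> bytes:
    """google-authenticator prints the secret as unpadded base32."""
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)
    return base64.b32decode(padded)

class Verifier:
    """Accept a code within +/- `window` steps of the current time.
    With disallow_reuse, any step at or before the last accepted one is
    refused (the 'disallow multiple uses' option in the setup questions)."""
    def __init__(self, key: bytes, window: int = 1, disallow_reuse: bool = False):
        self.key, self.window, self.disallow_reuse = key, window, disallow_reuse
        self.last_used = -1

    def verify(self, code: str, now: int) -> bool:
        step = now // STEP
        for candidate in range(max(0, step - self.window), step + self.window + 1):
            if self.disallow_reuse and candidate <= self.last_used:
                continue
            if hmac.compare_digest(hotp(self.key, candidate), code):
                self.last_used = candidate
                return True
        return False

# Constructed secret (the RFC 6238 test key), not a real key.
RFC_SECRET = b"12345678901234567890"

if __name__ == "__main__":
    print("current code:", totp(RFC_SECRET, int(time.time())))
```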

Now your two factor authentication is set up. Before you restart the SSH server, open a new terminal and log in as root. If your setup has gone wrong, you can then quickly revert to the original state.

Restart the SSH server (you need root privileges, so exit from the user's shell first).

prabin@sys1:~$ exit 
root@sys1:~# service ssh restart

Now try to SSH to the computer from the third terminal. You should be asked for the verification code before being asked for the password.

That is it. Stay tuned for Setting Up OpenVPN server in my next article.