UBUNTU LTS SERVER
In this tutorial, we will describe the necessary steps to configure two-factor authentication (2FA) using Google Authenticator (an application on our Android mobile device) on an Ubuntu 16.04 LTS Server Edition. This method adds another layer of protection to our server by adding an extra step to the basic login procedure.
STEP 1 – INSTALL GOOGLE AUTHENTICATOR
Log in to our server via SSH as user root:
$: ssh user@IP_Address
Update the package lists and upgrade the installed packages (both commands need root privileges):
$: sudo apt-get update && sudo apt-get upgrade
Install the Google Authenticator PAM module:
$: sudo apt-get install libpam-google-authenticator
STEP 2 – CONFIGURE GOOGLE AUTHENTICATOR
Once the package is installed, run the google-authenticator program to create a key for the user you will be logging in with. The program can generate two types of authentication tokens: time-based and counter-based one-time tokens. Time-based passwords change at a fixed interval (30 seconds by default), and counter-based one-time passwords are each valid for a single authentication. In our case, we will use time-based passwords. Run google-authenticator as that user to create the keys.
We will be asked if we want the authentication to be time-based.
Do you want authentication tokens to be time-based (y/n) y
A large QR code will be generated in our terminal. We can scan the code with the authenticator application on our Android/iOS/Windows phone or tablet, or enter the secret key shown on the screen manually.
Emergency scratch codes will also be generated. We can use these codes for authentication in case we lose our mobile device, so store them somewhere safe; each one can only be used once.
Your emergency scratch codes are: 80463533 68335920 89221348 12489672 11144603
Save the authentication settings for the root user by answering the next questions as shown below:
Do you want me to update your "/root/.google_authenticator" file (y/n) y
Do you want to disallow multiple uses of the same authentication token? This restricts you to one login about every 30s, but it increases your chances to notice or even prevent man-in-the-middle attacks (y/n) y
By default, tokens are good for 30 seconds and in order to compensate for possible time-skew between the client and the server, we allow an extra token before and after the current time. If you experience problems with poor time synchronization, you can increase the window from its default size of 1:30min to about 4min. Do you want to do so (y/n) n
If the computer that you are logging into isn't hardened against brute-force login attempts, you can enable rate-limiting for the authentication module. By default, this limits attackers to no more than 3 login attempts every 30s. Do you want to enable rate-limiting (y/n) y
Now we have the Google Authenticator application configured, and the next step is to configure the PAM authentication settings for the OpenSSH service. Open the PAM configuration file for sshd and add the following line:
$: sudo nano /etc/pam.d/sshd
auth required pam_google_authenticator.so
Save the changes, then open the "/etc/ssh/sshd_config" file and enable Challenge Response Authentication:
$: sudo nano /etc/ssh/sshd_config
ChallengeResponseAuthentication yes
Save the file, and restart the SSH server for the changes to take effect.
$: sudo systemctl restart ssh
Two-factor authentication is now enabled on our server, and every time we try to log in to our Ubuntu 16.04 LTS Server Edition via SSH we will have to enter our user's password and then the verification code generated by Google Authenticator. Keep your current SSH session open while you test a new login from a second terminal, so that a mistake in the PAM or sshd configuration does not lock you out.
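The following is an added example, not code from the tutorial or from the libpam-google-authenticator project: it shows how the time-based codes the module checks are derived (RFC 6238 TOTP: HMAC-SHA1, 6 digits, 30-second steps) and models how the two setup answers above, the 1:30min window and the single-use rule, affect verification. The base32 secret is the RFC 4226 reference test key, not a real one, and the verifier is a simplified model of the module's behaviour.

```python
"""Added example: TOTP code derivation and a model of the window /
single-use checks that pam_google_authenticator performs."""
import base64
import hashlib
import hmac
import struct

# RFC 4226 reference test key ("12345678901234567890"), base32-encoded;
# NOT a real secret. google-authenticator prints secrets in this form.
RFC_TEST_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
STEP_SECONDS = 30


def hotp(secret_b32: str, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP over a counter; pads the unpadded base32 secret."""
    key = base64.b32decode(secret_b32.upper() + "=" * (-len(secret_b32) % 8))
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                       # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret_b32: str, unix_time: int) -> str:
    """The time-based token: HOTP with the 30-second step as the counter."""
    return hotp(secret_b32, unix_time // STEP_SECONDS)


class TotpVerifier:
    """Models the setup answers: window size (default 3 tokens = 1:30min,
    i.e. one step before and after 'now') and 'disallow multiple uses'."""

    def __init__(self, secret_b32, scratch_codes, window=3):
        self.secret = secret_b32
        self.scratch = set(scratch_codes)   # emergency codes, single use
        self.half = window // 2             # steps accepted before/after now
        self.used = set()                   # counters already accepted
        # (the real module only remembers recent counters; this keeps all)

    def verify(self, code: str, unix_time: int) -> bool:
        if code in self.scratch:
            self.scratch.remove(code)       # a scratch code burns on use
            return True
        now = unix_time // STEP_SECONDS
        for counter in range(now - self.half, now + self.half + 1):
            if counter in self.used:
                continue                    # reuse of an accepted token
            if hmac.compare_digest(hotp(self.secret, counter), code):
                self.used.add(counter)
                return True
        return False
```

A token for a step outside the window is rejected even though it is cryptographically valid, which is why the setup program warns about clock skew between client and server.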
Disclaimer: All the tutorials included on this site are performed in a lab environment to simulate a real world production scenario. As everything is done to provide the most accurate steps to date, we take no responsibility if you implement any of these steps in a production environment.
“We learn from our mistakes”