Ubuntu – Add Google 2FA for SSH

The Setup

Host: Ubuntu 18.04 “Bionic Beaver” release
Software: Google Chrome

Original article found on linuxbabe

Super handy, and secure way to ssh into your Linux Box at home. This uses the Android Google Authenticator for the QR code, generated right in the SSH window. And you get the added bonus of 6 one-time use codes to use.

To start, SSH into your Unbuntu computer as root.

$ sudo apt install libpam-google-authenticator

Then run the google-authenticator command to create a new secret key in your home directory.

$ google-authenticator

When asked:

Do you want Authentications to be time-based (y/n)

Answer Y!

The QR code should display in the SSH window, ideally you want to scan this into your Google Authenticator. Other sources point out that FreeOTP (developed by RedHat can serve the same purpose)

once scanned into your mobile Google Authenticator, it should show as a new entry.

Configure SSH daemon to use google authenticator

$ sudo nano /etc/ssh/sshd_config

Add in:

UsePAM yes
ChallengeResponseAuthentication yes

Save file

$ sudo systemctl restart ssh
$ sudo nano /etc/pam.d/sshd

Add the lines

@include common-auth
Auth required pam_google_authenticator.so

Save the file!

Now anytime you connect to your SSH terminal to this server, you’ll receive the 2FA push

[ivory-search 404 "The search form 3350 does not exist"]

Leave a Reply

Your email address will not be published. Required fields are marked *

*

*

*

This site uses Akismet to reduce spam. Learn how your comment data is processed.