How to Enable Two-Factor Authentication for SSH Connection


By itself, SSH is a secure way of connecting to a remote machine. However, if you want to add extra security to your SSH connection, you can enable two-factor authentication, which prompts you for a random verification code when you connect via SSH. We previously showed you how to do so on various social networks; here we show you how to add two-factor authentication to your SSH connection.

Note: these instructions are based on Ubuntu Server. If you are using another distribution, some of the commands may vary.

Installing Two-Factor Authentication for SSH

Open a terminal session on the machine where you will install the two-factor authentication and type the following:

sudo apt install ssh libpam-google-authenticator

To complete the installation, run:

google-authenticator


Configuring SSH Two-Factor Authentication

You will be prompted with a series of questions. In most situations, you can type “y” (yes) as the answer. If you make a mistake at any point, press Ctrl + C, then run google-authenticator again to reset the settings.

  1. The program will ask you if you want authentication tokens to be time-based. For this, press Y then Enter.

     After this question, you should see your secret key and emergency code. Record and save the details. You will need the secret key to set up the Google Authenticator app later.

  2. The program will ask you if you want to update your “/home/username/.google_authenticator” file. Press Y then Enter.
  3. The program will ask if you want to disallow multiple uses of the same authentication token. Doing so restricts you to only one login every 30 seconds. This can be helpful if you want to make sure that only one active connection can use an authentication token at any given time.
  4. By default, authentication tokens are only good for 30 seconds. To compensate for a possible time skew between the client and server, you can increase the window from its default size of 1-1/2 minutes to about 4. This can be useful in cases where the clock of your local machine or remote server is not properly synchronized.
  5. Enable rate-limiting for the authentication module. This option limits attackers to no more than 3 login attempts every 30 seconds.
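To make the time-based, single-use and window settings above concrete, here is an added example (not part of the original article and not the PAM module's own code) that computes a time-based code as specified in RFC 6238 and checks it the way those prompts describe. The `Verifier` class and `DEMO_SECRET` are hypothetical, and the example assumes the window counts permitted codes (3 = previous, current and next 30-second step, which matches the 1-1/2 minute default).

```python
import base64, hashlib, hmac, struct

STEP = 30  # seconds each token is valid for

def totp(secret_b32, unix_time, digits=6):
    """RFC 6238 code (HMAC-SHA1) for the 30-second step containing unix_time."""
    secret = secret_b32.replace(" ", "").upper()
    secret += "=" * (-len(secret) % 8)           # restore stripped base32 padding
    key = base64.b32decode(secret)
    counter = struct.pack(">Q", int(unix_time) // STEP)
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation, RFC 4226
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

class Verifier:
    """Hypothetical server-side check: skew window plus one-time use."""

    def __init__(self, secret_b32, window=3, allow_reuse=False):
        self.secret = secret_b32
        self.half = window // 2      # window=3 -> previous, current, next step
        self.allow_reuse = allow_reuse
        self.used_steps = set()

    def verify(self, code, now):
        current = int(now) // STEP
        first = max(0, current - self.half)
        for step in range(first, current + self.half + 1):
            if hmac.compare_digest(totp(self.secret, step * STEP), code):
                if not self.allow_reuse and step in self.used_steps:
                    return False     # same token presented twice
                self.used_steps.add(step)
                return True
        return False

# Constructed demo secret: base32 of the RFC 6238 test key "12345678901234567890".
DEMO_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"

if __name__ == "__main__":
    code = totp(DEMO_SECRET, 59)             # token from the previous step
    v = Verifier(DEMO_SECRET, window=3)
    # accepted once inside the window, rejected on reuse, rejected when too old
    print(code, v.verify(code, 65), v.verify(code, 65), v.verify(code, 130))
```

A larger window tolerates more clock drift but also keeps every token usable for longer, which is why keeping the server clock synchronized is preferable to widening it.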

Configure SSH to Use the Google Authenticator

  1. Open the “/etc/pam.d/sshd” file:

sudo nano /etc/pam.d/sshd

  2. Add this line to the top of the file:

auth       required     pam_google_authenticator.so

  3. Press Ctrl + O and Ctrl + X to save and exit the file.
  4. Open the “/etc/ssh/sshd_config” file:

sudo nano /etc/ssh/sshd_config

  5. Scroll down to the bottom of the file and type the following line:

ChallengeResponseAuthentication yes

  6. Save and exit the file.
  7. Restart the ssh server:

sudo systemctl restart ssh
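sshd uses the first value it obtains for each keyword, so a line appended at the bottom of sshd_config has no effect if the same option is already set higher up. The following added example (not from the original article) audits the two files edited above for that case; the sample file contents are constructed, the function names are hypothetical, and the alias handling is an assumption that holds for OpenSSH 8.7 and later.

```python
# Assumption: OpenSSH 8.7+ treats ChallengeResponseAuthentication as a
# deprecated alias of KbdInteractiveAuthentication, so both set one option.
ALIASES = {"challengeresponseauthentication": "kbdinteractiveauthentication"}
# Built-in defaults documented in sshd_config(5).
DEFAULTS = {"kbdinteractiveauthentication": "yes", "usepam": "no"}

def effective_options(sshd_config_text):
    """Global options from sshd_config text; the first value per keyword wins.
    Include files and Match blocks are not evaluated in this sketch."""
    options = {}
    for raw in sshd_config_text.splitlines():
        parts = raw.strip().split(None, 1)
        if len(parts) < 2 or parts[0].startswith("#"):
            continue
        key = parts[0].lower()
        if key == "match":
            break
        options.setdefault(ALIASES.get(key, key), parts[1].strip().lower())
    return {**DEFAULTS, **options}

def pam_requires_totp(pam_text):
    """True if an uncommented 'auth required pam_google_authenticator.so' exists."""
    for raw in pam_text.splitlines():
        fields = raw.split()
        if len(fields) >= 3 and fields[0] == "auth" \
                and fields[2] == "pam_google_authenticator.so":
            return fields[1] == "required"
    return False

def audit(sshd_config_text, pam_text):
    """Return a list of reasons the verification-code prompt would not appear."""
    opts = effective_options(sshd_config_text)
    problems = []
    if opts["kbdinteractiveauthentication"] != "yes":
        problems.append("keyboard-interactive auth is disabled by an earlier line")
    if opts["usepam"] != "yes":
        problems.append("UsePAM is not yes, so /etc/pam.d/sshd is never consulted")
    if not pam_requires_totp(pam_text):
        problems.append("pam_google_authenticator.so is not a required auth module")
    return problems

# Constructed sample files: the appended line is shadowed by the first one.
SAMPLE_SSHD = ("KbdInteractiveAuthentication no\nUsePAM yes\n"
               "ChallengeResponseAuthentication yes\n")
SAMPLE_PAM = "auth       required     pam_google_authenticator.so\n@include common-auth\n"

if __name__ == "__main__":
    print(audit(SAMPLE_SSHD, SAMPLE_PAM))
```

On a live server, `sudo sshd -T` prints the effective values after includes are resolved, and keeping a second SSH session open while restarting the service avoids locking yourself out.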

Setting Up a Key in Google Authenticator

  1. Open the Google Authenticator app (or one of its alternatives) on your smartphone (or desktop). Press the Plus icon on the app’s lower-left corner and select “Enter a setup key.”
  2. Provide a name for your authentication app.
  3. Type the secret key that you generated earlier and press “Add.”

When you connect via SSH to your remote computer, you will see the prompt for the verification code.


Note: two-factor authentication only works for password-based logins. If you are already using a public/private key for your SSH session, it will bypass the two-factor authentication and log you in directly.

Frequently Asked Questions

I am using a Yubikey. Can I still use two-factor authentication in SSH?

No. The Google authentication module only works with a standard SSH password login. Similar to setting up a public SSH key, it is not possible to use this particular module with other external two-factor solutions, such as the Yubikey.

Is it possible to use the same authentication key on a different phone?

Yes. You can easily use a different phone with Google Authenticator as long as you either have your secret key or its QR code. However, you need to make sure that you have fully removed your authentication key on the previous device before you import it to a new one, as any bad actor that obtains access to the previous device will be able to bypass your two-factor challenge.

Can you use a different two-factor authentication app with SSH?

Yes. While the developers of the libpam module specifically designed it to work with Google Authenticator, you can still use it with other authentication apps, as the format of a two-factor secret key is often the same across different implementations.

Image credit: Unsplash. All alterations and screenshots by Ramces Red.

Ramces Red - Staff Writer

Ramces is a technology writer that lived with computers all his life. A prolific reader and a student of Anthropology, he is an eccentric character that writes articles about Linux and anything *nix.