Implementing Two-Factor Authentication (2FA) with SSH

Two-factor authentication (2FA) is an essential security measure that significantly enhances the protection of SSH (Secure Shell) access. By requiring an additional verification step beyond just a password or key, 2FA mitigates the risk of unauthorized access even if a password or private key is compromised. This article provides a comprehensive guide on implementing 2FA with SSH, covering various methods and tools to achieve this extra layer of security.

1. Understanding Two-Factor Authentication (2FA)

2FA requires two independent verification forms: something you know (a password, or the passphrase protecting a private key) and something you have (a phone running an authenticator app, or a hardware token). An attacker who has obtained one factor, for example a password from a credential dump or a private key copied off a workstation, still cannot log in without the other, which is why the second factor must be checked for every login path and not only for password logins.

2. Prerequisites for Implementing 2FA with SSH

Before setting up 2FA, ensure the following:

  • You have root or sudo access to the server.
  • OpenSSH is installed, built with PAM support, and properly configured on the server (all three methods below are PAM modules that sshd invokes through the keyboard-interactive authentication method).
  • A mobile device or hardware token to use as the second factor.
  • An already-authenticated SSH session that you keep open for the whole procedure, so that a mistake in the PAM or sshd configuration does not lock you out; test every change from a second terminal before closing the first.

3. Setting Up Google Authenticator for 2FA

Google Authenticator is a widely used app for TOTP (Time-Based One-Time Password) 2FA. The server side is the pam_google_authenticator PAM module; it implements the standard TOTP algorithm (RFC 6238), so any TOTP app, not only Google's, can generate the codes. Here is how to set it up:

  1. Install the PAM module on the server (Debian/Ubuntu package name shown):
   sudo apt-get update
   sudo apt-get install libpam-google-authenticator
  2. Configure Google Authenticator for your user:
    Run the following command as the user who will log in (not as root), and follow the prompts; it writes the secret to that user's ~/.google_authenticator with mode 0400:
   google-authenticator
  • Answer “yes” to time-based tokens.
  • Scan the QR code with your authenticator app (or type in the base32 secret shown below it).
  • Save the emergency scratch codes somewhere safe; each one works exactly once and is your way in if the phone is lost.
  • Answer “yes” to updating your ~/.google_authenticator file.
  • Answer “yes” to disallowing multiple uses of the same token, so a code an attacker observes cannot be replayed within the same 30-second window.
  • Answer “no” to widening the accepted time window unless clock skew between server and phone is a known problem; fix the clock with NTP instead.
  • Answer “yes” to rate limiting (three login attempts per 30 seconds), which slows down guessing of the six-digit code.
  3. Update PAM configuration:
    Edit the PAM SSH configuration file to include Google Authenticator:
   sudo nano /etc/pam.d/sshd

Add the following line. PAM prompts in file order, so placing it after the existing password check (the @include common-auth line on Debian/Ubuntu) asks for the password first and the code second; placing it at the top reverses the prompts. Do not add the nullok option unless you are mid-rollout: it lets any account that has not yet run google-authenticator log in without a code.

   auth required pam_google_authenticator.so
  4. Update SSH configuration:
    Edit the SSH daemon configuration file so that sshd hands the login to PAM over the keyboard-interactive method:
   sudo nano /etc/ssh/sshd_config

Ensure the following lines are present:

   UsePAM yes
   KbdInteractiveAuthentication yes

On OpenSSH releases before 8.7 the second keyword is spelled ChallengeResponseAuthentication; newer releases still accept that name as an alias.

Note: The password prompt is delivered by PAM through keyboard-interactive, so PasswordAuthentication can stay at “no”. More importantly, the lines above add the code only to password logins: a client that presents an authorized public key never enters PAM's auth stack and is logged in with the key alone. To require both a key and a code, also add:

   AuthenticationMethods publickey,keyboard-interactive

  5. Restart the SSH service (the unit is called ssh on Debian/Ubuntu and sshd on RHEL-family systems). Check the configuration first, and keep your existing session open:
   sudo sshd -t && sudo systemctl restart ssh
  6. Test the configuration:
    From a second terminal, SSH into the server. After the key (and, if configured, the password) is accepted you will see the prompt “Verification code:”; enter the current code from your authenticator app. Only close the original session once this works.
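As an added illustration that is not part of the original article, the following bash script computes the same RFC 6238 code the authenticator app shows, from the base32 secret that google-authenticator stores on the first line of ~/.google_authenticator. It is useful when a login is rejected and you need to tell a clock-skew problem from a wrong secret. It assumes bash 4 or later and the openssl command-line tool; the secret and timestamps in the built-in usage example are the published RFC 6238 test vector, not a real key.

```shell
#!/usr/bin/env bash
# Added example (not from the article): compute an RFC 6238 TOTP code, the way
# the authenticator app and pam_google_authenticator both do, from the base32
# secret found on the first line of ~/.google_authenticator.
# Assumes bash 4+ and the openssl CLI. Usage: totp BASE32_SECRET [UNIX_TIME] [DIGITS]
set -euo pipefail

# Decode a base32 (RFC 4648) string to lowercase hex. google-authenticator
# writes the secret without '=' padding, so padding is simply ignored.
b32_to_hex() {
    local alphabet=ABCDEFGHIJKLMNOPQRSTUVWXYZ234567
    local s buf=0 bits=0 i c idx out=""
    s=$(printf '%s' "$1" | tr 'a-z' 'A-Z' | tr -d ' =')
    for ((i = 0; i < ${#s}; i++)); do
        c=${s:i:1}
        idx=${alphabet%%"$c"*}; idx=${#idx}          # position of c in the alphabet
        if (( idx == 32 )); then echo "bad base32 character: $c" >&2; return 1; fi
        buf=$(( (buf << 5) | idx )); bits=$(( bits + 5 ))
        if (( bits >= 8 )); then
            bits=$(( bits - 8 ))
            out+=$(printf '%02x' $(( (buf >> bits) & 0xff )))
            buf=$(( buf & ((1 << bits) - 1) ))      # keep only the leftover bits
        fi
    done
    printf '%s' "$out"
}

# HOTP (RFC 4226): HMAC-SHA1 over the 8-byte big-endian counter, then
# dynamic truncation to DIGITS decimal digits.
hotp() {
    local hexkey=$1 counter=$2 digits=${3:-6}
    local msg mac offset bin i
    msg=$(printf '%016x' "$counter")
    mac=$(for ((i = 0; i < 16; i += 2)); do printf "\\x${msg:i:2}"; done \
          | openssl dgst -sha1 -mac HMAC -macopt "hexkey:$hexkey" | awk '{print $NF}')
    offset=$(( 0x${mac:39:1} ))                              # low nibble of the last byte
    bin=$(( 0x${mac:$((offset * 2)):8} & 0x7fffffff ))       # 31-bit value at that offset
    printf "%0${digits}d" $(( bin % 10 ** digits ))
}

# TOTP (RFC 6238) with the 30-second step that pam_google_authenticator uses.
totp() {
    local secret=$1 now=${2:-$(date +%s)} digits=${3:-6}
    hotp "$(b32_to_hex "$secret")" $(( now / 30 )) "$digits"
}

# Default run uses the RFC 6238 test secret (ASCII "12345678901234567890"), a
# published test vector and not a real key; at T=59 it prints 287082.
if [ "${1-}" ]; then
    totp "$@"
else
    totp GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ 59
fi
```

Run it on the server as the enrolled user, since the secret file is readable only by that user: totp "$(head -n 1 ~/.google_authenticator)". If the printed code matches the app's code exactly, the secret is right and any rejection is elsewhere in the PAM or sshd configuration; if it matches the code the app showed one step earlier or later, the two clocks disagree and NTP, not a re-enrolment, is the fix.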

4. Implementing YubiKey for 2FA

YubiKey is a hardware token that provides an additional factor for SSH access. The libpam-yubico module described here uses the key's one-time-password mode: at the prompt you touch the key and it types a 44-character OTP (the first 12 characters are the key's public ID, the rest are an encrypted payload that changes on every touch), and the module validates the OTP against Yubico's YubiCloud service, so the server needs outbound HTTPS access to that service. OpenSSH 8.2 and later can instead use a YubiKey directly as a FIDO2 security key (ssh-keygen -t ed25519-sk), with no PAM module and no cloud service; that is a touch-to-sign public key rather than a second PAM prompt, and is worth considering where YubiCloud access is unwanted.

  1. Install the YubiKey PAM module:
   sudo apt-get install libpam-yubico
  2. Get your YubiKey client ID and secret key:
    Request a Client ID and Secret Key for the validation API on Yubico's website; they identify your server to YubiCloud and are not tied to a particular key.
  3. Map users to their keys:
    Create /etc/yubikey_mappings with one line per account: the username, a colon, and the public ID(s) of that user's key(s), comma-separated (read the public ID off the first 12 characters of any OTP the key types). This file is what binds a specific physical key to an account; an OTP from any other key is rejected even though YubiCloud would validate it.
  4. Update PAM configuration:
    Edit the PAM SSH configuration file to include YubiKey authentication:
   sudo nano /etc/pam.d/sshd

Add the following line:

   auth required pam_yubico.so id=<your-client-id> key=<your-secret-key> authfile=/etc/yubikey_mappings

Note: /etc/pam.d/sshd is normally world-readable, so the API secret key is visible to every local user. sshd reads its PAM stack as root, so the file can be restricted to root if that matters in your environment.
  5. Update SSH configuration:
    Edit the SSH daemon configuration file:
   sudo nano /etc/ssh/sshd_config

Ensure the following lines are present (the second keyword is ChallengeResponseAuthentication on OpenSSH before 8.7), and add AuthenticationMethods as in section 3 if logins with a public key must also present the OTP:

   UsePAM yes
   KbdInteractiveAuthentication yes
  6. Restart the SSH service (keeping your current session open):
   sudo sshd -t && sudo systemctl restart ssh
  7. Test the configuration:
    From a second terminal, SSH into the server. After your password is accepted you will be prompted for the YubiKey; touch the key and it types the OTP and presses Enter for you.

5. Implementing Duo Security for 2FA

Duo Security provides a hosted 2FA service: pam_duo sends a push notification, phone call or passcode prompt to the user's enrolled device and lets the login proceed only after approval. The server needs outbound HTTPS access to your Duo API hostname.

  1. Sign up for Duo Security:
    Create an account at Duo Security's website and add a Unix application in the admin panel; this gives you an integration key, a secret key and an API hostname.
  2. Install Duo Unix on the server:
    Follow the installation instructions provided by Duo. Building needs a C compiler, make, and the PAM and OpenSSL development headers, and Duo publishes a signature for the tarball that you should verify before building:
   wget https://dl.duosecurity.com/duo_unix-latest.tar.gz
   tar zxf duo_unix-latest.tar.gz
   cd duo_unix-<version>
   ./configure --with-pam --prefix=/usr && make && sudo make install
  3. Configure Duo Security:
    Edit the Duo configuration file:
   sudo nano /etc/duo/pam_duo.conf

Add your integration key (ikey), secret key (skey) and API hostname (host) under the [duo] section. The file holds a secret, so it must be owned by root and not readable by other users (mode 0600). Decide explicitly what happens when Duo's service is unreachable: the failmode setting defaults to “safe”, which allows the login on the first factor alone; set it to “secure” if you would rather refuse logins than silently fall back to single-factor authentication.

  4. Update PAM configuration:
    Edit the PAM SSH configuration file:
   sudo nano /etc/pam.d/sshd

Add the following line after the existing password check (the @include common-auth line on Debian/Ubuntu):

   auth required pam_duo.so
  5. Update SSH configuration:
    Edit the SSH daemon configuration file:
   sudo nano /etc/ssh/sshd_config

Ensure the following lines are present (the second keyword is ChallengeResponseAuthentication on OpenSSH before 8.7), and add AuthenticationMethods as in section 3 if logins with a public key must also go through Duo:

   UsePAM yes
   KbdInteractiveAuthentication yes
  6. Restart the SSH service (keeping your current session open):
   sudo sshd -t && sudo systemctl restart ssh
  7. Test the configuration:
    From a second terminal, SSH into the server. After your password is accepted you will receive a push notification on your Duo-enrolled device; approve it to complete the login.
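The sshd_config step is the same for all three methods above, and it is also where the most common mistake hides: with only UsePAM and KbdInteractiveAuthentication set, PAM is consulted for password logins but a client holding an authorized public key is admitted without ever seeing the second-factor prompt. The following bash script is an added example, not part of the original article or of any of the three products, that audits a configuration file for this. It assumes keywords are written as “Keyword value” (the “Keyword=value” form is not parsed), that the first occurrence of a keyword wins as in sshd, and it does not evaluate Match blocks; the two sample configurations it builds are constructed for the demonstration.

```shell
#!/usr/bin/env bash
# Added example (not from the article): audit an sshd_config to confirm that a
# public key alone cannot log in and that every login passes through the PAM
# keyboard-interactive prompt where the second factor is checked.
# Assumptions: keywords are "Keyword value" (the "Keyword=value" form is not
# parsed), the first occurrence wins as in sshd, and Match blocks are ignored.
set -euo pipefail

# Print the effective value of keyword $2 (given lowercased) in config file $1.
sshd_opt() {
    awk -v k="$2" '
        /^[[:space:]]*#/ || NF == 0 { next }          # comments and blank lines
        tolower($1) == "match"      { exit }          # stop at the first Match block
        tolower($1) == k            { $1 = ""; sub(/^[[:space:]]+/, ""); print; exit }
    ' "$1"
}

# Return 0 when the file enforces key + PAM factor for all logins, 1 otherwise.
check_sshd_2fa() {
    local f=$1 rc=0 usepam kbd methods alt
    usepam=$(sshd_opt "$f" usepam)
    kbd=$(sshd_opt "$f" kbdinteractiveauthentication)
    [ -n "$kbd" ] || kbd=$(sshd_opt "$f" challengeresponseauthentication)   # pre-8.7 spelling
    methods=$(sshd_opt "$f" authenticationmethods)

    if [ "${usepam,,}" != yes ]; then
        echo "FAIL: UsePAM is not 'yes', so the PAM 2FA module never runs"; rc=1
    fi
    if [ "${kbd:-yes}" != yes ]; then                   # sshd default is yes; Debian ships 'no'
        echo "FAIL: keyboard-interactive is disabled, so PAM cannot prompt for a code"; rc=1
    fi
    if [ -z "$methods" ]; then
        echo "FAIL: no AuthenticationMethods; an authorized public key logs in without touching PAM"; rc=1
    fi
    for alt in $methods; do                             # each space-separated list is an alternative
        case ",$alt," in
            *,*,*,*) ;;                                 # at least two methods in this list
            *) echo "FAIL: '$alt' is a single method, not two factors"; rc=1; continue ;;
        esac
        case ",$alt," in
            *,keyboard-interactive,*|*,keyboard-interactive:*) ;;
            *) echo "FAIL: '$alt' never reaches PAM (no keyboard-interactive)"; rc=1 ;;
        esac
    done
    if [ "$rc" -eq 0 ]; then echo "OK: $f requires a key and a PAM-verified second factor"; fi
    return "$rc"
}

# Constructed sample configurations for the demonstration (not real shipped files).
# The first is the minimal change many guides stop at; it lets key logins bypass PAM.
weak_sshd_config() {
    cat <<'EOF'
UsePAM yes
ChallengeResponseAuthentication yes
PasswordAuthentication yes
EOF
}
hardened_sshd_config() {
    cat <<'EOF'
UsePAM yes
KbdInteractiveAuthentication yes
PasswordAuthentication no
AuthenticationMethods publickey,keyboard-interactive
EOF
}

if [ $# -gt 0 ]; then
    check_sshd_2fa "$1"          # e.g. ./audit.sh /etc/ssh/sshd_config
else
    for gen in weak_sshd_config hardened_sshd_config; do
        tmp=$(mktemp); "$gen" >"$tmp"
        echo "== $gen"; check_sshd_2fa "$tmp" || true
        rm -f "$tmp"
    done
fi
```

Run it with no arguments to see the weak configuration fail and the hardened one pass, or point it at /etc/ssh/sshd_config on a server you have just configured. Because sshd's effective settings can also come from an Include directive or a Match block, treat a passing result as a necessary check and confirm with a real login from a second terminal, as in the testing steps above.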

Conclusion

Implementing 2FA with SSH significantly enhances security by adding an extra layer of verification. Whether using Google Authenticator, YubiKey, or Duo Security, each method hands the second check to a PAM module, so the protection is only as complete as the sshd configuration that routes logins through PAM: set UsePAM and KbdInteractiveAuthentication, use AuthenticationMethods so that public-key logins are not exempt, keep an existing session open while you change anything, and test from a second terminal. With those steps in place, a stolen password or private key on its own no longer grants access to your remote connections.