Monday, December 4, 2023

How to enable SSH 2FA on Ubuntu Server 22.04


When you open your Linux servers up for SSH login, there’s always a chance someone could break into that server and do bad things. You don’t want that, but how do you prevent such a reality? One way is to enable two-factor authentication on the server. Once enabled, only those with the properly generated 2FA codes (along with their regular credentials) will be given access.

How do you set up SSH 2FA on your Ubuntu Server? Let me show you.


What you’ll need

The only things you’ll need to make this work are:

  • A running instance of Ubuntu Server 22.04.
  • A user with sudo privileges.

That’s it — let’s make some 2FA magic.

How to install the necessary software

The first thing to do is install a single package: Google Authenticator. This is a command-line tool that makes it possible to add 2FA authentication on your server.

Log into your Ubuntu instance and issue the command:

sudo apt-get install libpam-google-authenticator -y

You’ll then need to run the command to create a secret key. That command is:

google-authenticator

You’ll be asked if you want authentication tokens to be time-based, which you do. Type y and hit Enter on your keyboard. You’ll then be presented with a QR code that can be scanned by your 2FA application.

There’s one gotcha with this: If you’re logged directly into the terminal of the physical machine in question, you might not be able to see the full code. Your best bet is to log in via SSH, so you can resize the terminal to view the full QR code (Figure A).

Figure A

A (blurred out) QR code generated by the google-authenticator app.

Scan the QR code with your 2FA app (such as Authy) or type the secret key if the code is too large for the app to scan and hit enter. You’ll then be prompted to type the code from the app so the account can be confirmed. Once confirmed, you will see the emergency codes for 2FA. Make sure to copy and save them in a safe place such as a password manager and then type y when prompted to update the ~/.google_authenticator file. Next, you’ll be prompted to disallow multiple uses of the same authentication token. Go ahead and type y to accept this, as it can help prevent man-in-the-middle attacks. When prompted, type y for the last question to allow up to a 30-second time-skew between the authentication server and client.

You will also want to enable rate-limiting when prompted by typing y, which limits attackers to no more than three login attempts every 30 seconds.

How to configure the SSH daemon for 2FA

Now that 2FA is installed and configured, we also have to configure the SSH daemon to make use of it. Open the SSH daemon configuration file with:

sudo nano /etc/ssh/sshd_config

First, locate the following line and make sure it’s set to yes:

UsePAM yes

Next, locate the following line and change no to yes:

KbdInteractiveAuthentication no

Save and close the file.

Note: In Ubuntu releases prior to 22.04, the above line will be:

ChallengeResponseAuthentication yes

Next, open the PAM configuration file with:

sudo nano /etc/pam.d/sshd

Under the line @include common-auth, add the following line:

auth   required   pam_google_authenticator.so

Save and close the file.

Restart the SSH daemon with:

sudo systemctl restart sshd

Next, open a new terminal window and attempt to log into the remote machine. You’ll first be prompted for your user password and then prompted for the 2FA code. Upon successfully typing the 2FA code, you should be allowed access to the server.

How to enable 2FA with SSH Key Authentication

If you use SSH Key Authentication (and you should), there’s an extra step you need to take. On the server, open the SSH daemon config file with:

sudo nano /etc/ssh/sshd_config

At the bottom of that file, add the following line:

AuthenticationMethods publickey,keyboard-interactive

Save and close the file.

Restart SSH with:

sudo systemctl restart sshd

Once you’ve verified SSH Key Authentication works, you can disable password authentication by opening the SSH configuration with:

sudo nano /etc/ssh/sshd_config

Locate the following line:

PasswordAuthentication yes

Change that to:

PasswordAuthentication no

Restart SSH with:

sudo systemctl restart sshd

Congratulations, you’ve just configured Ubuntu Server 22.04 for a much more secure SSH login process. Just make sure as you do this that you’re testing via a second terminal window, so you can remain logged into the original should anything go wrong (and you can reset the configurations). Enjoy that extra layer of security.
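
As an added example (not part of the original article), this script checks copies of the two files for the end state the steps above produce: the four sshd_config values and the PAM module placed after common-auth. The function names and the sample files are constructed for illustration, and it reads only the files it is given.

```shell
#!/bin/sh
# Added example: audit the settings from this article. Paths are arguments so
# the check can run against copies of the files. It reads one file only; on a
# live server `sudo sshd -T` prints the effective values, includes and all.

# First value set for a keyword (sshd keywords are case-insensitive and the
# first occurrence wins).
sshd_value() {  # usage: sshd_value <keyword> <sshd_config>
  awk -v k="$1" 'tolower($1) == tolower(k) { print tolower($2); exit }' "$2"
}

# Succeeds only if an active auth line for pam_google_authenticator.so comes
# after "@include common-auth" (password first, then the code).
pam_totp_after_password() {  # usage: pam_totp_after_password <pam_file>
  awk '$1 == "@include" && $2 == "common-auth" { seen = 1 }
       $1 == "auth" && /pam_google_authenticator\.so/ { ok = seen }
       END { exit !ok }' "$1"
}

# Prints PASS/FAIL per check; exit status is the number of failed checks.
audit_ssh_2fa() {  # usage: audit_ssh_2fa <sshd_config> <pam_file>
  fails=0
  while read -r key want; do
    got=$(sshd_value "$key" "$1")
    if [ "$got" = "$want" ]; then echo "PASS $key $want"
    else echo "FAIL $key: want $want, found ${got:-nothing}"; fails=$((fails + 1))
    fi
  done <<'EOF'
UsePAM yes
KbdInteractiveAuthentication yes
AuthenticationMethods publickey,keyboard-interactive
PasswordAuthentication no
EOF
  if pam_totp_after_password "$2"; then echo "PASS PAM: code asked after password"
  else echo "FAIL PAM: pam_google_authenticator.so missing or misplaced"; fails=$((fails + 1))
  fi
  return "$fails"
}

# Constructed sample files (not taken from a real server) in the finished state.
demo=$(mktemp -d)
printf '%s\n' 'UsePAM yes' 'KbdInteractiveAuthentication yes' \
  'PasswordAuthentication no' \
  'AuthenticationMethods publickey,keyboard-interactive' > "$demo/sshd_config"
printf '%s\n' '@include common-auth' \
  'auth   required   pam_google_authenticator.so' > "$demo/pam_sshd"
audit_ssh_2fa "$demo/sshd_config" "$demo/pam_sshd" || echo "$? check(s) failed"
```

Before restarting the daemon, `sudo sshd -t` checks the configuration file for syntax errors, which pairs well with keeping the second terminal open.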
