SSH (Secure Shell) is used to access remote Linux systems. By default, when users access your server over SSH, they only type a username and password to log in. Because SSH is often used to connect to computers containing important data, it's recommended to add another security layer.
This is where two-factor authentication comes in. With two-factor authentication, the user has to provide one more detail in addition to the login username and password, which adds an extra layer of security. Follow these steps to configure and use two-factor authentication.
To set up two-factor authentication, you need a non-root user with sudo permission. The server also needs an SSH key and a firewall enabled. You also need a phone or tablet with a TOTP authenticator app installed, such as Google Authenticator or Authy.
Installing and configuring Google Authenticator package
After you have logged in to the server, install the Google Authenticator package with the commands below.
sudo apt-get update
sudo apt-get install libpam-google-authenticator
Now, to generate time-based one-time passwords on your device, run the command below.
It will ask a few questions. The first question will be:
Type y and hit the Enter key. This will output a QR code.
Open the TOTP app on your phone or tablet and scan the QR code.
This will add an account in the authentication application, which will generate a new OTP code every 30 seconds.
On the server, it will then ask a few more questions. Here are the recommended answers for these questions.
Configure the SSH to use Google Authenticator
The TOTP app changes the token every 30 seconds. We will configure SSH to use it. To make SSH use the Google Authenticator module, add the lines below in the
Now restart the SSH daemon using the command below.
sudo systemctl restart sshd.service
/etc/ssh/sshd_config file and change
That's it! You have configured two-factor authentication for SSH using TOTP. Now, every time you log in to your server over SSH, you will be asked for an authentication code in addition to your login username and password.
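To show how the 30-second codes described above are derived and checked, here is an added Python example (not code from the original page or from the Google Authenticator package) that implements TOTP per RFC 6238. The secret is the RFC test key, and the verify() helper, its window parameter and the used set are assumptions made for illustration.

```python
import base64
import hashlib
import hmac
import struct

# Constructed sample secret: the RFC 6238 test key, Base32-encoded as an app stores it.
SECRET = base64.b32encode(b"12345678901234567890").decode()


def hotp(secret_b32, counter, digits=6):
    """RFC 4226: HMAC-SHA1 over the 8-byte counter, then dynamic truncation."""
    s = secret_b32.replace(" ", "").upper()
    key = base64.b32decode(s + "=" * (-len(s) % 8))  # app secrets often omit padding
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def totp(secret_b32, now, step=30, digits=6):
    """RFC 6238: the counter is the number of 30-second steps since the Unix epoch."""
    return hotp(secret_b32, int(now) // step, digits)


def verify(secret_b32, code, now, window=1, step=30, used=None):
    """Accept a code for the current step or up to `window` steps either side.

    `used` is a caller-held set of accepted counters (hypothetical helper state);
    a code whose step was already accepted is rejected, so it cannot be replayed.
    """
    current = int(now) // step
    for counter in range(max(0, current - window), current + window + 1):
        expected = hotp(secret_b32, counter)
        if hmac.compare_digest(expected.encode(), code.encode()):
            if used is not None:
                if counter in used:
                    return False
                used.add(counter)
            return True
    return False


if __name__ == "__main__":
    import time
    print("current code:", totp(SECRET, time.time()))
```

The window tolerates small clock drift between phone and server; a wider window accepts older codes for longer, so keep it small and keep the server clock synchronized.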