Chances are you administer your Linux machines by way of logging in via SSH. If you do, you should probably have already configured two-factor authentication to help lock down that login. But what if you want to take that one massive step forward by enabling SSH key authentication? The one-two punch of two-factor authentication and key authentication really makes your Linux server a challenging fortress to penetrate.
However, there's one slight problem. You cannot simply configure two-factor authentication as per usual. When using two-factor authentication in conjunction with SSH key authentication, you must take extra measures to ensure it will function as expected. It's no more challenging than setting up either system on its own; you just have to make a few configuration changes.
What you need
You should first have physical access to the Linux server you are going to configure. The last thing you want is to be working on this remotely, only to find you've locked yourself out of your machine. Next, you need to make sure you have both two-factor authentication and SSH key authentication working. Do these one at a time. First set up two-factor authentication. Once that is working, comment out the new lines in both /etc/ssh/sshd_config and /etc/pam.d/sshd and restart sshd. Once you have two-factor authentication disabled, set up SSH key authentication. After you are able to log into your server using key authentication, we'll reconfigure two-factor authentication to allow it to function with key authentication.
The first thing to do is open /etc/pam.d/sshd. Earlier, you commented out the following line (by adding a # at the beginning of it):
auth required pam_google_authenticator.so
Leave that line commented out. At the top of that file (under the #%PAM-1.0 line) add the following:
auth sufficient pam_google_authenticator.so
Save and close that file.
Next, open /etc/ssh/sshd_config. In that file, you'll need to configure the following lines:
ChallengeResponseAuthentication yes
UsePAM yes
AuthenticationMethods publickey,keyboard-interactive
PasswordAuthentication no
If you see any of the above lines commented out, remove the # to uncomment them. If you don't see any of the above lines, make sure to add them. If you see those lines configured in any different way, edit them to reflect the above. Once you've made those modifications, save and close the file. Restart sshd with the command:
sudo systemctl restart sshd
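Because a mistake in either file can lock you out once sshd restarts, it helps to audit both files before running that restart. The script below is an added example, not part of the original article: it checks /etc/ssh/sshd_config for the four directives above and /etc/pam.d/sshd for the PAM line, against constructed sample files so it runs offline. Two details matter here: sshd uses the first value it finds for each keyword, so an earlier `PasswordAuthentication yes` silently overrides a later `no`, and directives inside a `Match` block are conditional, so the check stops there. The file paths and the sample contents are assumptions for illustration; point the functions at the real files on your server to audit them.

```shell
#!/bin/sh
# Added example: pre-restart audit of the two files the article edits.

# first_value FILE KEYWORD
# Prints the FIRST global (pre-Match) uncommented value of KEYWORD, or nothing.
# sshd honours the first occurrence of a keyword, so that is the effective one.
first_value() {
    awk -v key="$2" '
        NF == 0 || $1 ~ /^#/ { next }          # skip blank lines and comments
        tolower($1) == "match" { exit }        # everything after Match is conditional
        tolower($1) == tolower(key) {
            $1 = ""; sub(/^[ \t]+/, ""); sub(/[ \t]+$/, "")
            print; exit
        }
    ' "$1"
}

# check_sshd_config FILE -> prints one line per directive; returns 0 only if all match.
check_sshd_config() {
    file=$1; rc=0
    for pair in \
        "ChallengeResponseAuthentication:yes" \
        "UsePAM:yes" \
        "AuthenticationMethods:publickey,keyboard-interactive" \
        "PasswordAuthentication:no"
    do
        key=${pair%%:*}; want=${pair#*:}
        got=$(first_value "$file" "$key")
        # OpenSSH 8.7+ renamed ChallengeResponseAuthentication to
        # KbdInteractiveAuthentication and keeps the old name as an alias.
        if [ -z "$got" ] && [ "$key" = "ChallengeResponseAuthentication" ]; then
            got=$(first_value "$file" "KbdInteractiveAuthentication")
        fi
        if [ "$got" = "$want" ]; then
            echo "OK       $key $got"
        else
            echo "MISMATCH $key: want '$want', effective value is '${got:-<unset>}'"
            rc=1
        fi
    done
    return $rc
}

# check_pam_sshd FILE -> 0 if the first uncommented "auth" line is
# "auth sufficient pam_google_authenticator.so" and no uncommented
# "auth required pam_google_authenticator.so" remains. Note the PAM semantics:
# "sufficient" ends the stack early on a correct code, while a wrong code is
# ignored and the modules that follow (e.g. an included password check) still run.
check_pam_sshd() {
    awk '
        NF == 0 || $1 ~ /^#/ { next }
        $1 == "auth" && !seen { seen = 1
            first_ok = ($2 == "sufficient" && $3 == "pam_google_authenticator.so") }
        $1 == "auth" && $2 == "required" && $3 == "pam_google_authenticator.so" { required = 1 }
        END { exit !(first_ok && !required) }
    ' "$1"
}

# ---- constructed sample files (assumed content, not taken from a real server) ----
GOOD_SSHD=$(mktemp); BAD_SSHD=$(mktemp); PAM_OK=$(mktemp); PAM_BAD=$(mktemp)
trap 'rm -f "$GOOD_SSHD" "$BAD_SSHD" "$PAM_OK" "$PAM_BAD"' EXIT

cat > "$GOOD_SSHD" <<'EOF'
# constructed sshd_config fragment: the four directives, set once each
Port 22
ChallengeResponseAuthentication yes
UsePAM yes
AuthenticationMethods publickey,keyboard-interactive
PasswordAuthentication no
EOF

cat > "$BAD_SSHD" <<'EOF'
# constructed sshd_config fragment: looks fine at the bottom, but the earlier
# "PasswordAuthentication yes" wins, and AuthenticationMethods is still commented out
PasswordAuthentication yes
ChallengeResponseAuthentication yes
UsePAM yes
#AuthenticationMethods publickey,keyboard-interactive
PasswordAuthentication no
EOF

cat > "$PAM_OK" <<'EOF'
#%PAM-1.0
auth sufficient pam_google_authenticator.so
# auth required pam_google_authenticator.so
@include common-auth
account required pam_nologin.so
EOF

cat > "$PAM_BAD" <<'EOF'
#%PAM-1.0
auth sufficient pam_google_authenticator.so
auth required pam_google_authenticator.so
@include common-auth
EOF

echo "== good sshd_config"; check_sshd_config "$GOOD_SSHD" || echo "-> do not restart sshd yet"
echo "== bad sshd_config";  check_sshd_config "$BAD_SSHD"  || echo "-> do not restart sshd yet"
check_pam_sshd "$PAM_OK"  && echo "== pam.d/sshd sample 1: OK"
check_pam_sshd "$PAM_BAD" || echo "== pam.d/sshd sample 2: required line still active"
```

On a live server, run `check_sshd_config /etc/ssh/sshd_config` and `check_pam_sshd /etc/pam.d/sshd` from your console session and restart sshd only when both return 0; `sshd -t` is still worth running afterwards for syntax errors the audit does not cover.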
You should now be able to log into the server with the combination of two-factor authentication and SSH key authentication. If not, reboot the server. I've witnessed a few instances where restarting the SSH daemon wasn't enough.
Solid SSH security
You'd be hard-pressed to find a more secure means of logging into your Linux servers than with the one-two punch of two-factor authentication and SSH key authentication. Get these set up on a test server, make sure it works, and then, once you've got the hang of it, make it happen on all of your Linux servers. This is absolutely rock-solid SSH security.
Jack Wallen is an award-winning writer for TechRepublic and Linux.com. He’s an avid promoter of open source and the voice of The Android Expert. For more news about Jack Wallen, visit his website jackwallen.com.