If you’re a Linux administrator looking to lock down your Linux servers and desktops as tightly as possible, you owe it to yourself to make use of two-factor authentication. This is about as much of a no-brainer as they come. Why? Because adding two-factor authentication makes it far more difficult for malicious users to gain access to your machines. With Linux, you can set up a machine so that nobody can log into the console, the desktop, or a secure shell session without the two-factor authentication code associated with that machine.
I’m going to walk you through the process of setting this up on Ubuntu Server 16.04. If you’ve attempted this process before, know that the steps have changed and the previously detailed method no longer works.
Before you begin
There is one thing you must know about adding two-factor authentication: once it is set up, you will not be able to access your machine without the codes generated by the third-party app. Every time you want to log in, you will need either your smartphone or the emergency codes (generated during setup of the necessary tools).
What you’ll need
Obviously, you’ll need a Linux server or desktop. Make sure it is fully updated and your data is backed up (because you never know). You will also need a third-party application (such as Authy or Google Authenticator) to generate your two-factor codes. Personally, I use Authy for this task. I will not walk through the process of installing either the Authy or Google Authenticator app (as that is self-explanatory).
With that said, let’s set this up.
Installation
Log into your Linux machine and follow these steps:
- Open a terminal window
- Issue the command sudo apt install libpam-google-authenticator
- Type your sudo password and hit Enter
- If prompted, type y and hit Enter
- Allow the installation to complete
Now it’s time to configure the machine for two-factor authentication.
Configuration
Back at your terminal window, issue the command sudo nano /etc/pam.d/common-auth. Add the following line to the bottom of the file:
auth required pam_google_authenticator.so nullok
Save and close that file. The nullok option lets a user who has not yet generated a secret keep logging in with only a password; once every account has been enrolled, you can remove it so that a code is always required.
Now we must set up google-authenticator for every user that needs to log into the machine. I will demonstrate with a single user. Go back to the terminal window and, as the user in question, issue the command google-authenticator. You will be required to answer a series of questions. The first question is: Do you want authentication tokens to be time-based (y/n). Answer that with a y and you will be presented with a QR code (Figure A). Open up your two-factor app on your smartphone, add a new account, and scan that code.
Figure A
Once you’ve added the code, answer the remaining questions, which are:
- Do you want me to update your “/home/jlwallen/.google_authenticator” file (y/n)
- Do you want to disallow multiple uses of the same authentication token? This restricts you to one login about every 30s, but it increases your chances to notice or even prevent man-in-the-middle attacks (y/n)
- By default, tokens are good for 30 seconds, and to compensate for possible time-skew between the client and the server, we allow an extra token before and after the current time. If you experience problems with poor time synchronization, you can increase the window from its default size of 1:30min to about 4min. Do you want to do so (y/n)
- If the computer that you are logging into isn’t hardened against brute-force login attempts, you can enable rate-limiting for the authentication module. By default, this limits attackers to no more than 3 login attempts every 30s. Do you want to enable rate-limiting (y/n)
Answer each question by typing y and hitting enter.
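To make the three y/n questions above concrete, here is an added Python model (not the article's code, and not the PAM module's own implementation) of how a six-digit time-based code is derived from the stored secret and checked: 30-second steps, a skew window of one step either side by default (wider if you enlarge it), and rejection of a token that has already been accepted. The replay record is an in-memory set, an assumption for illustration rather than the module's on-disk format.

```python
# Added example (not the article's code): a minimal model of how the code
# from your phone is checked against the secret stored in
# ~/.google_authenticator, covering the three google-authenticator prompts:
# 30-second time steps, the clock-skew window, and refusing a reused token.
import base64
import hashlib
import hmac
import struct

STEP_SECONDS = 30  # "tokens are good for 30 seconds"
DIGITS = 6         # Google Authenticator shows six-digit codes


def totp_code(secret_b32: str, unix_time: int) -> str:
    """RFC 6238 TOTP (HMAC-SHA1, 6 digits) for the step containing unix_time."""
    key = base64.b32decode(secret_b32.upper())
    counter = unix_time // STEP_SECONDS
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                   # dynamic truncation
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** DIGITS).zfill(DIGITS)


class TotpVerifier:
    """skew_steps=1 is the default window (previous, current and next code,
    i.e. 1:30 min); a larger value models the wider-window option.
    disallow_reuse models "disallow multiple uses of the same token"."""

    def __init__(self, secret_b32, skew_steps=1, disallow_reuse=True):
        self.secret = secret_b32
        self.skew_steps = skew_steps
        self.disallow_reuse = disallow_reuse
        self.used_steps = set()  # constructed replay record (assumption)

    def verify(self, code: str, unix_time: int) -> bool:
        now_step = unix_time // STEP_SECONDS
        for delta in range(-self.skew_steps, self.skew_steps + 1):
            step = now_step + delta
            if step < 0:
                continue
            expected = totp_code(self.secret, step * STEP_SECONDS)
            if hmac.compare_digest(expected.encode(), code.encode()):
                if self.disallow_reuse and step in self.used_steps:
                    return False  # same token presented a second time
                self.used_steps.add(step)
                return True
        return False  # no code within the window matched
```

The test secret below is the RFC 6238 reference key (ASCII "12345678901234567890" in base32); on a real machine the secret is the base32 string google-authenticator prints and must stay private.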
Configure SSH
Next we must set up ssh to allow two-factor authentication. Otherwise you won’t be able to log in via ssh. Here’s what you do:
First, enable the PAM module. To do this, issue the command sudo nano /etc/pam.d/sshd. With the file open, add the following line to the bottom of the file:
auth required pam_google_authenticator.so nullok
Save that file and then issue the command sudo nano /etc/ssh/sshd_config. In this file, look for:
ChallengeResponseAuthentication no
and change it to:
ChallengeResponseAuthentication yes
Save that file and restart sshd with the command sudo systemctl restart sshd. Note that this covers password (keyboard-interactive) logins: an SSH client that authenticates with a public key does not pass through the PAM auth stack, so it will not be asked for a code unless sshd is also configured to require both methods.
Logging in
Before you log out of your server from the current working terminal window, I highly suggest you open up a new window and attempt to secure shell into the machine. If you cannot log in, go back through the steps and make sure you didn’t miss anything. Once you’ve successfully logged in that way, it’s safe to log out of your current session and log back in.
Welcome to a new level of security
That’s all it takes to add a much-needed layer of extra security to your Linux machines. Remember, without that third-party two-factor authentication app, you will not be able to log into your newly configured machine, so keep that phone handy at all times.