SSH Two Factor Authentication With Google Authenticator
Setting up genuine two-factor authentication (2FA) for SSH used to be awkward: the server had no supported way to demand two different methods in one login. OpenSSH 6.2 added that ability, and this article shows how to use it with the Google Authenticator PAM module on Ubuntu so that an SSH login requires both the user's key and a time-based one-time code from their phone.
Quick Start
To get started, follow these steps:
1. Install the Google Authenticator PAM module:

   sudo apt-get install libpam-google-authenticator

2. Each user who will log in with 2FA runs, as themselves:

   google-authenticator

   The command interactively creates ~/.google_authenticator, which holds the user's shared secret and a set of emergency scratch codes, and prints a QR code so the secret can be loaded into a TOTP app such as Google Authenticator on the user's phone. Do this for every account before enforcing the second factor in the following steps: once the PAM module is required, an account without this file cannot log in.

3. Edit /etc/ssh/sshd_config with a text editor of your choice and set:

   ChallengeResponseAuthentication yes
   PasswordAuthentication no
   AuthenticationMethods publickey,keyboard-interactive

   Also confirm the following are set (they are the Ubuntu defaults):

   UsePAM yes
   PubkeyAuthentication yes

   On OpenSSH 8.7 and later the first directive is named KbdInteractiveAuthentication; ChallengeResponseAuthentication is still accepted as an alias, so either spelling works on current Ubuntu releases.

4. Edit the PAM configuration file for SSH, /etc/pam.d/sshd, and replace the line

   @include common-auth

   with

   auth required pam_google_authenticator.so

   PAM reads this file on every login, so no service restart is needed for this change.

5. Reload the SSH service to apply the sshd_config changes:

   sudo service ssh reload

   Run sshd -t first to catch syntax errors, and keep your current session open while you test a fresh login from a second terminal; if the new login fails, you can still revert the change from the session you already have.
How It Works
Before OpenSSH 6.2, sshd accepted a single successful method. Several methods could be enabled at once, but the first one to succeed completed the login, so enabling both keys and passwords made authentication weaker, not stronger. Public-key authentication also happens inside sshd, outside the Pluggable Authentication Modules (PAM) stack, which left no supported way to require a key and then a PAM-driven second factor.
OpenSSH 6.2 introduced the AuthenticationMethods directive. A comma-separated list names methods that must all succeed, in order, for the login to be accepted; several such lists separated by spaces are alternatives, any one of which is enough. With publickey,keyboard-interactive the client must first present a valid key and then complete the keyboard-interactive exchange, which sshd hands to PAM. With the PAM stack for sshd reduced to the Google Authenticator module, PAM becomes the second factor.
Why It’s More Secure
This approach has two advantages over earlier ways of bolting a second factor onto SSH:
- Smaller attack surface: it relies on sshd's native AuthenticationMethods support and the standard PAM stack, so no out-of-tree sshd patches, wrapper scripts, or forced commands are needed.
- Mature components: OpenSSH and Linux-PAM are long-lived, widely reviewed authentication codebases, a far better foundation than custom glue that sits between the two.
Any Catches?
A few things to be aware of:
- The libpam-google-authenticator package lives in Ubuntu's "universe" repository, which means security updates are community-supported rather than handled by Canonical. If this setup gains popularity it may move to "main", which would bring full support.
- Enrolment must precede enforcement. With the PAM line written as above, a user who has not run google-authenticator has no ~/.google_authenticator file and is locked out. The module accepts a nullok option that lets such users skip the second factor, but that turns the guarantee into "2FA for whoever opted in", so use it only during a rollout and remove it afterwards.
- ~/.google_authenticator contains the shared secret and the emergency scratch codes, so treat it as a credential: the module refuses to use it if it is readable by other users, and the scratch codes should be stored somewhere other than the server they unlock.
Variations
The same mechanism supports other combinations of factors:
- If you leave /etc/pam.d/sshd unmodified, the keyboard-interactive step runs the normal common-auth stack, so logins require the user's key and their account password.
- To require all three, key, password, and the code from the second-factor device, keep the @include common-auth line in /etc/pam.d/sshd and insert auth required pam_google_authenticator.so on the line before it, so the code is checked first and then the password.
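As an added example that is not part of the original article, the POSIX shell helpers below apply the Quick Start's sshd_config directives and the PAM edit, in either the key-plus-code form or the key-plus-password-plus-code variation just described, to whatever files you pass them, so the change can be rehearsed on copies before touching /etc. The function names, the replace/keep modes, and the choice to leave Match blocks untouched are this example's own design; the directives and the PAM line are the ones the article uses.

```shell
#!/bin/sh
# Added example (not the article's code): helpers that apply the article's
# sshd_config directives and PAM edit to the files named on the command line.
# Function names and the "replace"/"keep" modes are this example's own.

# set_sshd_option FILE KEY VALUE
# sshd honours the FIRST top-level occurrence of a directive, so every existing
# top-level definition of KEY (active or commented out) is dropped, lines inside
# Match blocks are left alone, and the new line is written at the top.
set_sshd_option() {
    file=$1; key=$2; value=$3
    tmp=$(mktemp) || return 1
    awk -v k="$key" '
        BEGIN { k = tolower(k); inmatch = 0 }
        tolower($1) == "match" { inmatch = 1 }
        !inmatch {
            line = $0
            sub(/^[ \t]+/, "", line)
            sub(/^#+[ \t]*/, "", line)      # compare commented-out lines too
            split(line, f, "[ \t=]+")
            if (tolower(f[1]) == k) next
        }
        { print }
    ' "$file" > "$tmp" || { rm -f "$tmp"; return 1; }
    # Rewrite in place with > so the file keeps its inode, owner and mode.
    { printf '%s %s\n' "$key" "$value"; cat "$tmp"; } > "$file"
    rm -f "$tmp"
}

# get_sshd_option FILE KEY: print the effective top-level value of KEY.
get_sshd_option() {
    awk -v k="$2" '
        BEGIN { k = tolower(k) }
        tolower($1) == "match" { exit }
        tolower($1) == k { print $2; exit }
    ' "$1"
}

# configure_pam FILE MODE
#   replace : key + TOTP code          (the Quick Start setup)
#   keep    : key + TOTP code + password (the three-factor variation)
# Idempotent: a file that already references the module is left untouched.
configure_pam() {
    file=$1; mode=$2
    line='auth required pam_google_authenticator.so'
    grep -q 'pam_google_authenticator\.so' "$file" && return 0
    tmp=$(mktemp) || return 1
    awk -v l="$line" -v m="$mode" '
        /^@include[ \t]+common-auth[ \t]*$/ {
            print l                       # the code is checked first ...
            if (m == "keep") print        # ... then the password, if wanted
            next
        }
        { print }
    ' "$file" > "$tmp" || { rm -f "$tmp"; return 1; }
    cat "$tmp" > "$file"
    rm -f "$tmp"
}

# On a real host, as root, and only after every user has run google-authenticator:
#   set_sshd_option /etc/ssh/sshd_config ChallengeResponseAuthentication yes
#   set_sshd_option /etc/ssh/sshd_config PasswordAuthentication no
#   set_sshd_option /etc/ssh/sshd_config AuthenticationMethods publickey,keyboard-interactive
#   configure_pam /etc/pam.d/sshd replace
#   sshd -t && service ssh reload     # validate before reloading; keep a session open
```

Run the functions against copies first, diff the result against the originals, and only then point them at /etc; after the reload, confirm a fresh login from a second terminal asks for the key and then the verification code before closing the session you started from.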
By following these steps, you can easily set up two-factor authentication for SSH on your Ubuntu system, significantly enhancing the security of your remote access.