SSH Two factor authentication (2FA)

Locked
User avatar
Mihai Romania
Posts: 60
Joined: 2023 May 03, 14:12
Location: ROMANIA
Contact:
Contact Mihai

SSH Two factor authentication (2FA)

Post by Mihai »

The bellow example is on CentOS7. It does not mater the Linux OS. The procedure is the same for all.
TOTP = Time-based One-time Password algorithm
  • INSTALLATION
Update operating system applications to the latest version (OPTIONAL) using the command

Code: Select all

[root @ CentOS ~] yum update -y
Install google-authenticator

Code: Select all

[root @ CentOS ~] yum install -y google-authenticator
  • CONFIGURATION
If it is desired to implement the 2FA authentication type for a specific user, the authentication is done with that user

Code: Select all

[user @ CentOS ~]$
Run the google-authenticator command

Code: Select all

[user @ CentOS ~]$ google-authenticator
Do you want authentication tokens to be time-based (y/n) y
QR code will be generated in the terminal, which you will have to scan with the Google Authenticaton application installed on your mobile phone or tablet
QR_CODE_EXAMPLE.png
QR_CODE_EXAMPLE.png (55.43 KiB) Viewed 9463 times
NOTE: The above QR code was generated for the username user. This code will only be scanned by user!

All subsequent steps are answered with yes ( y )

Code: Select all

Do you want me to update your "/home/utilizator/.google_authenticator" file? (y/n) y

Do you want to disallow multiple uses of the same authentication
token? This restricts you to one login about every 30s, but it increases
your chances to notice or even prevent man-in-the-middle attacks (y/n) y

By default, a new token is generated every 30 seconds by the mobile app.
In order to compensate for possible time-skew between the client and the server,
we allow an extra token before and after the current time. This allows for a
time skew of up to 30 seconds between authentication server and client. If you
experience problems with poor time synchronization, you can increase the window
from its default size of 3 permitted codes (one previous code, the current
code, the next code) to 17 permitted codes (the 8 previous codes, the current
code, and the 8 next codes). This will permit for a time skew of up to 4 minutes
between client and server.
Do you want to do so? (y/n) y

If the computer that you are logging into isn`t hardened against brute-force
login attempts, you can enable rate-limiting for the authentication module.
By default, this limits attackers to no more than 3 login attempts every 30s.
Do you want to enable rate-limiting? (y/n) y

[user @ CentOS ~]$
A file called .google_authenticator has been created in the /home/user location, which contains 5 emergency codes. These emergency codes are only used in case of emergency, for example google-authenticator can't do the query with the app.

Configure OpenSSH
Edit the /etc/pam.d/sshd file

Code: Select all

[root @ CentOS ~] vim /etc/pam.d/sshd
Add the configuration line ( auth required pam_google_authenticator.so nullok ) to the file and save the changes

Code: Select all

# Used with polkit to reauthorize users in remote sessions
-session   optional     pam_reauthorize.so prepare
auth required pam_google_authenticator.so nullok
The nullok parameter at the end of the configuration line means that users who have not set TOTP as their authentication method can still login without noticing any changes. After all users have TOTP as their authentication method, the nullok parameter can be deleted in order to allow only TOTP authentication globally (for all users).

Configure the /etc/ssh/sshd_config file to enable the TOTP authentication method

Code: Select all

[root @ CentOS ~] vim /etc/ssh/sshd_config
Change the following parameter from no to yes of the configuration line below and save the file with the change

Code: Select all

# Change to no to disable s/key passwords
ChallengeResponseAuthentication yes
Save the file, restart the ssh server using the command

Code: Select all

[root @ CentOS ~] service sshd restart
or

Code: Select all

[root @ CentOS ~] systemctl restart sshd.service
Functionality testing

Code: Select all

root@T530:~ $ ssh hosname-server -p 22 -l user
Password:
Verification code:
Last login: Fri Nov  8 13:10:56 2019
[user @ CentOS ~]$
  • ADDITIONAL
Authentication with SSH key
In case an SSH key is also used for authentication, it is necessary to edit the file /etc/ssh/sshd_config and add the line below

Code: Select all

[root @ CentOS ~] vim /etc/ssh/sshd_config
AuthenticationMethods publickey,password publickey,keyboard-interactive
Save the SSH file and restart the SSHd service

Code: Select all

[root @ CentOS ~] service sshd restart
or

Code: Select all

[root @ CentOS ~] systemctl restart sshd.service
I'm on LinkedIn
Top
Locked

Return to “Linux”