SSH Two factor authentication (2FA)
Posted: 2023 May 03, 18:42
The bellow example is on CentOS7. It does not mater the Linux OS. The procedure is the same for all.
TOTP = Time-based One-time Password algorithm
Install google-authenticator
Run the google-authenticator command
QR code will be generated in the terminal, which you will have to scan with the Google Authenticaton application installed on your mobile phone or tablet
NOTE: The above QR code was generated for the username user. This code will only be scanned by user!
All subsequent steps are answered with yes ( y )
A file called .google_authenticator has been created in the /home/user location, which contains 5 emergency codes. These emergency codes are only used in case of emergency, for example google-authenticator can't do the query with the app.
Configure OpenSSH
Edit the /etc/pam.d/sshd file
Add the configuration line ( auth required pam_google_authenticator.so nullok ) to the file and save the changes
The nullok parameter at the end of the configuration line means that users who have not set TOTP as their authentication method can still login without noticing any changes. After all users have TOTP as their authentication method, the nullok parameter can be deleted in order to allow only TOTP authentication globally (for all users).
Configure the /etc/ssh/sshd_config file to enable the TOTP authentication method
Change the following parameter from no to yes of the configuration line below and save the file with the change
Save the file, restart the ssh server using the command
or
Functionality testing
In case an SSH key is also used for authentication, it is necessary to edit the file /etc/ssh/sshd_config and add the line below
Save the SSH file and restart the SSHd service
or
TOTP = Time-based One-time Password algorithm
- INSTALLATION
Code: Select all
[root @ CentOS ~] yum update -yCode: Select all
[root @ CentOS ~] yum install -y google-authenticator- CONFIGURATION
Code: Select all
[user @ CentOS ~]$Code: Select all
[user @ CentOS ~]$ google-authenticator
Do you want authentication tokens to be time-based (y/n) y- QR_CODE_EXAMPLE.png (55.43 KiB) Viewed 9465 times
All subsequent steps are answered with yes ( y )
Code: Select all
Do you want me to update your "/home/utilizator/.google_authenticator" file? (y/n) y
Do you want to disallow multiple uses of the same authentication
token? This restricts you to one login about every 30s, but it increases
your chances to notice or even prevent man-in-the-middle attacks (y/n) y
By default, a new token is generated every 30 seconds by the mobile app.
In order to compensate for possible time-skew between the client and the server,
we allow an extra token before and after the current time. This allows for a
time skew of up to 30 seconds between authentication server and client. If you
experience problems with poor time synchronization, you can increase the window
from its default size of 3 permitted codes (one previous code, the current
code, the next code) to 17 permitted codes (the 8 previous codes, the current
code, and the 8 next codes). This will permit for a time skew of up to 4 minutes
between client and server.
Do you want to do so? (y/n) y
If the computer that you are logging into isn`t hardened against brute-force
login attempts, you can enable rate-limiting for the authentication module.
By default, this limits attackers to no more than 3 login attempts every 30s.
Do you want to enable rate-limiting? (y/n) y
[user @ CentOS ~]$Configure OpenSSH
Edit the /etc/pam.d/sshd file
Code: Select all
[root @ CentOS ~] vim /etc/pam.d/sshdCode: Select all
# Used with polkit to reauthorize users in remote sessions
-session optional pam_reauthorize.so prepare
auth required pam_google_authenticator.so nullokConfigure the /etc/ssh/sshd_config file to enable the TOTP authentication method
Code: Select all
[root @ CentOS ~] vim /etc/ssh/sshd_configCode: Select all
# Change to no to disable s/key passwords
ChallengeResponseAuthentication yesCode: Select all
[root @ CentOS ~] service sshd restartCode: Select all
[root @ CentOS ~] systemctl restart sshd.serviceCode: Select all
root@T530:~ $ ssh hosname-server -p 22 -l user
Password:
Verification code:
Last login: Fri Nov 8 13:10:56 2019
[user @ CentOS ~]$- ADDITIONAL
In case an SSH key is also used for authentication, it is necessary to edit the file /etc/ssh/sshd_config and add the line below
Code: Select all
[root @ CentOS ~] vim /etc/ssh/sshd_config
AuthenticationMethods publickey,password publickey,keyboard-interactiveCode: Select all
[root @ CentOS ~] service sshd restartCode: Select all
[root @ CentOS ~] systemctl restart sshd.service