Steps for Duo: Ignore most of the file setup from their webpage and follow the google setups below after duo is installed. The 2 things you'll need to do is add the following 2 things to /etc/ssh/sshd_config: UsePAM yes ChallengeResponseAuthentication yes Then edit /etc/pam.d/sshd add the line: auth required /usr/lib64/security/pam_duo.so Steps for Google: Step 1: Install and Configure Google Authenticator on Ubuntu ServerLog into your Ubuntu server and run the following command to install Google Authenticator from the default Ubuntu package repository. sudo apt install libpam-google-authenticator Then run the google-authenticator When asked “Do you want authentication tokens to be time-based?” Answer y. Then you will see a QR code that you can scan using a TOTP app on your phone. There are two apps that I recommend:
Scan the QR code with Google Authenticator or FreeOTP on your mobile phone. Note that you need to enlarge the terminal window to scan the full QR code. The QR code represents the secret key, which is only known by your SSH server and your TOTP mobile app. Once the QR code is scanned, you can see a six-digit one-time password on your phone. By default, it changes every 30 seconds. You will need to enter this one-time password later in order to log in to Ubuntu server via SSH. In the terminal window, you can see the secret key, verification code, and emergency scratch code. It’s recommended that you save this information to a safe place for later use. Then you can enter y to answer all of the remaining questions. This will update you Google Authenticator configuration file, disable multiple uses of the same authentication token, increase the time window and enable rate-limiting to protect against brute-force login attempts. Step 2: Configure SSH Daemon to Use Google AuthenticatorOpen SSH server configuration file. sudo nano /etc/ssh/sshd_config Find the following two parameters in the file and make sure both of them are set to yes. UsePAM yes ChallengeResponseAuthentication yes PAM stands for pluggable authentication module. It provides an easy way to plug different authentication method into your Linux system. To enable Google Authenticator with SSH, PAM and Challenge-Response authentication must be enabled. Save and close the file. Then restart SSH daemon for the change to take effect. sudo systemctl restart ssh Note: To allow the root user to use 2FA, you must first allow root to login via SSH with this configuration By default, the challenge-response authentication requires you to enter user password to login. Now edit the PAM rule file for SSH daemon. sudo nano /etc/pam.d/sshd At the beginning of this file, you can see the following line, which enables password authentication when @include common-auth To also enable one-time password authentication, add the following two lines. #One-time password authentication via Google Authenticator auth required pam_google_authenticator.so Save and close the file. From now on SSH daemon will require you to enter user password and a verification code (the one-time password generated by Google Authenticator). |
Linux Links >