Secure SSH with Two Factor Authentication on Ubuntu 16.04

In this tutorial, we will describe the necessary steps to set up two-factor authentication (2FA) using Google Authenticator on an Ubuntu 16.04 VPS. The Google Authenticator app implements one-time access code generators for several mobile platforms. This method adds another layer of protection to your server by adding an extra step to the login process.

Log in to the server using SSH as superuser

ssh root@IP_Address

Updating all installed packages:

apt-get update && apt-get upgrade

Install the package Google Authenticator

apt-get install libpam-google-authenticator

After the package is installed, run the google-authenticator program to create a key for the user you will log in with. The program can generate two types of authentication tokens: time-based and counter-based one-time tokens. Time-based codes change at a fixed interval, while counter-based one-time codes are each valid for a single authentication.

In our case, we will use time-based passwords. Run the program to create keys

google-authenticator

You will be prompted for time-based authentication.

Do you want authentication tokens to be time-based (y/n) y

A large QR code will be generated in your terminal. You can scan the code with the authenticator app on your Android, iOS or Windows phone or tablet, or enter the secret key shown on the screen manually.

Emergency scratch codes will also be generated. You can use these codes to authenticate if you lose your mobile device.

Your emergency scratch codes are:
35636725
07846932
87496712
94764389
78545233

Save the secret and settings for the root user by answering y to the next question:

Do you want me to update your "/root/.google_authenticator" file (y/n) y

Next, you can disallow reuse of an authentication token. Since each time-based code is valid for 30 seconds, this ensures that a generated code can be used only once.

Do you want to disallow multiple uses of the same authentication
token? This restricts you to one login about every 30s, but it increases
your chances to notice or even prevent man-in-the-middle attacks (y/n) y

The following option is only needed if you have problems synchronising time between your devices, so we will not enable it.

By default, tokens are good for 30 seconds and in order to compensate for
possible time-skew between the client and the server, we allow an extra
token before and after the current time. If you experience problems with poor
time synchronization, you can increase the window from its default
size of 1:30min to about 4min. Do you want to do so (y/n) n

The next option limits brute-force attempts: you will only have three chances every 30 seconds to enter the correct code.

If the computer that you are logging into isn't hardened against brute-force
login attempts, you can enable rate-limiting for the authentication module.
By default, this limits attackers to no more than 3 login attempts every 30s.
Do you want to enable rate-limiting (y/n) y

We now have our Google Authenticator app configured and the next step is to configure the authentication settings in OpenSSH. To do this, open the file “/etc/pam.d/sshd” and add the following line to the end of the file:

# vim /etc/pam.d/sshd

auth required pam_google_authenticator.so

Save the changes, then open the file “/etc/ssh/sshd_config” and enable challenge-response authentication:

# vim /etc/ssh/sshd_config

ChallengeResponseAuthentication yes

Save the file and restart SSH on the server for the changes to take effect.

systemctl restart ssh

If you’ve followed this tutorial closely, two-factor authentication is now enabled on the server, and every time you log into your Ubuntu VPS via SSH you must enter both your user password and the verification code generated by the Google Authenticator app on your mobile device.