
HOWTO: Setup 2FA on SSH connections.


Jamdoog

Junior Member
Staff
This guide assumes that you already have public key pair authentication set up on your server. In short, this allows you to SSH into your server without using a password. If you do not have this prerequisite, please follow this guide by @MrDoob.

2FA authentication on your server might seem unnecessary, but it can be very important for maintaining the security of your server in case your computer or other devices you own with your public key pair get breached. Assuming you don't have a password on your key pair, this will leave your server exposed to the attacker who now has the golden key to your server. But with 2FA, this is not the case! In short, 2FA adds another layer of security to your Linux-based machine, forcing you to use a physical device to authenticate with your server.

To begin with, we will need a 2FA client on our mobile device. Personally, I use Google Authenticator, although there are many other applications, like Authy for example, which will suffice just fine. This tutorial will take place on an Ubuntu 16.04 LTS system, which is advisable for your PGBlitz install. As with the PGBlitz installer, I recommend that you use a sudo user, as this will ensure that permissions are set right for PGBlitz, and this tutorial will be using a sudo user rather than the root user.

1. Installing updates and the libpam-google-authenticator package:

Before we install the package, it is crucial to update our system. This can be done with:

sudo apt-get update -y && sudo apt-get dist-upgrade -y

Now, to install the package we need to do the following command:

sudo apt-get install libpam-google-authenticator -y

That's it, seriously.
Hopefully you see something like this:


2. Generate our 2FA config

To do this, we can just run the following command on our system and answer the corresponding questions:

google-authenticator

It will prompt us with the following question: "Do you want authentication tokens to be time-based (y/n)". We need to press y as this will create the actual 2FA configuration for us to use.

Next, it will display our QR code, which we need to scan on our phone to get the OTP-based codes we will use for authentication. It will also produce a couple of emergency codes, which we can use in case we lose our 2FA authorization methods. Keep these safe and out of anyone's hands.

The command will further prompt us with more options; the only one we must input y on is "Do you want me to update your "/home/user/.google_authenticator" file (y/n)". The rest of the questions which get prompted are down to your choice on how you want it set up. The most important part is the two questions which I alluded to above.

3. Configuring it for authentication when logging in

We need to append the following line to /etc/pam.d/sshd

auth required pam_google_authenticator.so

Next, run the following:

sudo systemctl restart sshd.service

Finally, we need to change the following in
/etc/ssh/sshd_config

ChallengeResponseAuthentication no to ChallengeResponseAuthentication yes

We also need to add this line to the bottom of our config file:

AuthenticationMethods publickey,password publickey,keyboard-interactive


That's it! Now just restart the SSH service and we are good to go!

sudo service ssh restart

4. (Extra) Securing our login

We should make sure that root user account login is disabled on our server. This can be done by changing the following in /etc/ssh/sshd_config

PermitRootLogin to no

Furthermore, we should disable password login. This can be done in the same configuration file.

PasswordAuthentication to no

Finally, we should change the port for our SSH connection. Once more, this can be done in the same configuration file. The port can range from 0 - 65535, although some ports (e.g. 1194 or 443) will be in use on your system, so make sure to change it to something that will NOT be in use.

For reference, if you are using the command line to SSH into your server rather than PuTTY, which has a GUI, for example, use the -p parameter on your SSH command to connect with a custom port. (Example: [ssh [email protected] -p 29103] where 29103 is your port.)

That's all there is to it! Enjoy your newly-secured server :)
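As an added example (not part of Jamdoog's post and not PGBlitz's own code), the following POSIX shell script applies the sshd_config and /etc/pam.d/sshd changes from steps 3 and 4 to file paths passed as arguments. It replaces an existing key when one is present (commented out or not) instead of appending a duplicate, adds the PAM line only once, and by default runs against constructed copies of the two files so the result can be inspected without touching the live system. The function names and the sample file contents are my own assumptions.

```shell
#!/bin/sh
# Added example: apply the post's sshd/PAM changes idempotently to the files
# given as arguments. Not the original post's code; function names are assumed.
set -eu

# set_sshd_option FILE KEY VALUE
# Replace any existing "KEY ..." line (even a commented-out "#KEY ..." default)
# with "KEY VALUE"; append the line if the key is absent from the file.
set_sshd_option() {
    file=$1; key=$2; value=$3
    if grep -Eq "^[#[:space:]]*${key}[[:space:]]" "$file"; then
        tmp=$(mktemp)   # portable in-place edit without relying on sed -i
        sed -E "s|^[#[:space:]]*${key}[[:space:]].*|${key} ${value}|" "$file" > "$tmp"
        cat "$tmp" > "$file"
        rm -f "$tmp"
    else
        printf '%s %s\n' "$key" "$value" >> "$file"
    fi
}

# get_sshd_option FILE KEY
# Print the value of the first uncommented "KEY ..." line (empty if none).
get_sshd_option() {
    grep -E "^${2}[[:space:]]" "$1" | head -n 1 | sed -E "s/^${2}[[:space:]]+//"
}

# add_pam_line FILE
# Append the pam_google_authenticator line from step 3 unless already present.
add_pam_line() {
    grep -q 'pam_google_authenticator.so' "$1" || \
        echo 'auth required pam_google_authenticator.so' >> "$1"
}

# harden_sshd SSHD_CONFIG PAM_SSHD
# The full set of changes from steps 3 and 4 of the post (port left to the user).
harden_sshd() {
    cfg=$1; pam=$2
    add_pam_line "$pam"
    set_sshd_option "$cfg" ChallengeResponseAuthentication yes
    set_sshd_option "$cfg" AuthenticationMethods "publickey,password publickey,keyboard-interactive"
    set_sshd_option "$cfg" PermitRootLogin no
    set_sshd_option "$cfg" PasswordAuthentication no
}

# demo: run the hardening on constructed sample files in a temp directory.
demo() {
    dir=$(mktemp -d)
    # Constructed sample resembling Ubuntu 16.04 defaults (not a real file)
    cat > "$dir/sshd_config" <<'EOF'
Port 22
#PermitRootLogin prohibit-password
#PasswordAuthentication yes
ChallengeResponseAuthentication no
UsePAM yes
EOF
    # Constructed sample PAM stack for sshd (not a real file)
    cat > "$dir/pam_sshd" <<'EOF'
@include common-auth
account    required     pam_nologin.so
EOF
    harden_sshd "$dir/sshd_config" "$dir/pam_sshd"
    echo "--- $dir/sshd_config"; cat "$dir/sshd_config"
    echo "--- $dir/pam_sshd";    cat "$dir/pam_sshd"
    rm -rf "$dir"
}

demo
```

To apply it to the real files you would call `harden_sshd /etc/ssh/sshd_config /etc/pam.d/sshd` as root, run `sudo sshd -t` to confirm the file still parses before restarting, and keep your existing SSH session open until a second login with key plus code has succeeded. Two things to be aware of with these settings: once PasswordAuthentication is off, only the publickey,keyboard-interactive method set remains reachable, and on Ubuntu the keyboard-interactive step runs the whole PAM stack, so the `@include common-auth` line in /etc/pam.d/sshd will still ask for the account password in addition to the verification code unless you comment it out.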
 

sconnery

Respected Member
Moderator
FreeLancer
Donor
Does this push to your device, Like when logging into webmail?
I have DUO 2fa setup for this but might move to google?
 

Jamdoog

Junior Member
Staff
Does this push to your device, Like when logging into webmail?
I have DUO 2fa setup for this but might move to google?
This is just for when logging into your Linux box. It can be extended to running anything under sudo, although I didn't include it in this tutorial. This means it wouldn't be applicable for that use, AFAIK.