To get up and running with a virtual server to set this up on, please check out the following post:
Easy 2FA for your server
Setting up 2FA is usually a long process; however, if you just want something for a server or two, here is a good way to get started.
Google Authenticator is free, so we can plug it into SSH via PAM.
First, refresh the apt package index:
sudo apt-get update
Install the package using apt-get:
sudo apt-get install libpam-google-authenticator
Edit the SSH daemon's PAM file
We will reference the module's .so file, a shared object (a compiled library, roughly the Linux equivalent of a Windows DLL).
Add the following line to the file:
auth required pam_google_authenticator.so
Edit the sshd config file
This is the SSH daemon's configuration file on our virtual server. We need to enable challenge-response authentication; this lets the server ask for more than just the password, so after we enter our password it can challenge us for a code.
Find the line:
and change to
Uncomment it if need be (i.e. if it is commented out, delete the leading #).
Restart the SSH server
Now that we have made changes, we need to restart the SSH daemon (service) so the new config is applied.
sudo service ssh restart
Generate an OTP (one-time password) account
Now we need to create the seed, the shared secret from which both the server and the client generate the same OTPs.
Log in as the user and run:
If you need to change user, e.g. you are root, then run
This will change you to that user.
Now we can import the Google Authenticator account onto our device. It is a soft token, so everything is done in software: simply download the app from the Android marketplace or the iOS App Store, choose import and scan the QR code shown on your screen. You will see it simply keeps generating one-time passwords.
Answer yes to all the prompts, and note the scratch codes or copy and paste the link.
Once the link has been pasted into a browser it will show a QR code.
Scan this with your Google Authenticator app.
Or add it using the scratch codes (there is a PC-based app).
Now that you have set up your OTP and the app, when you log in as that user the challenge-response will kick in: it will ask for your OTP once you have entered a valid username and password.
Enter your username, your UNIX password, then the OTP shown in your app.
All done: a very simple way of securing access. Don't lose your token. Ideally this is only used for the odd few accounts on a server; the better way to do this would be a full 2FA solution, which we will cover next.
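As an added illustration (not code from the original post), here is why the seed generated above produces the same code on the server and on the phone: both sides run RFC 6238 TOTP over the shared base32 secret and the current 30-second step, and the server accepts codes from a few adjacent steps to tolerate clock skew. The secret below is the RFC 6238 test secret and the one-step window is an assumption for illustration; neither comes from this post.

```python
import base64
import hashlib
import hmac
import struct

# Parameters used by Google Authenticator and pam_google_authenticator by default.
STEP_SECONDS = 30   # length of one time step
DIGITS = 6          # code length shown in the app


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    truncated = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(truncated % 10 ** digits).zfill(digits)


def totp(base32_secret: str, unix_time: int) -> str:
    """RFC 6238 TOTP: HOTP where the counter is the number of elapsed time steps.
    The seed is the base32 string the google-authenticator tool prints (and encodes
    in the QR code), which is what the phone app stores."""
    secret = base64.b32decode(base32_secret, casefold=True)
    return hotp(secret, unix_time // STEP_SECONDS)


def verify(base32_secret: str, candidate: str, unix_time: int, window: int = 1) -> bool:
    """Server-side check: accept the code for the current step or any step within
    +/- `window` steps, tolerating small clock skew between phone and server.
    The window of 1 here is an illustrative assumption; the PAM module's own
    window is configured in the user's ~/.google_authenticator file."""
    secret = base64.b32decode(base32_secret, casefold=True)
    step_now = unix_time // STEP_SECONDS
    return any(
        hmac.compare_digest(hotp(secret, step_now + d), candidate)
        for d in range(-window, window + 1)
    )


# Constructed demo: the RFC 6238 test secret ("12345678901234567890" in base32),
# not a real seed. At T=59 the RFC's 8-digit reference value is 94287082, so the
# 6-digit app code is 287082.
RFC_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"

if __name__ == "__main__":
    print(totp(RFC_SECRET, 59))               # 287082
    print(verify(RFC_SECRET, "287082", 89))   # True: one step later, still inside the window
    print(verify(RFC_SECRET, "287082", 119))  # False: two steps later, outside the window
```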