How to configure 2FA authentication using Google authenticator on Ubuntu 18.04 CLI.

This is a quick reference guide on how to configure 2FA authentication using Google authenticator on Ubuntu 18.04.

WARNING: Please be extremely cautious when configuring this as you could potentially lock yourself out of your system if mis-configured.

In this guide I will create a separate user for 2FA authentication and leave root as password authentication only.

1. Create a new user

root@testssh:/etc/ssh# adduser authtest

2. Edit /etc/ssh/sshd_config

root@testssh:/etc/ssh# nano /etc/ssh/sshd_config

Change ChallengeResponseAuthentication to yes

3. Install Google Authenticator

root@testssh:/etc/ssh#apt-get update
root@testssh:/etc/ssh# apt-get install libpam-google-authenticator

4. Change to user and run Google Authenticator

IMPORTANT: Only run this command in the user account that you would like to authenticate using 2FA Authentication.

root@testssh:/etc/ssh# su authtest
authtest@testssh:/etc/ssh$ google-authenticator

Once you have run the google-authenticator command and answered some questions about your preferences, you will receive your token information to set up your token used to generate your OTP.

If by accident you run this command in the wrong user account: To revert this you can delete this from the users home directory by running the following command.

rm /home/authtest/.google_authenticator

To remove from root

root@VPS:~# rm .google_authenticator

5. Change back to root and edit /etc/pam.d/common-auth

authtest@testssh:/etc/ssh$ exit
nano /etc/pam.d/common-auth

add the following line to the bottom of the file:

auth required nullok

6. Restart sshd

root@testssh:/etc/ssh# service sshd restart

7. Test Authentication

At this point I would open a duplicate putty window and test that root still has password authentication.

To test the 2FA authentication – you will be prompted for you password and then your OTP that is generated using your google Authenticator app.

Thank you for reading and please feel free to leave any feedback.

Leave a Reply

Please log in using one of these methods to post your comment: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s