This is a quick reference guide on how to configure two-factor authentication (2FA) using Google Authenticator on Ubuntu 18.04.
WARNING: Please be extremely cautious when configuring this, as you could lock yourself out of your system if it is misconfigured.
In this guide I will create a separate user for 2FA authentication and leave root as password authentication only.
1. Create a new user
root@testssh:/etc/ssh# adduser authtest
2. Edit /etc/ssh/sshd_config
root@testssh:/etc/ssh# nano /etc/ssh/sshd_config
Change ChallengeResponseAuthentication to yes
3. Install Google Authenticator
root@testssh:/etc/ssh# apt-get update
root@testssh:/etc/ssh# apt-get install libpam-google-authenticator
4. Change to user and run Google Authenticator
IMPORTANT: Only run this command in the user account that you would like to authenticate using 2FA.
root@testssh:/etc/ssh# su authtest
authtest@testssh:/etc/ssh$ google-authenticator
Once you have run the google-authenticator command and answered some questions about your preferences, you will receive the token information needed to set up the token that generates your OTP.
If you accidentally run this command in the wrong user account, you can revert it by deleting the .google_authenticator file from that user's home directory.
For example, to remove it from root:
root@VPS:~# rm .google_authenticator
5. Change back to root and edit /etc/pam.d/common-auth
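authtest@testssh:/etc/ssh$ exit
exit
root@testssh:/etc/ssh#
Add the following line to the bottom of the file. The nullok option lets accounts that have no .google_authenticator file (root in this guide) keep logging in with a password only: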
auth required pam_google_authenticator.so nullok
6. Restart sshd
root@testssh:/etc/ssh# service sshd restart
7. Test Authentication
At this point I would open a duplicate PuTTY window and test that root still has password authentication.
To test the 2FA authentication, log in as the new user: you will be prompted for your password and then for the OTP generated by your Google Authenticator app.
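To check the result before closing your working session, the script below reports which factors an account needs for a given PAM file and home directory, including the lock-out that follows if nullok is dropped while an account is not enrolled. It is an added example, not part of the original guide: the function names and the sample files it builds in a temporary directory are constructed, and it assumes the plain "auth required ..." line form used in step 5.

```shell
#!/bin/sh
# Added example: which factors does an account need after the steps above?
# Function names and the sample files are constructed for illustration.

# First explicit ChallengeResponseAuthentication value (sshd uses the first
# occurrence of a keyword), or "unset" if the file never sets it.
sshd_challenge_value() {
    awk 'tolower($1) == "challengeresponseauthentication" { v = tolower($2); exit }
         END { print (v == "" ? "unset" : v) }' "$1"
}

# Control flag of the pam_google_authenticator.so auth line, plus "+nullok"
# when that option is present; "missing" if there is no such line.
pam_totp_mode() {
    awk '$1 == "auth" && /pam_google_authenticator\.so/ {
             mode = $2
             for (i = 3; i <= NF; i++) if ($i == "nullok") mode = mode "+nullok"
             print mode; found = 1; exit
         }
         END { if (!found) print "missing" }' "$1"
}

# An account is enrolled once google-authenticator has written its secret file.
totp_enrollment() {
    if [ -f "$1/.google_authenticator" ]; then echo "enrolled"; else echo "not-enrolled"; fi
}

# $1 = PAM file, $2 = home directory of the account being checked.
login_factors() {
    case "$(pam_totp_mode "$1"):$(totp_enrollment "$2")" in
        missing:*|required+nullok:not-enrolled)     echo "password-only" ;;
        required:not-enrolled)                      echo "locked-out" ;;
        required:enrolled|required+nullok:enrolled) echo "password+otp" ;;
        *)                                          echo "review-manually" ;;
    esac
}

# Constructed sample data mirroring this guide: root not enrolled, authtest enrolled.
demo=$(mktemp -d); trap 'rm -rf "$demo"' EXIT
mkdir -p "$demo/root" "$demo/authtest"
: > "$demo/authtest/.google_authenticator"
printf '#ChallengeResponseAuthentication no\nChallengeResponseAuthentication yes\n' > "$demo/sshd_config"
printf 'auth required pam_unix.so\nauth required pam_google_authenticator.so nullok\n' > "$demo/common-auth"
printf 'auth required pam_unix.so\nauth required pam_google_authenticator.so\n' > "$demo/common-auth.strict"

echo "sshd challenge-response: $(sshd_challenge_value "$demo/sshd_config")"
echo "root, nullok:      $(login_factors "$demo/common-auth" "$demo/root")"
echo "authtest, nullok:  $(login_factors "$demo/common-auth" "$demo/authtest")"
echo "root, no nullok:   $(login_factors "$demo/common-auth.strict" "$demo/root")"
```

On a real host, call the same functions with /etc/ssh/sshd_config, /etc/pam.d/common-auth and each account's home directory.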
Thank you for reading and please feel free to leave any feedback.