In order to add two-factor authentication to SSH logins on an Ubuntu server, first update the package index:
sudo apt update
Then install the Google Authenticator PAM module:
sudo apt-get install libpam-google-authenticator
With the PAM module installed, we’ll use a helper app that ships with it to generate a TOTP key for each user that needs a second factor. This key is generated on a user-by-user basis, not system-wide, so every user who wants to use a TOTP authenticator app must log in as themselves and run the helper app to get their own key; you can’t run it once to enable it for everyone. Run the helper as the user:
google-authenticator
It will ask a series of questions; the answers used here are shown after each prompt:
Do you want authentication tokens to be time-based (y/n) y
Do you want me to update your "~/.google_authenticator" file (y/n) y
Do you want to disallow multiple uses of the same authentication
token? This restricts you to one login about every 30s, but it increases
your chances to notice or even prevent man-in-the-middle attacks (y/n) y
By default, a new token is generated every 30 seconds by the mobile app.
In order to compensate for possible time-skew between the client and the server,
we allow an extra token before and after the current time. This allows for a
time skew of up to 30 seconds between the authentication server and client. Suppose you
experience problems with poor time synchronization. In that case, you can increase the window
from its default size of 3 permitted codes (one previous code, the current
code, the next code) to 17 permitted codes (the eight previous codes, the current
code, and the eight next codes). This will permit a time skew of up to 4 minutes
between client and server.
Do you want to do so? (y/n) n
If the computer that you are logging into isn't hardened against brute-force
login attempts, you can enable rate-limiting for the authentication module.
By default, this limits attackers to no more than three login attempts every 30s.
Do you want to enable rate-limiting (y/n) y
Step 2 — Configuring OpenSSH to Use MFA/2FA
Open the PAM configuration file for sshd:
sudo nano /etc/pam.d/sshd
Add the following two lines (the auth lines) to the bottom of the file; the lines above them are the existing end of the file, shown for context:
. . .
# Standard Un*x password updating.
@include common-password
auth required pam_google_authenticator.so nullok
auth required pam_permit.so
The nullok option at the end of the first added line tells PAM that this authentication method is optional. This allows users who have not yet generated an OATH-TOTP token to still log in using just their SSH key. Once every user has an OATH-TOTP token, remove nullok from this line to make MFA mandatory. The second line, pam_permit.so, is required to allow authentication when a user does not use an MFA token to log in. When logging in, each method needs a SUCCESS for authentication to proceed. If a user has no MFA token, the nullok option makes the module return IGNORE for the keyboard-interactive step; pam_permit.so then returns SUCCESS and lets authentication proceed.
Save and close the file.
Next, we’ll configure the SSH daemon to support this kind of authentication. Open the SSH daemon configuration file for editing:
sudo nano /etc/ssh/sshd_config
Find the KbdInteractiveAuthentication line and set its value to yes:
KbdInteractiveAuthentication yes
Save and close the file, then restart SSH to reload the configuration files. Restarting the sshd service won’t close our current open connections, meaning you won’t risk locking yourself out with this command:
sudo systemctl restart ssh
Two-factor authentication is now set up: when logging in through SSH, the server will prompt for the user’s password and then for the TOTP code.
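To make the window and reuse questions from the google-authenticator prompts concrete, here is an added Python model (not part of the original post or of the PAM module’s own code) that reads a constructed ~/.google_authenticator-style file and verifies a TOTP code the way the prompts describe: WINDOW_SIZE 3 accepts the previous, current and next 30-second code, WINDOW_SIZE 17 accepts eight codes either side, and DISALLOW_REUSE rejects a token that was already accepted. The file layout (base32 secret on the first line, option lines prefixed with a double quote) is assumed from the helper’s output, and the secret is the RFC 6238 test key so the codes can be checked.

```python
import base64
import hashlib
import hmac
import struct
import time

# Constructed sample in the layout google-authenticator writes (assumed):
# base32 secret on line 1, then option lines prefixed with '" '.
# The secret is the RFC 6238 test key "12345678901234567890".
SAMPLE_FILE = """GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ
" RATE_LIMIT 3 30
" WINDOW_SIZE 3
" DISALLOW_REUSE
" TOTP_AUTH
"""

def parse_config(text):
    """Extract the secret, the accepted-code window and the reuse policy."""
    lines = text.splitlines()
    cfg = {"secret": base64.b32decode(lines[0].strip()),
           "window": 3, "reuse_allowed": True, "used_steps": set()}
    for line in lines[1:]:
        if line.startswith('" WINDOW_SIZE'):
            cfg["window"] = int(line.split()[2])
        elif line.startswith('" DISALLOW_REUSE'):
            cfg["reuse_allowed"] = False
    return cfg

def totp(secret, step, digits=6):
    """RFC 6238 TOTP (HMAC-SHA1, 30 s steps) for one time-step counter."""
    mac = hmac.new(secret, struct.pack(">Q", step), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % 10 ** digits
    return str(code).zfill(digits)

def verify(cfg, code, now=None):
    """Accept code if it matches any of WINDOW_SIZE steps centred on now.
    window 3 -> steps now-1..now+1 (30 s skew); window 17 -> +-8 steps (4 min)."""
    now = time.time() if now is None else now
    step = int(now // 30)
    half = cfg["window"] // 2
    for t in range(step - half, step + half + 1):
        if hmac.compare_digest(totp(cfg["secret"], t), code):
            if not cfg["reuse_allowed"] and t in cfg["used_steps"]:
                return False  # DISALLOW_REUSE: a token is good for one login only
            cfg["used_steps"].add(t)
            return True
    return False
```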