Install and Configure google-authenticator for Multi-Factor Authentication on Ubuntu 18.04

Multi-Factor Authentication is a must-have in today’s cloud environment. MFA greatly reduces the chance that a brute force attack on your server or workstation succeeds. Let’s take a look at using two completely free, open source products to make this work.

Free OTP

For authentication on your mobile device you can use Google Authenticator, or you can use another solution such as FreeOTP by Red Hat. FreeOTP is available for download on many platforms including Android, iOS, Windows, Linux, and macOS.

Google Authenticator Open Source

The google-authenticator project is an open source version of Google Authenticator that is supported on non-Android platforms such as iOS or Linux. Let’s install the package on Ubuntu 18.04:

sudo apt-get install libpam-google-authenticator

Now we need to configure google-authenticator for each user. I will run it on my account and the root account, but it needs to be configured under each user.

google-authenticator

You will be given a QR code which you can import into your authenticator app by using your mobile phone’s camera. Another option is to enter the secret key manually. In either case, you should store the secret key somewhere encrypted so you have it as a backup in case you lose your phone. Password safe tools are a good place to do this.

Sample output of google-authenticator:

Your new secret key is: XXXXXXXXXXXXXXXXXX
Your verification code is XXXXXX
Your emergency scratch codes are:
  XXXXXXXX
  XXXXXXXX
  XXXXXXXX
  XXXXXXXX
  XXXXXXXX

Don’t forget to configure other users as well as your root account.

To switch users:

su user1

Note: when you switch to root, log back in as a user immediately after you are done. We never want to make changes using the root account.

To switch to root:

sudo -i 

Configure MFA for local login

Now that all users are configured we can enforce the changes to the local shell and SSH access. We first need to configure /etc/pam.d/sshd:

sudo nano /etc/pam.d/sshd 

Add this comment and configuration to /etc/pam.d/sshd:

# This setting enables Google Authenticator for all users.
auth required pam_google_authenticator.so nullok

Now we need to require MFA for remote SSH connections. Edit /etc/ssh/sshd_config:

sudo nano /etc/ssh/sshd_config

Now find the ChallengeResponseAuthentication line and change it to yes:

ChallengeResponseAuthentication yes

Now restart SSH

sudo service ssh restart

Let’s Test

ssh joel@ubserver1

We should now be prompted for a password and a verification code whether we log in locally or via SSH. Use FreeOTP to enter the current verification code. That’s it! You now have 2FA configured on your Ubuntu 18.04 server.
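A quick way to confirm that both edits above took effect, and to see which accounts the nullok option still lets in without a code. This is an added example, not part of the original post: the function names audit_mfa and unenrolled_users and the sample files are made up for illustration, and the check assumes whitespace-separated sshd_config keywords and no Match blocks.

```shell
#!/bin/sh
# audit_mfa PAM_FILE SSHD_CONFIG
# Returns 0 = enforced for everyone, 1 = a step is missing, 2 = only nullok weakens it.
audit_mfa() {
    pam_file=$1
    sshd_conf=$2
    rc=0
    # First active (uncommented) auth line that loads the module.
    pam_line=$(grep -E '^[[:space:]]*auth[[:space:]].*pam_google_authenticator\.so' "$pam_file" | head -n 1)
    if [ -z "$pam_line" ]; then
        echo "FAIL: pam_google_authenticator.so not active in $pam_file"
        rc=1
    elif printf '%s\n' "$pam_line" | grep -Eq '(^|[[:space:]])nullok([[:space:]]|$)'; then
        echo "WARN: nullok set, users without ~/.google_authenticator are not asked for a code"
        rc=2
    else
        echo "OK: verification code required for every user"
    fi
    # sshd keeps the first value it reads for a keyword; keywords are case-insensitive.
    cra=$(awk 'tolower($1) == "challengeresponseauthentication" { print tolower($2); exit }' "$sshd_conf")
    if [ "$cra" = "yes" ]; then
        echo "OK: ChallengeResponseAuthentication yes"
    else
        echo "FAIL: ChallengeResponseAuthentication is '${cra:-unset}' in $sshd_conf"
        rc=1
    fi
    return "$rc"
}

# unenrolled_users BASE: print each home directory name under BASE with no secret file.
unenrolled_users() {
    for home in "$1"/*/; do
        [ -d "$home" ] || continue
        [ -f "${home}.google_authenticator" ] || basename "$home"
    done
}

# Constructed sample files that mirror the settings used in this tutorial.
demo=$(mktemp -d)
printf 'auth required pam_google_authenticator.so nullok\n' > "$demo/pam_sshd"
printf '#ChallengeResponseAuthentication no\nChallengeResponseAuthentication yes\n' > "$demo/sshd_config"
audit_mfa "$demo/pam_sshd" "$demo/sshd_config" || echo "audit_mfa exit status: $?"
rm -rf "$demo"
```

On a real host, pass /etc/pam.d/sshd and /etc/ssh/sshd_config to audit_mfa, and /home to unenrolled_users.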
