Multi-Factor Authentication is a must-have in today's cloud environment. MFA greatly reduces the chance that a brute-force password attack against your server or workstation succeeds. Let's take a look at using two completely free, open-source products to make this work.
For authentication on your mobile device you can use Google Authenticator, or another solution such as FreeOTP by Red Hat. FreeOTP is available for download on many platforms, including Android, iOS, Windows, Linux, and macOS.
Google Authenticator Open Source
The google-authenticator project is an open-source PAM module implementation of Google Authenticator that is supported on non-Android platforms such as iOS or Linux. Let's install the package on Ubuntu 18.04:
sudo apt-get install libpam-google-authenticator
Now we need to run google-authenticator for each user. I will run it on my account and the root account, but it must be run under each user, because the secret it generates belongs to that user alone.
You will be given a QR code which you can import into your authenticator app using your mobile phone's camera. Another option is to enter the secret key manually. In either case, store the secret key somewhere encrypted so you have a backup in case you lose your phone; a password safe is a good place for this.
Sample output of google-authenticator:
Your new secret key is: XXXXXXXXXXXXXXXXXX
Your verification code is XXXXXX
Your emergency scratch codes are:
XXXXXXXX
XXXXXXXX
XXXXXXXX
XXXXXXXX
XXXXXXXX
Don't forget to configure other users as well as your root account. To switch users:
To switch to root:
Note: log back in as a regular user immediately after you are done. We never want to make routine changes using the root account.
Configure MFA for local login
Now that all users are configured, we can enforce the change for the local shell and for SSH access. We first need to configure /etc/pam.d/sshd:
sudo nano /etc/pam.d/sshd
Add this comment and configuration line to /etc/pam.d/sshd:
# This setting enables Google Authenticator for all users.
auth required pam_google_authenticator.so nullok
Now we need to require MFA for remote SSH connections. Edit /etc/ssh/sshd_config:
sudo nano /etc/ssh/sshd_config
Find the ChallengeResponseAuthentication line and change its value to yes.
Now restart SSH:
sudo service ssh restart
We should now be prompted for both a password and a verification code when we log in, whether locally or via SSH. Use FreeOTP (or Google Authenticator) to obtain the current verification code. That's it! You now have 2FA configured on your Ubuntu 18.04 server.
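The steps above, applied as one idempotent script with a verification check at the end, as an added example (this is not code from the original post or from the google-authenticator project). It assumes the Debian/Ubuntu file paths the post uses; both paths can be overridden through the PAM_SSHD and SSHD_CONFIG environment variables so the functions can be exercised against copies before touching the live files. Two caveats the script comments on: /etc/pam.d/sshd governs only SSH sessions (console logins use a different PAM stack, so they are not covered by this edit alone), and the nullok option lets a user who has not yet run google-authenticator log in without a code, so drop it once every account is enrolled.

```shell
#!/bin/sh
# Added example, not part of the original post: apply the PAM and sshd changes
# from the post idempotently and verify them. Paths default to the ones the post
# edits; override them to dry-run against copies.
PAM_SSHD="${PAM_SSHD:-/etc/pam.d/sshd}"
SSHD_CONFIG="${SSHD_CONFIG:-/etc/ssh/sshd_config}"
# nullok lets users without a ~/.google_authenticator file log in without a code;
# remove it once every account has been enrolled.
PAM_LINE='auth required pam_google_authenticator.so nullok'
PAM_PATTERN='^[[:space:]]*auth[[:space:]]+required[[:space:]]+pam_google_authenticator\.so'

# Append the pam_google_authenticator line to a PAM file unless it is already there.
# Note: /etc/pam.d/sshd affects SSH only; console logins use a separate PAM stack.
ensure_pam_line() {
    file="$1"
    if grep -Eq "$PAM_PATTERN" "$file"; then
        return 0
    fi
    cp -p "$file" "$file.bak.$(date +%s)"   # keep a copy before changing auth config
    printf '# This setting enables Google Authenticator for all users.\n%s\n' "$PAM_LINE" >> "$file"
}

# Set an sshd_config keyword: rewrite an existing (possibly commented-out) line in place,
# otherwise append it. Keyword match is case-sensitive and ignores Match blocks (GNU sed).
set_sshd_option() {
    file="$1"; key="$2"; value="$3"
    cp -p "$file" "$file.bak.$(date +%s)"
    if grep -Eq "^[[:space:]]*#?[[:space:]]*$key[[:space:]]" "$file"; then
        sed -i -E "s|^[[:space:]]*#?[[:space:]]*$key[[:space:]].*|$key $value|" "$file"
    else
        printf '%s %s\n' "$key" "$value" >> "$file"
    fi
}

# Read the effective value of a keyword: sshd uses the first uncommented occurrence.
get_sshd_option() {
    awk -v k="$2" 'tolower($1) == tolower(k) { print $2; exit }' "$1"
}

# Return 0 only when the PAM line is present and ChallengeResponseAuthentication is yes.
verify_mfa_config() {
    pam_ok=0; ssh_ok=0
    grep -Eq "$PAM_PATTERN" "$1" && pam_ok=1
    [ "$(get_sshd_option "$2" ChallengeResponseAuthentication)" = "yes" ] && ssh_ok=1
    [ "$pam_ok" = 1 ] && [ "$ssh_ok" = 1 ]
}

# Apply the post's changes (UsePAM must also be yes for the PAM stack to be consulted).
apply_mfa_config() {
    ensure_pam_line "$PAM_SSHD"
    set_sshd_option "$SSHD_CONFIG" ChallengeResponseAuthentication yes
    set_sshd_option "$SSHD_CONFIG" UsePAM yes
    verify_mfa_config "$PAM_SSHD" "$SSHD_CONFIG"
}

# Validate the config with sshd's own syntax check before restarting the service,
# so a typo cannot lock you out of the box.
restart_sshd_if_valid() {
    sshd -t -f "$SSHD_CONFIG" && service ssh restart
}

# Only touch the live system when explicitly asked (run as root: MFA_APPLY=1 sh mfa.sh).
if [ "${MFA_APPLY:-0}" = 1 ]; then
    apply_mfa_config && restart_sshd_if_valid
fi
```

Keep an existing SSH session open while you run this and test a fresh login from a second terminal before closing it; if the PAM line or the sshd restart went wrong, the open session is your way back in to restore the .bak copies. Note also that public-key SSH logins do not pass through the PAM auth stack, so this configuration enforces the code only for password logins unless you additionally configure AuthenticationMethods in sshd_config.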