
Ubuntu - SSH - Two-Factor Authentication (using Google Authenticator)

Two-Factor authentication adds an extra layer of security to the authentication process to prevent unauthorized users from accessing your services or data.

Normally you only type a username and password (something you know), but with Two-Factor authentication you additionally need to provide something you have (a mobile phone running Android, iOS or Blackberry, which supplies one-time codes when using Google Authenticator).

Figure: Google Authenticator on iPhone.


Download and install the Google Authenticator app for your phone

Instructions: http://support.google.com/accounts/bin/answer.py?hl=en&answer=1066447


Install required package (used to create QR code)

sudo apt install libqrencode3

Download the Google Authenticator libpam package

wget http://ftp.us.debian.org/debian/pool/main/g/google-authenticator/libpam-google-authenticator_20110413.68230188bdc7-1.1_amd64.deb

TODO: Update URL for Ubuntu, instead of Debian.


Install Google Authenticator

sudo dpkg -i libpam-google-authenticator_20110413.68230188bdc7-1.1_amd64.deb

Configure Google Authenticator

This has to be done for each account that should be able to log in with Two-Factor Authentication. Run the command as that user:

google-authenticator

Scan the QR code

Scan the QR code with the Google Authenticator app on your phone and answer yes to all questions unless you want some specific options.


Configure PAM to use the Google Authenticator lib

Add this line somewhere in the PAM configuration file for SSH.

/etc/pam.d/ssh
auth required pam_google_authenticator.so

Update sshd_config

Locate a line in the file starting with ChallengeResponseAuthentication and change the value to yes.

/etc/ssh/sshd_config
...
ChallengeResponseAuthentication yes
...

Restart SSH

sudo /etc/init.d/ssh restart

The next time you log in over SSH you will be prompted for a Verification code in addition to the standard login and password.

This is where you use the code shown on your mobile device.
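
The two edits above can be checked before SSH is restarted. The script below is an added example, not part of the original page: the function names are hypothetical and the sample files are constructed in a temporary directory. It reports whether the PAM line is active (not commented out) and which ChallengeResponseAuthentication value sshd will actually use.

```shell
#!/bin/sh

# Succeeds if FILE has an uncommented "auth ... pam_google_authenticator.so" line.
pam_has_totp() {
    awk '
        /^[ \t]*#/ { next }    # a commented-out line does not load the module
        $1 == "auth" && /pam_google_authenticator\.so/ { found = 1 }
        END { exit found ? 0 : 1 }
    ' "$1"
}

# Prints the effective ChallengeResponseAuthentication value in FILE, or "unset".
# sshd uses the first value it obtains for a keyword, so a later "yes" cannot
# override an earlier "no". Keywords are case-insensitive.
sshd_challenge_response() {
    awk '
        /^[ \t]*#/ { next }
        tolower($1) == "challengeresponseauthentication" {
            print tolower($2); found = 1; exit
        }
        END { if (!found) print "unset" }
    ' "$1"
}

# usage: audit_ssh_2fa PAM_FILE SSHD_CONFIG ; returns 0 only if both checks pass
audit_ssh_2fa() {
    rc=0
    if pam_has_totp "$1"; then
        echo "ok:   $1 loads pam_google_authenticator.so"
    else
        echo "FAIL: $1 has no active pam_google_authenticator.so auth line"; rc=1
    fi
    val=$(sshd_challenge_response "$2")
    if [ "$val" = "yes" ]; then
        echo "ok:   $2 sets ChallengeResponseAuthentication yes"
    else
        echo "FAIL: ChallengeResponseAuthentication is '$val' in $2"; rc=1
    fi
    return "$rc"
}

# Constructed sample files (not real system configuration), one good and one broken pair.
demo=$(mktemp -d)
printf '%s\n' '@include common-auth' 'auth required pam_google_authenticator.so' > "$demo/pam_ok"
printf '%s\n' '#auth required pam_google_authenticator.so' > "$demo/pam_commented"
printf '%s\n' 'Port 22' 'ChallengeResponseAuthentication yes' > "$demo/sshd_ok"
printf '%s\n' 'ChallengeResponseAuthentication no' 'ChallengeResponseAuthentication yes' > "$demo/sshd_shadowed"
audit_ssh_2fa "$demo/pam_ok" "$demo/sshd_ok"
audit_ssh_2fa "$demo/pam_commented" "$demo/sshd_shadowed" || true
```

To check the real files, call `audit_ssh_2fa /etc/pam.d/ssh /etc/ssh/sshd_config`, and keep an existing SSH session open while you test the new login.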