How to Enable Two-Factor Authentication on an Ubuntu 18.04 VPS or Dedicated Server

Two-factor authentication (2FA) is an additional layer of security that you can use on your Ubuntu 18.04 VPS. Apart from entering the regular username and password, users connecting to your server via SSH will be required to enter a token from the Google Authenticator app.

When your Ubuntu server authenticates users by combining two factors, it can confirm the real identity of authorized users even when a user’s password is compromised.

The best way to enable 2FA authentication is through the Google Authenticator app that is available for mobile phones. This app allows you to receive a code that you should enter on your Ubuntu 18.04 alongside your username and password to prove your identity.

In this guide, we will show you how you can setup 2FA and use it to help secure your Ubuntu 18.04 server against malicious hackers.

Prerequisites

  • A VPS server running Ubuntu 18.04 operating system
  • A non-root user with sudo privileges
  • The public IP address of your server
  • A phone running Android or Apple iOs

Step 1: Login to your Ubuntu 18.04 Server

First, you need to establish a connection to your server through SSH. If you are running Windows on your local machine, you can use PuTTY to connect. You can also use the built-in command line prompt if you are on Linux or Mac. You need to have your VPS server public IP address, username, and password.

Step 2: Install Google PAM

PAM is an acronym for Pluggable Authentication Module. This is module allows users to be authenticated on a Linux system using Time-based One-Time Password (TOTP) app known as Google Authenticator. You can download the app from Play Store or Apple App Store.

To install Google Authenticator PAM module, use the commands below:

First, update package repository information:

$ sudo apt-get update

Next, install Google PAM.

$ sudo apt-get install libpam-google-authenticator

Step 3: Generate TOTP for a user

We now have the Google PAM installed. Next, you need to generate a TOTP. You should do this for all users that want to enable 2FA on their account.

While logged as the user that you want to generate TOTP for, run the helper Google PAM application below

$ google-authenticator

You will be prompted to answer the below question:

Do you want authentication tokens to be time-based (y/n) Y

Just enter Y and hit Enter to proceed.

On the next step, you will get a QR code that you need to scan with the Google Authenticator app. If you don’t want to scan the QR code, you can enter the secret key displayed here manually on the Google Authenticator app on your phone.

Press Y and hit Enter when prompted to update your google authenticator file.

Do you want me to update your "home/user/google_authenticator" file (y/n) Y

Next, you need to disallow multiple uses of the same authenticator token to prevent man-in-the-middle attacks.

Do you want to disallow multiple uses of the same 
authentication token? This restricts you to one login
about every 30s, but it increases your chances 
to notice or even prevent man-in-the-middle attacks (y/n) Y

To avoid locking yourself from the server due to time synchronization problems, enter Y and hit enter once you are prompted with the below option.

In order to compensate for possible time-skew between the client and the server,
we allow an extra token before and after the current time. This allows for a
time skew of up to By default, a new token is generated every 30 seconds by the mobile app.
30 seconds between authentication server and client. If you
experience problems with poor time synchronization, you can increase the window
from its default size of 3 permitted codes (one previous code, the current
code, the next code) to 17 permitted codes (the 8 previous codes, the current
code, and the 8 next codes). This will permit for a time skew of up to 4 minutes
between client and server.
Do you want to do so? (y/n) Y

Next, enter Y and Enter to enable rate limiting and avoid brute-force attacks on your server

If the computer that you are logging into isn't hardened against brute-force
login attempts, you can enable rate-limiting for the authentication module.
By default, this limits attackers to no more than 3 login attempts every 30s.
Do you want to enable rate-limiting? (y/n) Y

Step 4: Enable PAM On SSH

We will have two configure SSH to allow users to log in using 2FA. To do these, we need to edit the file ‘/etc/pam.d/sshd’ using a nano editor:

$ sudo nano /etc/pam.d/sshd

Add the line ‘auth required pam_google_authenticator.so’ line at the bottom of the file.

$ # Standard Un*x password updating.
@include common-password
auth required pam_google_authenticator.so

Then press CTRL+X, Y and Enter to save the changes.

Next, open the SSH configuration file to enable this kind of authentication:

$ sudo nano /etc/ssh/sshd_config

Change the value of ChallengeResponseAuthentication from no to yes

# Change to yes to enable challenge-response passwords (beware issues with
# some PAM modules and threads)
ChallengeResponseAuthentication yes

Press CTRL + X then Y and Enter to save the changes to the file

Restart the SSH daemon:

$ sudo systemctl restart sshd.service

Step 5: Test the configuration

You can now open a new terminal window and log on your Ubuntu server. This ensures that you can easily undo the changes from the first session in case there was a misconfiguration on the server.

When you log in this time, you will be prompted to enter a Verification code alongside your username and password. You need to retrieve the verification code from the Google Authenticator app:

This is a sample SSH prompt with two factor enabled

Using username "john".
Authenticating with public key "john"
Further authentication required
Using keyboard-interactive authentication.
Password: Enter your password here
Using keyboard-interactive authentication.
Verification code: Enter 2nd factor here
Welcome to Ubuntu 18.04 LTS (GNU/Linux 4.15.0-1009-gcp x86_64)

Conclusion

In this guide, we have taken you through the steps of enabling two-factor authentication on your Ubuntu 18.04 server. This will ensure that only a person with your password and the right security token can log in to your server and this adds a good layer of security. If you have followed the guide, you will be able to secure your server against malicious users.

Special Note: a key part of securing your server against malicious attacks is to have a hosting plan with a trusted and safe hosting company. On HostAdvice, you will find top VPS hosting and Dedicated server hosting providers that you can trust - complete with real user reviews.

Check out these top 3 VPS services:

Was this article helpful?