Two-factor authentication (2FA) is an additional layer of security that you can use on your Ubuntu 18.04 VPS. Apart from entering the regular username and password, users connecting to your server via SSH will be required to enter a token from the Google Authenticator app.
When your Ubuntu server authenticates users by combining two factors, it can confirm the real identity of authorized users even when a user’s password is compromised.
The best way to enable 2FA authentication is through the Google Authenticator app that is available for mobile phones. This app allows you to receive a code that you should enter on your Ubuntu 18.04 alongside your username and password to prove your identity.
In this guide, we will show you how you can setup 2FA and use it to help secure your Ubuntu 18.04 server against malicious hackers.
- A VPS server running Ubuntu 18.04 operating system
- A non-root user with sudo privileges
- The public IP address of your server
- A phone running Android or Apple iOs
Step 1: Login to your Ubuntu 18.04 Server
First, you need to establish a connection to your server through SSH. If you are running Windows on your local machine, you can use PuTTY to connect. You can also use the built-in command line prompt if you are on Linux or Mac. You need to have your VPS server public IP address, username, and password.
Step 2: Install Google PAM
PAM is an acronym for Pluggable Authentication Module. This is module allows users to be authenticated on a Linux system using Time-based One-Time Password (TOTP) app known as Google Authenticator. You can download the app from Play Store or Apple App Store.
To install Google Authenticator PAM module, use the commands below:
First, update package repository information:
$ sudo apt-get update
Next, install Google PAM.
$ sudo apt-get install libpam-google-authenticator
Step 3: Generate TOTP for a user
We now have the Google PAM installed. Next, you need to generate a TOTP. You should do this for all users that want to enable 2FA on their account.
While logged as the user that you want to generate TOTP for, run the helper Google PAM application below
You will be prompted to answer the below question:
Do you want authentication tokens to be time-based (y/n) Y
Just enter Y and hit Enter to proceed.
On the next step, you will get a QR code that you need to scan with the Google Authenticator app. If you don’t want to scan the QR code, you can enter the secret key displayed here manually on the Google Authenticator app on your phone.
Press Y and hit Enter when prompted to update your google authenticator file.
Do you want me to update your "home/user/google_authenticator" file (y/n) Y
Next, you need to disallow multiple uses of the same authenticator token to prevent man-in-the-middle attacks.
Do you want to disallow multiple uses of the same authentication token? This restricts you to one login about every 30s, but it increases your chances to notice or even prevent man-in-the-middle attacks (y/n) Y
To avoid locking yourself from the server due to time synchronization problems, enter Y and hit enter once you are prompted with the below option.
In order to compensate for possible time-skew between the client and the server, we allow an extra token before and after the current time. This allows for a time skew of up to By default, a new token is generated every 30 seconds by the mobile app. 30 seconds between authentication server and client. If you experience problems with poor time synchronization, you can increase the window from its default size of 3 permitted codes (one previous code, the current code, the next code) to 17 permitted codes (the 8 previous codes, the current code, and the 8 next codes). This will permit for a time skew of up to 4 minutes between client and server. Do you want to do so? (y/n) Y
Next, enter Y and Enter to enable rate limiting and avoid brute-force attacks on your server
If the computer that you are logging into isn't hardened against brute-force login attempts, you can enable rate-limiting for the authentication module. By default, this limits attackers to no more than 3 login attempts every 30s. Do you want to enable rate-limiting? (y/n) Y
Step 4: Enable PAM On SSH
We will have two configure SSH to allow users to log in using 2FA. To do these, we need to edit the file ‘/etc/pam.d/sshd’ using a nano editor:
$ sudo nano /etc/pam.d/sshd
Add the line ‘auth required pam_google_authenticator.so’ line at the bottom of the file.
$ # Standard Un*x password updating. @include common-password auth required pam_google_authenticator.so
Then press CTRL+X, Y and Enter to save the changes.
Next, open the SSH configuration file to enable this kind of authentication:
$ sudo nano /etc/ssh/sshd_config
Change the value of ChallengeResponseAuthentication from no to yes
# Change to yes to enable challenge-response passwords (beware issues with # some PAM modules and threads) ChallengeResponseAuthentication yes
Press CTRL + X then Y and Enter to save the changes to the file
Restart the SSH daemon:
$ sudo systemctl restart sshd.service
Step 5: Test the configuration
You can now open a new terminal window and log on your Ubuntu server. This ensures that you can easily undo the changes from the first session in case there was a misconfiguration on the server.
When you log in this time, you will be prompted to enter a Verification code alongside your username and password. You need to retrieve the verification code from the Google Authenticator app:
This is a sample SSH prompt with two factor enabled
Using username "john". Authenticating with public key "john" Further authentication required Using keyboard-interactive authentication. Password: Enter your password here Using keyboard-interactive authentication. Verification code: Enter 2nd factor here Welcome to Ubuntu 18.04 LTS (GNU/Linux 4.15.0-1009-gcp x86_64)
In this guide, we have taken you through the steps of enabling two-factor authentication on your Ubuntu 18.04 server. This will ensure that only a person with your password and the right security token can log in to your server and this adds a good layer of security. If you have followed the guide, you will be able to secure your server against malicious users.
Special Note: a key part of securing your server against malicious attacks is to have a hosting plan with a trusted and safe hosting company. On HostAdvice, you will find top VPS hosting and Dedicated server hosting providers that you can trust - complete with real user reviews.