How to Enable Two-Factor Authentication on an Ubuntu 18.04 VPS or Dedicated Server

How to Enable Two-Factor Authentication on an Ubuntu 18.04 VPS or Dedicated Server

Two-factor authentication (2FA) is an additional layer of security that you can use on your Ubuntu 18.04 VPS. Apart from entering the regular username and password, users connecting to your server via SSH will be required to enter a token from the Google Authenticator app.

When your Ubuntu server authenticates users by combining two factors, it can confirm the real identity of authorized users even when a user’s password is compromised.

The best way to enable 2FA authentication is through the Google Authenticator app that is available for mobile phones. This app allows you to receive a code that you should enter on your Ubuntu 18.04 alongside your username and password to prove your identity.
In this guide, we will show you how you can setup 2FA and use it to help secure your Ubuntu 18.04 server against malicious hackers.

Prerequisites

  • A VPS server running Ubuntu 18.04 operating system
  • A non-root user with sudo privileges
  • The public IP address of your server
  • A phone running Android or Apple iOs

Step 1:
Login to your Ubuntu 18.04 Server

First, you need to establish a connection to your server through SSH. If you are running Windows on your local machine, you can use PuTTY to connect. You can also use the built-in command line prompt if you are on Linux or Mac. You need to have your VPS server public IP address, username, and password.

Step 2:
Install Google PAM

PAM is an acronym for Pluggable Authentication Module. This is module allows users to be authenticated on a Linux system using Time-based One-Time Password (TOTP) app known as Google Authenticator. You can download the app from Play Store or Apple App Store.

To install Google Authenticator PAM module, use the commands below:

First, update package repository information:

$ sudo apt-get update

Next, install Google PAM.

$ sudo apt-get install libpam-google-authenticator

Step 3:
Generate TOTP for a user

We now have the Google PAM installed. Next, you need to generate a TOTP. You should do this for all users that want to enable 2FA on their account.

While logged as the user that you want to generate TOTP for, run the helper Google PAM application below

$ google-authenticator

You will be prompted to answer the below question:

Do you want authentication tokens to be time-based (y/n) Y

Just enter Y and hit Enter to proceed.

On the next step, you will get a QR code that you need to scan with the Google Authenticator app. If you don’t want to scan the QR code, you can enter the secret key displayed here manually on the Google Authenticator app on your phone.

Press Y and hit Enter when prompted to update your google authenticator file.

Do you want me to update your "home/user/google_authenticator" file (y/n) Y

Next, you need to disallow multiple uses of the same authenticator token to prevent man-in-the-middle attacks.

Do you want to disallow multiple uses of the same 
authentication token? This restricts you to one login
about every 30s, but it increases your chances 
to notice or even prevent man-in-the-middle attacks (y/n) Y

To avoid locking yourself from the server due to time synchronization problems, enter Y and hit enter once you are prompted with the below option.

In order to compensate for possible time-skew between the client and the server,
we allow an extra token before and after the current time. This allows for a
time skew of up to By default, a new token is generated every 30 seconds by the mobile app.
30 seconds between authentication server and client. If you
experience problems with poor time synchronization, you can increase the window
from its default size of 3 permitted codes (one previous code, the current
code, the next code) to 17 permitted codes (the 8 previous codes, the current
code, and the 8 next codes). This will permit for a time skew of up to 4 minutes
between client and server.
Do you want to do so? (y/n) Y

Next, enter Y and Enter to enable rate limiting and avoid brute-force attacks on your server

If the computer that you are logging into isn't hardened against brute-force
login attempts, you can enable rate-limiting for the authentication module.
By default, this limits attackers to no more than 3 login attempts every 30s.
Do you want to enable rate-limiting? (y/n) Y

Step 4:
Enable PAM On SSH

We will have two configure SSH to allow users to log in using 2FA. To do these, we need to edit the file ‘/etc/pam.d/sshd’ using a nano editor:

$ sudo nano /etc/pam.d/sshd

Add the line ‘auth required pam_google_authenticator.so’ line at the bottom of the file.

$ # Standard Un*x password updating.
@include common-password
auth required pam_google_authenticator.so

Then press CTRL+X, Y and Enter to save the changes.

Next, open the SSH configuration file to enable this kind of authentication:

$ sudo nano /etc/ssh/sshd_config

Change the value of ChallengeResponseAuthentication from no to yes

# Change to yes to enable challenge-response passwords (beware issues with
# some PAM modules and threads)
ChallengeResponseAuthentication yes

Press CTRL + X then Y and Enter to save the changes to the file

Restart the SSH daemon:

$ sudo systemctl restart sshd.service

Step 5:
Test the configuration

You can now open a new terminal window and log on your Ubuntu server. This ensures that you can easily undo the changes from the first session in case there was a misconfiguration on the server.

When you log in this time, you will be prompted to enter a Verification code alongside your username and password. You need to retrieve the verification code from the Google Authenticator app:

This is a sample SSH prompt with two factor enabled

Using username "john".
Authenticating with public key "john"
Further authentication required
Using keyboard-interactive authentication.
Password: Enter your password here
Using keyboard-interactive authentication.
Verification code: Enter 2nd factor here
Welcome to Ubuntu 18.04 LTS (GNU/Linux 4.15.0-1009-gcp x86_64)

Conclusion

In this guide, we have taken you through the steps of enabling two-factor authentication on your Ubuntu 18.04 server. This will ensure that only a person with your password and the right security token can log in to your server and this adds a good layer of security. If you have followed the guide, you will be able to secure your server against malicious users.

Special Note: a key part of securing your server against malicious attacks is to have a hosting plan with a trusted and safe hosting company. On HostAdvice, you will find top VPS hosting and Dedicated server hosting providers that you can trust – complete with real user reviews.

Check out these top 3 VPS services:

Kamatera
$4.00 /mo
Starting price
Visit Kamatera
Rating based on expert review
  • User Friendly
    3.5
  • Support
    3.0
  • Features
    3.9
  • Reliability
    4.0
  • Pricing
    4.3
ScalaHosting
$2.95 /mo
Starting price
Visit ScalaHosting
Rating based on expert review
  • User Friendly
    4.8
  • Support
    4.3
  • Features
    4.4
  • Reliability
    4.8
  • Pricing
    4.5
Liquid Web
$5.00 /mo
Starting price
Visit Liquid Web
Rating based on expert review
  • User Friendly
    3.8
  • Support
    4.8
  • Features
    4.5
  • Reliability
    4.6
  • Pricing
    3.8

How to Install a Let’s Encrypt Certificate on your Ubuntu 18.04 Dedicated Server or VPS

If you are hosting your website on a VPS server running Ubuntu 18.04, we will sh
3 min read
Michael Levanduski
Michael Levanduski
Expert Hosting Writer & Tester

How to Setup Fail2ban on your Ubuntu 18.04 VPS Server or Dedicated Server

In this guide, we discuss the steps needed for setting up Fail2ban on your Linux
2 min read
Avi Ilinsky
Avi Ilinsky
Hosting Expert

How to Set Up SSH for your Ubuntu 18.04 VPS or Dedicated Server

This how-to article shows you how to create a public and a private key for acces
4 min read
Arvind Singh
Arvind Singh
Hosting Expert

How to Change Your SSH Port from the Default Port

Follow our step-by-step guide to change your SSH default port to a more secure o
3 min read
Idan Cohen
Idan Cohen
Marketing Expert
HostAdvice.com provides professional web hosting reviews fully independent of any other entity. Our reviews are unbiased, honest, and apply the same evaluation standards to all those reviewed. While monetary compensation is received from a few of the companies listed on this site, compensation of services and products have no influence on the direction or conclusions of our reviews. Nor does the compensation influence our rankings for certain host companies. This compensation covers account purchasing costs, testing costs and royalties paid to reviewers.
Click to go to the top of the page
Go To Top