In this section, we will learn how to secure your SSH connection with MFA using the Google Authenticator app.
Before we start, download the Google Authenticator app to your mobile device.
After you have downloaded and installed the Google Authenticator app on your mobile device, go to your Linux server and install the google-authenticator PAM module by typing this command:
swarm@swarm3:~$ sudo apt install libpam-google-authenticator
Reading package lists... Done
Building dependency tree
Reading state information... Done
libpam-google-authenticator is already the newest version (20191231-2).
0 upgraded, 0 newly installed, 0 to remove and 75 not upgraded
After the installation completes, type the following command:
- Follow the instructions and scan the barcode with your Google Authenticator mobile app.
- You can type yes for every question that you encounter while setting up the Google Authenticator app.
- After completion, save the emergency scratch codes in a secure location; you will need them in case you lose your phone.
- You can repeat this process for every user on your Linux server.
Now we need to enable “ChallengeResponseAuthentication” in the SSH config file.
swarm@swarm3:~$ sudo vi /etc/ssh/sshd_config
# Change to yes to enable challenge-response passwords (beware issues with
# some PAM modules and threads)
ChallengeResponseAuthentication yes
Don’t forget to save the file by typing :wq
Restart the SSH service:
swarm@swarm3:~$ sudo systemctl restart ssh
The final step is to add the Google Authenticator module to the PAM SSH config file:
swarm@swarm3:~$ sudo vi /etc/pam.d/sshd
Add this line to the end of the config file and save the file:
auth required pam_google_authenticator.so
That’s it. Now you can SSH to your server using Google Authenticator.
Verification code:
Enter the code shown in the Google Authenticator app on your mobile device.
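To check the result of the steps above before you close your current session, here is an added example (not part of the original tutorial) that audits the two edited files. The function names and sample files are constructed for illustration. The UsePAM and nullok checks and the KbdInteractiveAuthentication fallback go beyond what the tutorial sets, and only whitespace-separated `Keyword value` lines are parsed.

```sh
#!/bin/sh
# Added example: audit the two files this tutorial edits. Simplifications:
# global section only (stops at the first Match block), Include not followed.

# Print the first active value of an sshd_config keyword, lower-cased
# (keywords are case-insensitive and sshd keeps the first value it reads).
sshd_value() {  # usage: sshd_value KEYWORD FILE
  awk -v key="$1" '
    /^[ \t]*(#|$)/ { next }
    tolower($1) == "match" { exit }
    tolower($1) == tolower(key) { print tolower($2); exit }
  ' "$2"
}

# Print the first active auth line that loads pam_google_authenticator.so.
pam_ga_line() {  # usage: pam_ga_line PAM_FILE
  awk '/^[ \t]*auth[ \t]+[^#]*pam_google_authenticator\.so/ { print; exit }' "$1"
}

# Print one finding per line; exit status is 0 only when there are none.
audit_ssh_mfa() {  # usage: audit_ssh_mfa SSHD_CONFIG PAM_FILE
  a_kbd=$(sshd_value ChallengeResponseAuthentication "$1")
  # OpenSSH 8.7 and later name this option KbdInteractiveAuthentication.
  [ -n "$a_kbd" ] || a_kbd=$(sshd_value KbdInteractiveAuthentication "$1")
  a_pam=$(sshd_value UsePAM "$1")
  a_line=$(pam_ga_line "$2")
  a_bad=0
  [ "$a_kbd" = yes ] || { echo "challenge-response is not explicitly set to yes"; a_bad=1; }
  [ "$a_pam" = yes ] || { echo "UsePAM is not set to yes"; a_bad=1; }
  if [ -z "$a_line" ]; then
    echo "no active pam_google_authenticator.so auth line"; a_bad=1
  else
    case "$a_line" in *nullok*)
      echo "nullok lets users without a secret file skip the code"; a_bad=1;;
    esac
  fi
  return "$a_bad"
}

# Constructed sample files, not taken from a real host.
demo_dir=$(mktemp -d)
printf '%s\n' '#ChallengeResponseAuthentication no' \
  'ChallengeResponseAuthentication yes' 'UsePAM yes' > "$demo_dir/sshd_config"
printf '%s\n' '@include common-auth' \
  'auth required pam_google_authenticator.so' > "$demo_dir/pam_sshd"
audit_ssh_mfa "$demo_dir/sshd_config" "$demo_dir/pam_sshd" && echo "MFA config OK"
rm -rf "$demo_dir"
```

On a live host, point the function at /etc/ssh/sshd_config and /etc/pam.d/sshd, and keep your existing SSH session open until a second login has asked for the verification code.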