
How to Setup Multi-Factor Authentication for SSH in Linux

  • June 22, 2021
  • 8 min read
IT Engineer and Technical Author. Karim is specializing in Linux, he is a prolific blogger who writes for various websites.


The importance of system security is hard to overstate. Taking effective preventive measures helps you safeguard your systems from unauthorized access. Traditional ways to secure a system include strong passwords, private keys, and token-based authentication, but adding multiple layers of security makes your systems more secure and helps prevent unauthorized access.

In this article, we are going to show how you can add an additional layer of security to your systems by using Multi-Factor Authentication. With Multi-Factor Authentication, users have to provide more than one form of verification, here in the form of tokens generated by a third-party application. Multi-Factor Authentication can be applied to any application that requires login information, but in this tutorial we will cover the steps for SSH in Linux. Several applications provide token-based authentication, such as Google Authenticator and FreeOTP. We will be using Google Authenticator in this article.

Prerequisites:

The basic requirements for this task are a Linux system running RHEL/CentOS, an account with sudo rights, internet access to install the required authenticator, and remote ‘ssh’ access to the server.

Log in to your system and update it from the latest repositories.

Make sure that the EPEL repo is installed as well. If it is not, you can install it by using the below command.

Install Google Authenticator:

To install Google Authenticator, run the command below on your system.

When prompted, type ‘y’ to confirm the package installation and continue.


Configure Google-Authenticator:

Once you have installed the package, you need to configure it first by using the command below on your system.

Next, you need to confirm whether authentication tokens should be time-based.


In the remaining configuration prompts, you will be asked whether to disallow multiple uses of the same authentication token and whether to enable rate-limiting for the authentication module. Answer ‘yes’ to all of them to continue.


Configure PAM SSH for OTP CODE:

After installing and configuring Google Authenticator, we are going to hook it into OpenSSH through the PAM sshd configuration so that sshd asks for an OTP code.

In Linux systems, PAM stands for Pluggable Authentication Modules, the framework used for authentication.

Before making any changes to the original configuration file, first make sure to back it up, and then open it in your editor to make the required changes.

Adding this line to the PAM sshd configuration allows it to be used with Google Authenticator for OTP codes.

If you want to disable password authentication, comment out the below line in the same PAM sshd configuration file.

Save and close the configuration file after making the required changes.

Configure SSH for OTP Display:

To get the OTP (one-time password) prompt to work, we need to change some parameters in the OpenSSH configuration file as below.

Updating ChallengeResponseAuthentication from ‘no’ to ‘yes’ lets sshd ask for the OTP response code.

After making the required changes, save and close the file and run the command to restart the sshd service.
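A check that can be run against copies of the two edited files before sshd is restarted, as an added example (not code from the original article). The function names are hypothetical, the sample files are constructed, and the `auth substack password-auth` line in the sample is assumed to be the stock RHEL/CentOS password line.

```shell
# Added example: audit the two files the tutorial edits. File paths are
# arguments, so the checks can run against copies before sshd is restarted.

# Effective value of an sshd_config keyword (KEYS is a lowercase regex) in the
# global section: keywords are case-insensitive and the first occurrence wins.
sshd_value() {  # usage: sshd_value FILE KEYS DEFAULT
    awk -v keys="$2" -v def="$3" '
        tolower($1) == "match" { exit }
        tolower($1) ~ ("^(" keys ")$") { val = tolower($2); exit }
        END { print (val == "" ? def : val) }
    ' "$1"
}

# Succeed if an active (uncommented) auth line loads pam_google_authenticator.so.
pam_has_otp() {  # usage: pam_has_otp FILE
    grep -Eq '^[[:space:]]*auth[[:space:]].*pam_google_authenticator\.so' "$1"
}

# Print one finding per problem; return non-zero if any were found.
audit_ssh_mfa() {  # usage: audit_ssh_mfa PAM_FILE SSHD_CONFIG
    rc=0
    pam_has_otp "$1" || { echo "FAIL: no active pam_google_authenticator.so auth line"; rc=1; }
    # OpenSSH 8.7+ names this KbdInteractiveAuthentication; the old name is an alias.
    cr=$(sshd_value "$2" 'challengeresponseauthentication|kbdinteractiveauthentication' yes)
    [ "$cr" = yes ] || { echo "FAIL: challenge-response is '$cr', sshd will not prompt for the OTP"; rc=1; }
    # Upstream default for UsePAM is "no"; without it the PAM stack is never consulted.
    [ "$(sshd_value "$2" usepam no)" = yes ] || { echo "FAIL: UsePAM is not 'yes'"; rc=1; }
    return "$rc"
}

# Constructed sample files in the state the tutorial ends with (not from a real host).
write_samples() {  # usage: write_samples DIR
    cat > "$1/pam_sshd" <<'EOF'
#%PAM-1.0
auth       required     pam_sepermit.so
auth       substack     password-auth
auth       required     pam_google_authenticator.so
EOF
    cat > "$1/sshd_config" <<'EOF'
#ChallengeResponseAuthentication no
ChallengeResponseAuthentication yes
UsePAM yes
EOF
}

demo_dir=$(mktemp -d) && write_samples "$demo_dir"
audit_ssh_mfa "$demo_dir/pam_sshd" "$demo_dir/sshd_config" && echo "OK: sample files pass"
rm -rf "$demo_dir"
```

On a live host, `sshd -T` prints the effective configuration after defaults are resolved, which is the authoritative view of what this script approximates from the file alone.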


Testing Multifactor SSH Authentication:

Once all the required configuration updates are done, test them by creating a duplicate session, where you will be asked for the password first and then for the OTP verification code.


You will get the verification code in the Google Authenticator Android mobile app. Upon successful verification, you will gain access to your system.

Conclusion:

In this article, you have learned how to set up multi-factor authentication for ssh using Google Authenticator. Now, every time a user needs to log in to the system, they have to enter the password first and then provide the OTP verification key, which makes your system more secure. Multi-Factor Authentication makes it really difficult for hackers to gain access to the system.
