Secure SSH with Google Authenticator on Ubuntu
This article explains what Google Authenticator is and provides a straightforward, step-by-step guide on how to use it to add multi-factor authentication (MFA) to SSH on Ubuntu Linux. By implementing this setup, you will secure your server against unauthorized access by requiring both an SSH key or password and a time-sensitive verification code from your mobile device.
What is Google Authenticator?
Google Authenticator is a software authenticator app that implements Time-based One-Time Password (TOTP) codes for multi-factor authentication. The app and the server share a secret; from that secret and the current time each side derives a six-digit code that changes every 30 seconds. Once the server is linked to the app, an attacker who steals your SSH password or private key still cannot log in without a current code, which requires the phone (or the shared secret, or an unused scratch code). Because the codes are derived from the clock, the server's time must be accurate: keep it synchronized with NTP.
Step 1: Install the Google Authenticator PAM Module
Ubuntu uses Pluggable Authentication Modules (PAM) to handle user authentication. You must install the Google Authenticator PAM module to integrate the TOTP mechanism with your system.
Connect to your Ubuntu server via SSH and run the following commands:
sudo apt update
sudo apt install libpam-google-authenticator -y

Step 2: Configure Google Authenticator for Your User
Once installed, run the configuration tool in your terminal. Run it as the user who will log in over SSH, not with sudo, because it writes its secret to that user's home directory.

google-authenticator

The tool asks a series of questions. Answer them as follows:
- Do you want authentication tokens to be time-based? Type y (yes). This selects TOTP, so codes change every 30 seconds.
- Scan the QR code: A large QR code appears in your terminal. Open the Google Authenticator app on your phone, tap the + icon, select Scan a QR code, and scan the terminal screen. If the QR code does not render correctly, manually enter the secret key printed below it. Treat that secret like a password: anyone who has it can generate your codes.
- Write down your emergency scratch codes: Below the QR code you will see a list of eight-digit emergency scratch codes. Each one works exactly once. Write them down and store them somewhere secure; if you lose your phone, they are your only way to satisfy the second factor over SSH.
- Update your configuration file? Type y (yes) to save the settings to ~/.google_authenticator. The file holds the shared secret, so it is created readable only by your user; keep it that way.
- Disallow multiple uses of the same token? Type y (yes). A code can then be used for only one login, so a code an attacker captures cannot be replayed during its 30-second window.
- Extend the login window? Type n (no) to keep the default window, which accepts the current code plus one before and one after it (about 30 seconds of clock skew). Type y (yes) only if the clocks on your phone and server frequently drift apart; the extended window tolerates about 4 minutes of skew at the cost of more codes being valid at any moment.
- Enable rate-limiting? Type y (yes) to limit login attempts to 3 every 30 seconds, which blunts brute-force guessing of the six-digit code.
Step 3: Configure PAM for SSH
Now you must configure the SSH daemon to use the PAM module you just installed and configured.
Open the PAM configuration file for SSH using a text editor:
sudo nano /etc/pam.d/sshd

Add the following line at the bottom of the file:
auth required pam_google_authenticator.so
Note: If you want users who have not yet run google-authenticator to keep logging in with only their password for now, append nullok to the line:
auth required pam_google_authenticator.so nullok
With nullok, any account that has no ~/.google_authenticator file is exempt from the second factor, so remove it once every user has enrolled. Also note that on Ubuntu this file starts with @include common-auth, which runs the normal password check inside the same keyboard-interactive exchange. If you pair the module with public-key login (Step 4) and want key plus code, rather than key plus password plus code, comment out that @include line.
Save and close the file (in Nano, press Ctrl+O, Enter, then Ctrl+X).
Step 4: Configure the SSH Daemon
Next, instruct the SSH daemon to request the multi-factor authentication code.
Open the SSH configuration file:
sudo nano /etc/ssh/sshd_config

Locate the following parameters and ensure they are set as shown below. If a line is commented out with a #, remove the #.

Set KbdInteractiveAuthentication (or ChallengeResponseAuthentication on older Ubuntu versions) to yes:
KbdInteractiveAuthentication yes

Ensure UsePAM is enabled:
UsePAM yes

sshd_config is first-match-wins, and on Ubuntu 22.04 and later the file begins with an Include of /etc/ssh/sshd_config.d/*.conf, so make sure no earlier line or included file sets either of these to no.
If you use SSH keys for authentication:
A successful public-key login does not run the PAM auth stack, so the module you added in Step 3 would never be consulted and the key alone would still be enough. To require both an SSH key and a Google Authenticator code, append the following line to the end of /etc/ssh/sshd_config:
AuthenticationMethods publickey,keyboard-interactive
The methods are listed in the order sshd demands them: the key is checked first, and only then does PAM prompt for the code. Because a password alone no longer satisfies this rule, make sure every user has a working key installed before you restart sshd.
Save and close the file.
Step 5: Restart the SSH Service
Apply the changes by restarting the SSH daemon:
sudo systemctl restart ssh

Crucial: Do not close your current terminal window yet. Keep this session open and test from a new terminal window; if the new login fails because of a configuration error, you can still fix it from the old session instead of being locked out.
Step 6: Test the Configuration
Open a new terminal window and attempt to log into your Ubuntu server via SSH:
ssh username@your_server_ip

If you configured SSH keys with MFA, the server authenticates your private key first, and then prompts you for the verification code:
Verification code:
Enter the six-digit code currently displayed in your mobile Google Authenticator app. Once it is accepted, you are logged in. A code that is always rejected usually means clock drift between the phone and the server; compare the server's time (date or timedatectl) with the phone's before re-enrolling.
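The edits in Steps 3 and 4 are easy to get subtly wrong by hand (a commented-out duplicate left in place, the PAM line added twice on a second pass). The script below is an added example, not part of the original article or of the libpam-google-authenticator project, that applies the same edits idempotently and checks the result before sshd is restarted. It assumes Ubuntu's file layout and GNU sed; the function names, the --apply flag and the sample files are this example's own. Every function takes the file path as an argument, so you can run it against copies first.

```shell
#!/usr/bin/env bash
# Added example (not from the original article): apply the Step 3 and Step 4
# edits idempotently instead of with an editor, so the result can be checked
# before sshd is restarted. Assumes Ubuntu's file layout and GNU sed.
# Run with --apply as the only argument (as root) to edit the live files.
set -eu

# Replace every line that sets KEY (commented out or not) with "KEY VALUE",
# or append the directive if the file never mentions it. sshd_config is
# first-match-wins, so a stray earlier "KbdInteractiveAuthentication no" left
# in place would silently defeat an appended "yes".
set_directive() {
  local file=$1 key=$2 value=$3
  if grep -Eq "^[#[:space:]]*${key}[[:space:]]" "$file"; then
    sed -E -i "s|^[#[:space:]]*${key}[[:space:]].*|${key} ${value}|" "$file"
  else
    printf '%s %s\n' "$key" "$value" >> "$file"
  fi
}

# Print the value of the last active (uncommented) line for KEY, if any.
get_directive() {
  local file=$1 key=$2
  grep -E "^${key}[[:space:]]" "$file" | awk '{ print $2 }' | tail -n 1
}

# Count active lines that set KEY, to show set_directive never duplicates.
count_directive() {
  grep -Ec "^${2}[[:space:]]" "$1"
}

# Step 4: require a key AND a TOTP code, and let PAM drive the code prompt.
harden_sshd_config() {
  local file=${1:-/etc/ssh/sshd_config}
  set_directive "$file" KbdInteractiveAuthentication yes
  set_directive "$file" UsePAM yes
  set_directive "$file" AuthenticationMethods "publickey,keyboard-interactive"
}

# Step 3: add the PAM line exactly once; a second run must not duplicate it.
add_pam_totp() {
  local file=${1:-/etc/pam.d/sshd}
  local line='auth required pam_google_authenticator.so'
  grep -qxF "$line" "$file" || printf '%s\n' "$line" >> "$file"
}

# Optional: comment out "@include common-auth" so keyboard-interactive asks
# only for the code, not for the password as well. Do this only when every
# login already presents a key (AuthenticationMethods above).
disable_password_prompt() {
  local file=${1:-/etc/pam.d/sshd}
  sed -E -i 's|^(@include[[:space:]]+common-auth)|# \1|' "$file"
}

if [ "${1:-}" = "--apply" ]; then
  [ "$(id -u)" -eq 0 ] || { echo "run as root" >&2; exit 1; }
  harden_sshd_config /etc/ssh/sshd_config
  add_pam_totp /etc/pam.d/sshd
  # Syntax-check first (set -e aborts before the restart on an error), then
  # print the values sshd will actually use: on Ubuntu 22.04+ files under
  # /etc/ssh/sshd_config.d/ are included first and can override these.
  sshd -t
  sshd -T | grep -iE '^(kbdinteractiveauthentication|usepam|authenticationmethods) '
  systemctl restart ssh
fi
```

Before the real run, copy /etc/ssh/sshd_config and /etc/pam.d/sshd somewhere writable and call harden_sshd_config and add_pam_totp on the copies; diff them against the originals to see exactly what --apply will change. The sshd -T check matters more than the edit itself: it is the only way to confirm that no earlier directive or included file is overriding what you set.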