If you’re looking to add an extra layer of iron clad security to your Linux server, there are few better options than two-factor authentication. In this guide, we’ll show you how to install Google PAM for SSH authentication.


    Step #1 – Configure Google PAM


    First, lets update Ubuntu’s aptitude cache:


    sudo apt-get update


    Next we’ll get and install Google LibPAM:


    sudo apt-get install libpam-google-authenticator -y


    Well that was easy, wasn’t it?


    Initial Configuration for Google PAM


    Now that we’ve got PAM installed, let’s start the application:




    At this point, you’ll be presented with a number of initial configuration options. Let’s walk through these. First you’ll be asked if you want to use the time-based option for authentication tokens. Selecting no here would configure the module to use sequential tokens, which isn’t terribly compatible and might equate to a less than ideal first experience, so let’s choose Y here to avoid that:


    Do you want authentication tokens to be time-based (y/n) y


    In order to install Google PAM, you’ll need to answer yes on this one so that the authentication token is written and the program won’t terminate, so answer Y:


    Do you want me to update your "~/.google_authenticator" file (y/n) y


    Unless you’re a fan of replay attacks, you’ll probably want to disable multiple uses of the same auth token in this next step, so select Y here:


    Do you want to disallow multiple uses of the same authentication
    token? This restricts you to one login about every 30s, but it increases
    your chances to notice or even prevent man-in-the-middle attacks (y/n) y


    On this one you won’t want to answer yes unless you’d like to give hackers a broader window for gaining access. So you’ll probably want to answer no, which configures the application to allow only 3 login attempts ever 30 seconds. Answer N:


    By default, tokens are good for 30 seconds and in order to compensate for
    possible time-skew between the client and the server, we allow an extra
    token before and after the current time. If you experience problems with poor
    time synchronization, you can increase the window from its default
    size of 1:30min to about 4min. Do you want to do so (y/n) n


    By confirming rate-limiting, you’ll limit attackers to a certain number of attempts before they’re blocked, which is a good thing and (assuming you haven’t previously setup a rate-limiting policy for SSH) this will definitely bolster your security level. Answer Y:


    If the computer that you are logging into isn't hardened against brute-force
    login attempts, you can enable rate-limiting for the authentication module.
    By default, this limits attackers to no more than 3 login attempts every 30s.
    Do you want to enable rate-limiting (y/n) y


    Great! Now you’ve got Google PAM installed so it’s on to the configuration!


    Configuring PAM with SSH


    Let’s crack open the PAM configuration file using Nano:


    sudo nano /etc/pam.d/sshd


    Right below the line @include common-password, add the following to require PAM and allow null:


    auth required pam_google_authenticator.so nullok


    Close out the file and save it.


    Now let’s make an edit to the SSHD configuration:


    sudo nano /etc/ssh/sshd_config


    Locate the line that reads ChallengeResponseAuthentication and ensure it’s set to yes:


    # Change to yes to enable challenge-response passwords (beware issues with
    # some PAM modules and threads)
    ChallengeResponseAuthentication yes


    Close and save your edit and restart the SSHD service:


    service sshd restart


    Now we’ll re-edit the SSHD configuration:


    sudo nano /etc/ssh/sshd_config


    Look for he line that reads UsePAM yes and add he following line below it to set the authentication mehod to SSH key, then either a password or verification code:


    UsePAM yes
    AuthenticationMethods publickey,password publickey,keyboard-interactive


    Now we’ll re-edit the PAM configuration file as well:


    sudo nano /etc/pam.d/sshd


    Locate the line # Standard Un*x authentication. and right below it, uncomment the line #@include common-auth by removing the # so that it looks like this:


    # Standard Un*x authentication.
    @include common-auth


    Close out of the file and save it and restart SSH again:


    Now for he fun part! Open a new SSH session. If all went well, you should now be prompted for a verification code after you SSH key is accepted.


    Assuming all went well with your test – that’s it, you’re done!


    • Show Comments (0)

    Leave a Reply

    Your email address will not be published. Required fields are marked *

    comment *

    • name *

    • email *

    • website *

    This site uses Akismet to reduce spam. Learn how your comment data is processed.

    Support our site

    If you find this site helpful, please consider using our affiliate links. Ayrne may earn a small commission from your purchase, but it won’t cost you anything at all and in some cases, it may even save you money! We use affiliate links instead of banner ads to provide you with a cleaner, more focused experience on our website.

    You May Also Like

    How to Install Redis Server on Ubuntu 16.04 with WordPress

    The quick easy and totally correct way to setup Redis object cache to work ...

    How to Export a List of Mail Items Within Folders (Exchange/O365)

    This quick, easy to follow guide will help you to export a CSV file ...

    How to Ban Browser Cookies

    The quick easy way to turn off cookies from your browser: Chrome, Safari, Edge, ...