If you’re looking to add an extra layer of ironclad security to your Linux server, there are few better options than two-factor authentication. In this guide, we’ll show you how to install Google PAM for SSH authentication.

 

Step #1 – Configure Google PAM

 

First, let’s update Ubuntu’s apt package cache:

 

sudo apt-get update

 

Next we’ll get and install Google LibPAM:

 

sudo apt-get install libpam-google-authenticator -y

 

Well that was easy, wasn’t it?

 

Initial Configuration for Google PAM

 

Now that we’ve got PAM installed, let’s start the application:

 

google-authenticator

 

At this point, you’ll be presented with a number of initial configuration options. Let’s walk through these. First you’ll be asked if you want to use the time-based option for authentication tokens. Selecting no here would configure the module to use sequential (counter-based) tokens, which aren’t as widely supported and tend to make for a poorer first experience, so choose Y here:

 

Do you want authentication tokens to be time-based (y/n) y

 

To finish installing Google PAM you need to answer yes here, so that the secret is written to ~/.google_authenticator and the program doesn’t exit without saving it. Answer Y:

 

Do you want me to update your "~/.google_authenticator" file (y/n) y

 

Unless you’re a fan of replay attacks, you’ll want to disallow multiple uses of the same authentication token in this next step, so select Y here:

 

Do you want to disallow multiple uses of the same authentication
token? This restricts you to one login about every 30s, but it increases
your chances to notice or even prevent man-in-the-middle attacks (y/n) y

 

On this one you won’t want to answer yes unless you’d like to give hackers a broader window for gaining access, so answer no, which configures the application to allow only 3 login attempts every 30 seconds. Answer N:

 

By default, tokens are good for 30 seconds and in order to compensate for
possible time-skew between the client and the server, we allow an extra
token before and after the current time. If you experience problems with poor
time synchronization, you can increase the window from its default
size of 1:30min to about 4min. Do you want to do so (y/n) n

 

By confirming rate-limiting, you’ll limit attackers to a certain number of attempts before they’re blocked, which is a good thing and (assuming you haven’t previously set up a rate-limiting policy for SSH) this will definitely bolster your security level. Answer Y:

 

If the computer that you are logging into isn't hardened against brute-force
login attempts, you can enable rate-limiting for the authentication module.
By default, this limits attackers to no more than 3 login attempts every 30s.
Do you want to enable rate-limiting (y/n) y

 

Great! Now you’ve got Google PAM installed so it’s on to the configuration!
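The prompts above set up a TOTP secret (RFC 6238: a 6-digit HMAC-SHA1 code per 30-second step) and three policies around it. As an added illustration, not code from the original guide or from libpam-google-authenticator, the Python below generates those codes and models how the skew window, the no-reuse rule and the rate limit decide what gets accepted; the secret is the RFC 6238 reference seed, and TokenVerifier is a simplified stand-in for the module’s own logic.

```python
import base64
import hashlib
import hmac
import struct

STEP = 30      # a token is valid for one 30-second time step
DIGITS = 6     # pam_google_authenticator checks 6-digit codes
WINDOW = 3     # default skew window: the current token plus one before and one after (1:30 min)
# Constructed sample secret: base32 of the RFC 6238 reference seed "12345678901234567890".
RFC6238_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"

def hotp(secret_b32: str, counter: int) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    key = base64.b32decode(secret_b32.upper() + "=" * (-len(secret_b32) % 8))
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** DIGITS).zfill(DIGITS)

def totp(secret_b32: str, now: int) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    return hotp(secret_b32, now // STEP)

class TokenVerifier:
    """Models the three policy prompts: skew window, no token reuse, rate limiting."""
    def __init__(self, secret_b32: str, window: int = WINDOW, max_attempts: int = 3):
        self.secret = secret_b32
        self.window = window
        self.max_attempts = max_attempts
        self.used_counters = set()  # "disallow multiple uses of the same token"
        self.attempts = []          # timestamps of recent attempts, for rate limiting

    def verify(self, code: str, now: int) -> bool:
        # Rate limiting: at most max_attempts in any 30-second span, right or wrong.
        self.attempts = [t for t in self.attempts if now - t < STEP]
        if len(self.attempts) >= self.max_attempts:
            return False
        self.attempts.append(now)
        # Skew window: accept the current counter and (window - 1) / 2 steps either side.
        half = (self.window - 1) // 2
        current = now // STEP
        for counter in range(current - half, current + half + 1):
            if counter in self.used_counters:
                continue  # an already-accepted token is a replay; never valid again
            if hmac.compare_digest(hotp(self.secret, counter), code):
                self.used_counters.add(counter)
                return True
        return False
```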

 

Configuring PAM with SSH

 

Let’s crack open the PAM configuration file using Nano:

 

sudo nano /etc/pam.d/sshd

 

Right below the line @include common-password, add the following line, which requires the Google Authenticator module (nullok lets users who have not yet run google-authenticator log in without a code, so remove it once everyone has enrolled):

 

auth required pam_google_authenticator.so nullok

 

Close out the file and save it.

 

Now let’s make an edit to the SSHD configuration:

 

sudo nano /etc/ssh/sshd_config

 

Locate the line that reads ChallengeResponseAuthentication and ensure it’s set to yes:

 

# Change to yes to enable challenge-response passwords (beware issues with
# some PAM modules and threads)
ChallengeResponseAuthentication yes

 

Close and save your edit, then restart the SSHD service:

 

service sshd restart

 

Now we’ll re-edit the SSHD configuration:

 

sudo nano /etc/ssh/sshd_config

 

Look for the line that reads UsePAM yes and add the following line below it to set the authentication method to SSH key, then either a password or a verification code:

 

UsePAM yes
AuthenticationMethods publickey,password publickey,keyboard-interactive

 

Now we’ll re-edit the PAM configuration file as well:

 

sudo nano /etc/pam.d/sshd

 

Locate the line # Standard Un*x authentication. Right below it, uncomment the line #@include common-auth by removing the # so that it looks like this:

 

# Standard Un*x authentication.
@include common-auth

 

Close out of the file, save it, and restart SSH again as before.

 

Now for the fun part! Open a new SSH session. If all went well, you should now be prompted for a verification code after your SSH key is accepted.
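Before that test session it is worth checking both files against what this guide requires. The Python below is an added example, not part of the original guide: it parses sshd_config the way sshd does (case-insensitive keywords, the first occurrence of a keyword wins, options after a Match block are conditional), verifies UsePAM, ChallengeResponseAuthentication and the AuthenticationMethods chains, and flags nullok and a still-commented common-auth in /etc/pam.d/sshd. The GUIDE_SSHD_CONFIG sample is constructed, and the function names are my own.

```python
import re

# Constructed sample: the sshd_config fragment this guide ends up with.
GUIDE_SSHD_CONFIG = """# Change to yes to enable challenge-response passwords
ChallengeResponseAuthentication yes
UsePAM yes
AuthenticationMethods publickey,password publickey,keyboard-interactive
"""

def effective_sshd_options(text):
    """Global sshd_config options as {lowercase keyword: value}: keywords are case-insensitive,
    '#' starts a comment, the FIRST occurrence wins, and parsing stops at the first Match block."""
    options = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)   # "Key value" or "Key=value"
        key, value = parts[0].lower(), (parts[1] if len(parts) > 1 else "")
        if key == "match":
            break
        options.setdefault(key, value)
    return options

def audit_sshd_config(text):
    """Findings against the sshd_config settings this guide requires (empty = compliant)."""
    opts = effective_sshd_options(text)
    findings = []
    if opts.get("usepam", "").lower() != "yes":
        findings.append("UsePAM yes is required for pam_google_authenticator to run")
    if opts.get("challengeresponseauthentication", "").lower() != "yes":
        findings.append("ChallengeResponseAuthentication yes is required for the code prompt")
    chains = [c.split(",") for c in opts.get("authenticationmethods", "").split()]
    if not chains or not all(c[0] == "publickey" and len(c) >= 2 for c in chains):
        findings.append("AuthenticationMethods must start every chain with publickey and add a second method")
    return findings

def audit_pam_sshd(text):
    """Findings for /etc/pam.d/sshd: module active, common-auth included, nullok flagged."""
    active = [l.strip() for l in text.splitlines() if l.strip() and not l.lstrip().startswith("#")]
    module = [l for l in active if l.split()[0] == "auth" and "pam_google_authenticator.so" in l]
    findings = []
    if not module:
        findings.append("no active 'auth required pam_google_authenticator.so' line")
    elif any("nullok" in l.split() for l in module):
        findings.append("nullok: users without ~/.google_authenticator are not asked for a code")
    if "@include common-auth" not in active:
        findings.append("@include common-auth is commented out, so no password is checked")
    return findings
```

Run the two audit functions on open('/etc/ssh/sshd_config').read() and open('/etc/pam.d/sshd').read(); an empty list means the file matches the guide.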

 

Assuming all went well with your test – that’s it, you’re done!

About the Author
Founder, Ayrne
I am an artist, traveler, and lover of the beauty of life