VPSMATE

  • HOME
  • NEWS
  • VPS
  • DEDICATED
  • ARCHIVES
  • GoDaddy
  • SCRIPT
  • TOOLS
    • Traceroute
    • Benchmark
    • Useful Sites
  • Themes
  • GFW
VPSMATE
VPS COUPON & PROMOS | VPS & DEDICATED SERVERS OFFERS | VPS REVIEWS
  1. Main page
  2. Tutorials
  3. Main content

How To Protect SSH With Two-Factor Authentication

06/05/2014 6982hotness 0likes 0comments

VPSMATE_How To Protect SSH With Two-Factor Authentication

Table of Contents

  • Introduction
  • Step One – Install Dependencies
  • Step Two – Edit the Configuration Files
  • Step Three – Activate the Two-Factor Authentication For a User

Introduction


To protect your SSH server with an two-factor authentication, you can use the Google Authenticator PAM module. Every time you connect you have to enter the code from your smartphone.

Attention: If you activate the google-authenticator for a normal user but not for root you can't login with the root user directly anymore. You will need to login as the new user first, then switch to the super user with the su command to get root.

Before you do anything on your VPS, install the Google Authenticator application, it is available for Android, iOS and BlackBerry. Install the App using the market or use your mobile browser to go to m.google.com/authenticator. After this connect to your VPS and switch to the root user.

Step One - Install Dependencies


sudo apt-get install libpam-google-authenticator

libqrencode3 will be installed automatically and will allow you to use the camera of your phone to scan the qr-code directly from the console.

Step Two - Edit the Configuration Files


To use the module you have to edit two configuration files.

nano /etc/pam.d/sshd

Add the following line on top of the file:

auth required pam_google_authenticator.so

One more file to edit:

nano /etc/ssh/sshd_config

Find and change the following line:

ChallengeResponseAuthentication yes

Step Three - Activate the Two-Factor Authentication For a User


You can activate the google-authenticator for the root user or any other user. Switch to the user who should use the two-factor authentication and type in:

google-authenticator

You will be prompted to answer a few questions; answer the first two questions with yes (y):

Do you want authentication tokens to be time-based (y/n) y
Do you want me to update your "/home/USERNAME/.google_authenticator" file (y/n) y

You can answer the next questions according to your needs. You can use the Google Authenticator app to scan the qr-code, or add the account using the secret key and the verification code. Do not forget to print out the emergency scratch codes and store them in a safe place!

Now switch back to root and restart the SSH server. If you added the two-factor authentication for the root user you can skip the next step.

su root

Finally restart the SSH server.

/etc/init.d/ssh restart

That's it! You should now have a SSH server with an two-factor authentication!

Related

Tag: Nothing
Last updated:06/05/2014

kyaky

This person is a lazy dog and has left nothing

Like
< Last article
Next article >

Comments

Cancel

This site uses Akismet to reduce spam. Learn how your comment data is processed.

COPYRIGHT © 2021 vpsmate.net. ALL RIGHTS RESERVED.

Theme Kratos Made By Seaton Jiang