Setup Google Authenticator on Ubuntu/CentOS and Enable 2-Factor Authentication/Multi-Factor Authentication
In this chapter, you will learn
- How do I set up 2-Factor Authentication (2FA)/Multi-Factor Authentication (MFA) on Ubuntu/CentOS and other Linux distributions?
- How can I install Google Authenticator on an Ubuntu/CentOS server?
- How do I implement OTP-based login on a Linux server?
These days, server security is incredibly important because of the constant stream of attacks. Attackers try various methods to bypass your server's security and gain access, so protecting your server against these attacks is crucial.
There are several ways to enhance server security, but configuring Two-Factor Authentication (2FA)/Multi-Factor Authentication (MFA) or OTP-based login is the most important step.
Simply setting up public/private key-based SSH access isn't sufficient. To further secure server access, it's essential to add an extra layer, such as combining password and OTP-based authentication with key-based access.
In this guide, we will explain how you can set up Google Authenticator with your Ubuntu or CentOS Server.
1. Install the Google Authenticator Module
Ubuntu
sudo apt-get update
sudo apt-get install libpam-google-authenticator
CentOS
sudo yum install https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm
sudo yum install google-authenticator
2. Configure Google Authenticator
After installing the Google Authenticator module, you need to configure it. Run the following command as the user who will log in, and press Enter:
google-authenticator
Answer y to each prompt to enable all the settings. The first prompts look like this:
google-authenticator
Do you want authentication tokens to be time-based (y/n) y
Your new secret key is: WGO6UK44JR9JPT8HW3O265KQZ5
Enter code from app (-1 to skip):
Install the Authenticator App on Your Mobile
Install the Authenticator app on your mobile phone, then scan the QR code using the app. This will automatically add the account to your Authenticator app. Now, enter the OTP displayed in your app.
Enter code from app (-1 to skip): 532148
Code confirmed
Your emergency scratch codes are:
  77245373
  5396474
  2470493
  48504174
  3605051
Keep the Codes in a Safe Place
You must keep the secret key and scratch codes in a safe place. They matter if you lose access to the authenticator app on your mobile phone, because they let you regain access to your accounts.
Do you want me to update your "/home/smith/.google_authenticator" file? (y/n) y

Do you want to disallow multiple uses of the same authentication
token? This restricts you to one login about every 30s, but it increases
your chances to notice or even prevent man-in-the-middle attacks (y/n) y

By default, a new token is generated every 30 seconds by the mobile app.
In order to compensate for possible time-skew between the client and the server,
we allow an extra token before and after the current time. This allows for a
time skew of up to 30 seconds between authentication server and client. If you
experience problems with poor time synchronization, you can increase the window
from its default size of 3 permitted codes (one previous code, the current
code, the next code) to 17 permitted codes (the 8 previous codes, the current
code, and the 8 next codes). This will permit for a time skew of up to 4 minutes
between client and server.
Do you want to do so? (y/n) y

If the computer that you are logging into isn't hardened against brute-force
login attempts, you can enable rate-limiting for the authentication module.
By default, this limits attackers to no more than 3 login attempts every 30s.
Do you want to enable rate-limiting? (y/n) y
Congratulations! You have successfully set up the Google Authenticator app on your Linux server.
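The dialogue above talks about 30-second tokens and a "window" of 3 or 17 permitted codes. The following script is an added example, not part of the original article or of the google-authenticator project: it implements RFC 6238 TOTP (HMAC-SHA1, as the mobile app does) in POSIX sh with openssl, including a base32 decoder for the secret, so you can see how the verification code depends on the clock and which neighbouring codes a given window size makes the server accept. The function names, the use of the RFC test secret, and the argument conventions are this example's own.

```shell
#!/bin/sh
# Added example (not from the original article): how the 6-digit "Verification code"
# asked for by pam_google_authenticator is derived from the secret key and the clock.
# Needs only POSIX sh, coreutils and openssl.

# b32_to_hex SECRET_B32: decode a base32 secret (first line of ~/.google_authenticator) to hex.
b32_to_hex() {
  b32_alphabet=ABCDEFGHIJKLMNOPQRSTUVWXYZ234567
  b32_in=$(printf '%s' "$1" | tr 'a-z' 'A-Z' | tr -d '= ')
  b32_bits=0; b32_nbits=0; b32_out=""
  while [ -n "$b32_in" ]; do
    b32_c=${b32_in%"${b32_in#?}"}; b32_in=${b32_in#?}          # pop the first character
    case $b32_alphabet in *"$b32_c"*) ;; *) echo "invalid base32 character: $b32_c" >&2; return 1 ;; esac
    b32_rest=${b32_alphabet#*"$b32_c"}                          # value = 31 - (chars after it)
    b32_bits=$(( (b32_bits << 5) | (31 - ${#b32_rest}) )); b32_nbits=$((b32_nbits + 5))
    if [ $b32_nbits -ge 8 ]; then                               # emit one byte per 8 accumulated bits
      b32_nbits=$((b32_nbits - 8))
      b32_out="$b32_out$(printf '%02x' $(( (b32_bits >> b32_nbits) & 255 )))"
      b32_bits=$(( b32_bits & ((1 << b32_nbits) - 1) ))
    fi
  done
  printf '%s' "$b32_out"
}

# totp_code SECRET_B32 UNIX_TIME [DIGITS] [STEP]: RFC 6238 TOTP with HMAC-SHA1.
totp_code() {
  totp_key=$(b32_to_hex "$1") || return 1
  totp_digits=${3:-6}; totp_step=${4:-30}
  totp_counter=$(( $2 / totp_step ))            # number of 30-second steps since the epoch
  totp_msg=""; totp_i=7
  while [ $totp_i -ge 0 ]; do                   # counter as 8 big-endian bytes, as printf octal escapes
    totp_msg="$totp_msg$(printf '\\%03o' $(( (totp_counter >> (8 * totp_i)) & 255 )))"
    totp_i=$((totp_i - 1))
  done
  # shellcheck disable=SC2059  # the escapes in totp_msg are meant to be interpreted
  totp_hmac=$(printf "$totp_msg" | openssl dgst -sha1 -mac HMAC -macopt "hexkey:$totp_key" | sed 's/^.*= *//')
  totp_off=$(( 0x$(printf '%s' "$totp_hmac" | cut -c40) ))   # dynamic truncation: low nibble of last byte
  totp_start=$((totp_off * 2 + 1))
  totp_dyn=$(printf '%s' "$totp_hmac" | cut -c"$totp_start-$((totp_start + 7))")   # 4 bytes at that offset
  totp_mod=1; totp_j=0
  while [ $totp_j -lt "$totp_digits" ]; do totp_mod=$((totp_mod * 10)); totp_j=$((totp_j + 1)); done
  printf "%0${totp_digits}d" $(( (0x$totp_dyn & 0x7fffffff) % totp_mod ))
}

# accepted_codes SECRET_B32 UNIX_TIME [WINDOW]: every code the server accepts at that moment
# with a window of WINDOW codes (3 = previous, current, next; 17 = 8 before and 8 after).
accepted_codes() {
  ac_secret=$1; ac_t=$2; ac_half=$(( (${3:-3} - 1) / 2 ))
  ac_k=$(( -ac_half ))
  while [ $ac_k -le $ac_half ]; do
    totp_code "$ac_secret" $(( ac_t + ac_k * 30 )) || return 1
    printf '\n'
    ac_k=$((ac_k + 1))
  done
}

# Usage: sh totp.sh SECRET_B32        prints the code valid right now
#        sh totp.sh SECRET_B32 17     prints every code a 17-code window would accept right now
if [ $# -ge 1 ]; then
  accepted_codes "$1" "$(date +%s)" "${2:-1}"
fi
```

Running it with the window argument makes the trade-off in the dialogue concrete: a window of 17 accepts eight minutes' worth of codes, so keeping the server's clock synchronised (chrony or systemd-timesyncd) and leaving the default window of 3 is the better fix for skew problems than widening the window.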
3. Connect SSH with the Google Authenticator PAM Module
Allow SSH to use the Google Authenticator PAM module. Open the /etc/pam.d/sshd file and add one of the following lines at the end.
If you want to force all users to provide an OTP, add this line at the end of the file:
auth required pam_google_authenticator.so
If you want to allow users who haven't configured 2FA/MFA yet to log in, add this line instead. With nullok, the module does not prompt for an OTP for any account that has no ~/.google_authenticator file, so treat it as a transition setting and remove it once every user is enrolled.
auth required pam_google_authenticator.so nullok
Example
sudo vi /etc/pam.d/sshd
# Print the message of the day upon successful login.
# This includes a dynamically generated part from /run/motd.dynamic
# and a static (admin-editable) part from /etc/motd.
session optional pam_motd.so motd=/run/motd.dynamic
session optional pam_motd.so noupdate
# Standard Un*x password updating.
@include common-password
# auth required pam_google_authenticator.so nullok
auth required pam_google_authenticator.so
4. Configure the sshd_config File
Now, configure the /etc/ssh/sshd_config file so that sshd runs the PAM stack and asks for the verification code. (On OpenSSH 8.7 and later, ChallengeResponseAuthentication is an alias for KbdInteractiveAuthentication; either spelling works.)
sudo vi /etc/ssh/sshd_config
UsePAM yes
ChallengeResponseAuthentication yes
PasswordAuthentication no
In the same file, require both the key and the keyboard-interactive (password plus OTP) step:
# This is the sshd server system-wide configuration file.
# See sshd_config(5) for more information.
AuthenticationMethods publickey,keyboard-interactive
If you want to configure two-factor authentication only for specific users, add the following Match block instead. Put it at the end of the file: every directive after a Match line applies only to the matched users.
sudo vi /etc/ssh/sshd_config
# This is the sshd server system-wide configuration file.
# See sshd_config(5) for more information.
Match User <username>
    AuthenticationMethods publickey,keyboard-interactive
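Steps 3 and 4 are hand edits of two files, and the places they go wrong are repeated directives, a global directive accidentally placed below a Match block (where it silently applies only to the matched users), and a restart with a broken config that locks you out. The following script is an added example, not the article's or the OpenSSH project's code: it makes the same edits idempotently, keeps global directives above any Match block, takes backups and runs sshd -t before restarting. The --apply flag, the function names and the backup naming are this example's own conventions.

```shell
#!/bin/sh
# Added example (not the article's own code): idempotent helper for steps 3 and 4.

# sshd_set FILE KEY VALUE: set a global sshd_config directive exactly once, above any Match block.
sshd_set() {
  sshd_tmp=$(mktemp)
  awk -v key="$2" -v value="$3" '
    tolower($1) == "match" && !done { print key " " value; done = 1 }   # insert before the first Match
    tolower($1) == "match"          { in_match = 1 }                    # everything below is Match-scoped
    !in_match && tolower($1) == tolower(key) { if (!done) { print key " " value; done = 1 }; next }
    { print }
    END { if (!done) print key " " value }                               # no Match block: append
  ' "$1" > "$sshd_tmp" && cat "$sshd_tmp" > "$1"    # cat keeps the original mode and owner
  rm -f "$sshd_tmp"
}

# pam_enable_google_auth PAMFILE [nullok]: end the PAM stack with the module line, replacing any earlier one.
pam_enable_google_auth() {
  pam_tmp=$(mktemp)
  awk '!/^[ \t]*auth[ \t].*pam_google_authenticator\.so/' "$1" > "$pam_tmp"
  printf 'auth required pam_google_authenticator.so%s\n' "${2:+ $2}" >> "$pam_tmp"
  cat "$pam_tmp" > "$1"
  rm -f "$pam_tmp"
}

# apply_2fa SSHD_CONFIG PAMFILE [nullok]: the article's settings, with backups and a syntax check.
apply_2fa() {
  for f in "$1" "$2"; do cp -p "$f" "$f.bak.$(date +%Y%m%d%H%M%S)"; done
  sshd_set "$1" UsePAM yes
  sshd_set "$1" ChallengeResponseAuthentication yes    # alias of KbdInteractiveAuthentication on OpenSSH >= 8.7
  sshd_set "$1" PasswordAuthentication no
  sshd_set "$1" AuthenticationMethods publickey,keyboard-interactive
  pam_enable_google_auth "$2" "$3"
  if command -v sshd >/dev/null 2>&1 && ! sshd -t -f "$1"; then
    echo "sshd rejected $1; restore the .bak copy before restarting" >&2
    return 1
  fi
}

# Usage: sudo sh enable-2fa.sh --apply [nullok]
# Keep your current SSH session open until a second session has logged in successfully.
if [ "${1:-}" = "--apply" ]; then
  apply_2fa /etc/ssh/sshd_config /etc/pam.d/sshd "${2:-}" && systemctl restart sshd
fi
```

The awk in sshd_set only replaces an active (uncommented) directive that appears before the first Match line; commented-out defaults are left alone, and a directive that already sits inside a Match block is not touched because it means something different there.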
5. Test the 2FA/MFA Using Google Authenticator
After configuring all the settings above, it's time to test 2FA/MFA. Log in to your server using SSH. After you enter the passphrase for your SSH key, you will be asked for further authentication: the user's password and the OTP generated by the authenticator app on your mobile phone.
ssh [email protected]
Enter passphrase for key 'C:\Users\Prashant/.ssh/id_rsa': <enter passphrase>
([email protected]) Password: <enter password>
([email protected]) Verification code: <enter TOTP>
Welcome to Ubuntu 22.04.4 LTS (GNU/Linux 5.15.146.1-microsoft-standard-WSL2 x86_64)
What to Do If You Lose the Authenticator App/OTP
On a bad day, you might lose your Authenticator app or your mobile phone, leaving you unable to access your server. In such unfortunate situations, you'll need to know how to regain access to your server.
If Two-Factor Authentication is enabled and you lose access to the Authenticator app, enter one of your emergency scratch codes in place of the TOTP at the "Verification code:" prompt. Each scratch code works only once; the module removes it from ~/.google_authenticator after use, so generate a new set (by re-running google-authenticator) once you are back in.
Summary
It's crucial to set up 2-Factor Authentication or Multi-Factor Authentication on your Ubuntu/CentOS server. This article explains how to install and configure Google Authenticator on your Linux server.