Two Factor Autentication with Linux (2FA)
The Google 2 Factor Authentication makes it possible to protect your headless servers under Linux.
To install two factor authentication (2FA) from google on Linux, follow these steps on a command line Debian or Ubuntu machine:
Login with your account and do the installation of the authenticator with
sudo apt install libpam-google-authenticator
Configure pam with sudo nano /etc/pam.d/common-auth and add the following line at the end of the file:
auth required pam_google_authenticator.so nullok
The NULLOK option gives the option to login without a 2FA code as long a user has not setup 2FA. For the sake of security try not to use this option.
The next step is to configure SSH to be able to login remotely. If you don’t configure this you won’t be able to ssh to your server anymore.
Enable the PAM module by editing nano /etc/pam.d/sshd and make sure that @include common-auth
is at the end of the file. The comment usually will be at the top of the file. If you have to login twice you have the argument two times!
Set the follwoing lines ChallengeResponseAuthentication yes and UsePAM yes in /etc/ssh/sshd_config.
Do a systemctl restart sshd or service sshd restart
You now have 2 Factor Authentication enabled.
NOTE: By putting the PAM module at the end of the file you will have the challenge after you have entered the password. If you like to first have the challenge, put the 2fa PAM module before the password.
You now have to configure 2FA for every user who needs access to the system. Start configuring your own user and then all other users by doing the following:
Type in the command google-authenticator
Type Y for the fist question
Write down the settings which will be presented (make sure you store them in a save place). These are the rescue settings if you don't get in anymore. Parallel to that open the Google Authenticator on you phone and enter the new settings directly into your Authenticator Settings on your phone. Give it a name (it doesn't have to be an e-mail address) and enter the code you have written down.
Answer the rest of the questions with Y unless you like to deviate.
Repeat this for every user and don’t forget your root user!
Do not logoff before you have tested this configuration! Open a new window and try your new settings.
If everything is working correctly you now have a new level of security.
NOTE: It is possible to have multiple servers using the same code generated by your phone without adding multiple accounts. Simply replace the content of the file /root/.google_authenticator or /home/your_user/.google_authenticator after you have installed and configured the authenticator of the new server.
To use the Google 2 Factor Authenticator also in your Webmin do the following:
nano /etc/webmin/miniserv.conf and add the line at the end of the file pam_conv=1
Then do:
nano /etc/pam.d/webmin auth required pam_google_authenticator.so
Restart the Webmin Service with:
service webmin restart or systemctl restart webmin
Shoud you have any login problems in Webmin, reset your password with:
cd /usr/share/webmin ./changepass.pl /etc/webmin/ username password systemctl restart webmin
If you like to disable 2FA, just comment out auth required pam_google_authenticator.so nullok
in /etc/pam.d/common-auth.
USE THIS IF YOU JUST WANT TO HAVE SSH 2FA AUTHENTICATION
*If you just want to enable 2FA for ssh not interfering with other applications do the following:*
apt install libpam-google-authenticator -y
google-authenticator
answer with Yes - Yes - Yes - No - Yes
If you want to use a common code for all your machines alter it:
nano /root/.google_authenticator
and replace the code according to your other servers at the top of the file
nano /etc/pam.d/sshd @include common-auth auth required pam_unix.so no_warn try_first_pass auth required pam_google_authenticator.so
nano /etc/ssh/sshd_config ChallengeResponseAuthentication yes PasswordAuthentication yes AuthenticationMethods keyboard-interactive UsePAM yes
service ssh restart
Thas all.
Enjoy,
Your ArtIT Team
BACK