ArtIT Wiki

User Tools

Site Tools

Trace: install_lamp_server skycloud_users_error open_windows_xp_backup 2fa_linux
2fa_linux

This is an old revision of the document!

Two Factor Autentication with Linux (2FA)


The Google 2 Factor Authentication makes it possible to protect your headless servers under Linux.

To install two factor authentication (2FA) from google on Linux, follow these steps on a command line Debian or Ubuntu machine:

Login with your account and do the installation of the authenticator with

sudo apt install libpam-google-authenticator

Configure pam with sudo nano /etc/pam.d/common-auth

and add the following line at the end of the file:

auth required pam_google_authenticator.so nullok

The NULLOK option gives the option to login without a 2FA code as long a user has not setup 2FA. For the sake of security try not to use this option.

The next step is to configure SSH to be able to login remotely. If you don’t configure this you won’t be able to ssh to your server anymore.

Enable the PAM module by editing

sudo nano /etc/pam.d/sshd

and make sure that

@include common-auth

is at the end of the file and commented out. The comment usually will be at the top of the file. If you have to login twice you have the argument two times!

Next head over to

sudo nano /etc/ssh/sshd_config

and set the follwoing ines

ChallengeResponseAuthentication yes

UsePAM yes

Do a

sudo systemctl restart sshd

or

sudo service sshd restart

You now have 2 Factor Authentication enabled.

NOTE: By putting the PAM module at the end of the file you will have the challenge after you have entered the password. If you like to first have the challenge, put the 2fa PAM module before the password.

You now have to configure 2FA for every user who needs access to the system. Start configuring your own user and then all other users by doing the following:

  • Type in the command google-authenticator
  • Type Y for the fist question

Write down the settings which will be presented (make sure you store them in a save place). These are the rescue settings if you don't get in anymore. Parallel to that open the Google Authenticator on you phone and enter the new settings directly into your Authenticator Settings on your phone. Give it a name (it doesn't have to be an e-mail address) and enter the code you have written down.

Answer the rest of the questions with Y unless you like to deviate. Repeat this for every user and don’t forget your root user!

Do not logoff before you have tested this configuration! Open a new window and try your new settings.

If everything is working correctly you now have a new level of security.

NOTE: It is possible to have multiple servers using the same code generated by your phone without adding multiple accounts. Simply replace the content of the file /root/.google_authenticator or /home/your_user/.google_authenticator after you have installed and configured the authenticator of the new server.

Enjoy,

Your ArtIT Team

BACK

2fa_linux.1556814769.txt.gz · Last modified: 2019/05/02 18:32 by admin