Mahmut Şeyhan 1 year ago
mahmut_seyhan #security

How To Setup Multi-Factor Authentication For SSH In Linux

It is important that a strong layer of security be implemented across all layers of the technology stack. In this article, we are going to see one such security implementation for ssh using multi-factor authentication.

SSH, which stands for Secure Shell, is a network protocol that lets users connect to remote machines (servers) and access their resources.

The SSH protocol supports two main authentication methods: password-based authentication and key-based authentication.

Key-based (public/private key pair) authentication is considered more secure than password-based authentication, and most SSH hardening guides recommend disabling password-based authentication and allowing only key-based authentication.

Whichever authentication mechanism you choose, you can make SSH more secure by adding multi-factor authentication (MFA).

Install Google Authenticator

First, install the Google Authenticator app on your Android or iOS device from the Play Store or iTunes.

Now install the Google Authenticator PAM module on your Linux system.

Depending on your distribution, run the matching installation command.

On Ubuntu and its derivatives:

$ sudo apt install libpam-google-authenticator

On RHEL-based distributions:

$ sudo dnf install google-authenticator -y

On Arch-based distributions:

$ sudo pacman -S libpam-google-authenticator

Generate Initial Token For A User

As the first step in setting up MFA, run the following command from your terminal. It performs the initial setup by generating the TOTP secret key. The key belongs to the user who runs the command; it does not apply to other users on the system.

$ google-authenticator

You will be walked through a sequence of (y/n) prompts.

STEP 1 - You are asked whether the tokens should be time-based. Time-based tokens generate a new code every 30 seconds. Press "y" to continue.

STEP 2 - A secret key is generated along with a QR code. Open the Google Authenticator mobile app and scan the QR code, or type the secret key manually, to register the device. Once that is done, the app starts generating a new token every 30 seconds.

STEP 3 - You are asked whether to update the .google_authenticator file in your home directory. The secret key, verification code and emergency scratch codes are all saved in this file. Press "y" to continue.

STEP 4 - Choosing "y" here makes each token expire as soon as it has been used to authenticate, so even if an attacker captures your token, it is already expired.

STEP 5 - This step decides how many tokens are accepted and within what time window. If I choose "n", 3 tokens are allowed within a 90-second window; if I press "y", 17 tokens are allowed within a 240-second window.

STEP 6 - This step asks whether to enable rate limiting. Rate limiting restricts an attacker to 3 login attempts every 30 seconds; after wrong tokens they have to wait before they can try again.

That completes the first stage. Open ~/.google_authenticator and you will find the settings and secret codes produced by these steps.

$ cat ~/.google_authenticator

You can also pass arguments to the google-authenticator command to create the key and settings without going through this sequence of prompts.

$ google-authenticator -q -t -d -f -r 3 -R 30 -w 3

Refer to the google-authenticator help output to see what those arguments do.

$ google-authenticator --help

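
The following shell script is an added example and is not part of the original post or of the google-authenticator project. It audits a ~/.google_authenticator file such as the one the steps above (or the one-line command with -t -d -r 3 -R 30 -w 3) produce. The file layout it assumes: line 1 is the base32 TOTP secret, lines beginning with `" ` are option records (TOTP_AUTH, DISALLOW_REUSE, RATE_LIMIT <attempts> <seconds>, WINDOW_SIZE <n>), and every remaining line is one 8-digit emergency scratch code. The sample file it builds is constructed; the secret and scratch codes in it are made up.

```shell
#!/bin/sh
# Added example (not from the original post): audit a ~/.google_authenticator
# file. Assumed layout: line 1 = base32 secret, '" ' lines = option records,
# remaining lines = 8-digit scratch codes.

# The shared secret is always the first line.
ga_secret() { head -n 1 "$1"; }

# Print the argument(s) of one option record ("3 30" for RATE_LIMIT);
# exit 1 if the option is not present in the file.
ga_option() {
  awk -v key="$2" '
    /^" / && $2 == key {
      out = ""
      for (i = 3; i <= NF; i++) out = out (i > 3 ? " " : "") $i
      print out; found = 1
    }
    END { if (!found) exit 1 }' "$1"
}

# Count the emergency scratch codes still in the file (8-digit lines after the secret).
ga_scratch_count() {
  awk 'NR > 1 && length($0) == 8 && $0 ~ /^[0-9]+$/ { n++ } END { print n + 0 }' "$1"
}

# Octal permission bits: GNU stat first, BSD stat as a fallback.
ga_mode() { stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"; }

# Summarise the file; return 1 when a check that a login depends on fails.
ga_audit() {
  f=$1; rc=0
  secret=$(ga_secret "$f")
  case "$secret" in
    ""|*[!A-Z2-7]*) echo "FAIL: first line is not a base32 secret"; rc=1 ;;
    *) echo "ok:   secret present (${#secret} chars)" ;;
  esac
  mode=$(ga_mode "$f")
  case "$mode" in
    400|600) echo "ok:   mode $mode, readable by the owner only" ;;
    *) echo "FAIL: mode $mode; the PAM module only accepts mode 0400 or 0600"; rc=1 ;;
  esac
  if ga_option "$f" TOTP_AUTH >/dev/null; then echo "ok:   time-based tokens (TOTP)"
  else echo "WARN: counter-based tokens (HOTP)"; fi
  if ga_option "$f" DISALLOW_REUSE >/dev/null; then echo "ok:   each token is accepted only once"
  else echo "WARN: a token may be reused inside its time step"; fi
  rl=$(ga_option "$f" RATE_LIMIT || echo none)
  echo "info: rate limit = $rl (attempts seconds)"
  n=$(ga_scratch_count "$f")
  if [ "$n" -gt 0 ]; then echo "ok:   $n emergency scratch codes left"
  else echo "WARN: no scratch codes left; run google-authenticator again"; fi
  return $rc
}

# Constructed sample file: the secret and scratch codes below are made up.
make_sample_ga_file() {
  f=$(mktemp)
  cat > "$f" <<'EOF'
JBSWY3DPEHPK3PXPJBSWY3DPEHPK3PXP
" RATE_LIMIT 3 30
" WINDOW_SIZE 3
" DISALLOW_REUSE
" TOTP_AUTH
11111111
22222222
33333333
44444444
55555555
EOF
  chmod 600 "$f"
  printf '%s\n' "$f"
}

# On a real account run: ga_audit ~/.google_authenticator
sample=$(make_sample_ga_file)
ga_audit "$sample"
rm -f "$sample"
```

The permission check matters in practice: the PAM module refuses a secret file that is readable by anyone other than its owner, which shows up as a failed second factor rather than a clear error, and a file with no scratch codes left is a lockout waiting to happen if the phone is lost.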
Configure SSH For Multi-Factor Authentication

We have to make a few configuration changes to OpenSSH before MFA can be used.

Run the following commands to back up the SSH config files.

$ sudo cp /etc/ssh/sshd_config /etc/ssh/sshd_config.backup
$ sudo cp /etc/pam.d/sshd /etc/pam.d/sshd.backup

First, enable SSH to use MFA by setting the ChallengeResponseAuthentication option to "yes" in /etc/ssh/sshd_config.

Next, edit the /etc/pam.d/sshd file:

$ sudo vi /etc/pam.d/sshd

And add the following lines to the bottom of the file.

auth required pam_google_authenticator.so nullok
auth required pam_permit.so

If you wish to make MFA mandatory for all users, remove the word "nullok" (nullok lets a user who has no ~/.google_authenticator file yet log in without a code).

Restart the ssh service to make the changes effective.

$ sudo systemctl restart sshd
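
The script below is an added example, not part of the original post or of OpenSSH. It exists because of a detail the steps above do not mention: sshd_config uses first-match semantics (for each keyword, the first value sshd reads wins), and on Ubuntu an Include of /etc/ssh/sshd_config.d/*.conf sits at the top of the file. A "ChallengeResponseAuthentication yes" appended at the bottom is therefore silently ignored if the keyword was already set above it. The helpers read a config file the way sshd resolves it (Include directives are not followed here, and reading stops at the first Match block) and treat ChallengeResponseAuthentication as the alias it is for KbdInteractiveAuthentication in OpenSSH 8.7 and later. The sample configs are constructed.

```shell
#!/bin/sh
# Added example (not from the original post): resolve sshd_config keywords
# with first-match semantics and check the settings PAM-based MFA needs.

# Effective value of a keyword: the first non-comment occurrence before any
# Match block wins. Keywords are case-insensitive, "=" may separate keyword and
# value, and ChallengeResponseAuthentication maps to KbdInteractiveAuthentication.
sshd_effective() {
  awk -v key="$2" '
    function norm(k) {
      k = tolower(k)
      return (k == "challengeresponseauthentication") ? "kbdinteractiveauthentication" : k
    }
    BEGIN { key = norm(key) }
    /^[ \t]*(#|$)/ { next }
    {
      line = $0
      sub(/^[ \t]+/, "", line); sub(/[ \t]+$/, "", line)
      sub(/[ \t]*=[ \t]*/, " ", line)
      kw = line; sub(/[ \t].*$/, "", kw)
      if (tolower(kw) == "match") exit
      if (norm(kw) == key) { sub(/^[^ \t]+[ \t]*/, "", line); print line; found = 1; exit }
    }
    END { if (!found) exit 1 }' "$1"
}

# PAM-driven MFA needs UsePAM and keyboard-interactive both effectively "yes";
# AuthenticationMethods is reported for information.
sshd_mfa_ready() {
  cfg=$1; rc=0
  for kw in UsePAM KbdInteractiveAuthentication; do
    v=$(sshd_effective "$cfg" "$kw" || echo unset)
    if [ "$(printf '%s' "$v" | tr 'A-Z' 'a-z')" = yes ]; then echo "ok:   $kw = $v"
    else echo "FAIL: $kw = $v (needs yes)"; rc=1; fi
  done
  echo "info: AuthenticationMethods = $(sshd_effective "$cfg" AuthenticationMethods || echo 'any one method')"
  return $rc
}

# Constructed sample config. "broken" reproduces the common mistake: the keyword
# is already "no" near the top, and the "yes" appended at the bottom never takes
# effect. "fixed" sets it once, at the top.
make_sample_sshd_config() {
  f=$(mktemp)
  if [ "$1" = fixed ]; then printf 'KbdInteractiveAuthentication yes\n' > "$f"
  else printf 'KbdInteractiveAuthentication no\n' > "$f"; fi
  cat >> "$f" <<'EOF'
Port 22
UsePAM yes
PasswordAuthentication yes
# ChallengeResponseAuthentication yes   <- a comment, ignored
AuthenticationMethods publickey,password publickey,keyboard-interactive
Match User backup
    KbdInteractiveAuthentication yes
EOF
  [ "$1" = fixed ] || printf 'ChallengeResponseAuthentication yes\n' >> "$f"
  printf '%s\n' "$f"
}

# On a live host the authoritative check is:
#   sudo sshd -T | grep -iE 'usepam|kbdinteractive|authenticationmethods'
for kind in broken fixed; do
  cfg=$(make_sample_sshd_config $kind)
  echo "== $kind sample"
  sshd_mfa_ready "$cfg" || echo "=> sshd would never ask for the verification code"
  rm -f "$cfg"
done
```

When the check fails on a real host, put the override in a drop-in file that sorts before the distribution's own (for example a file in /etc/ssh/sshd_config.d/ whose name starts with 00-) or edit the existing line rather than appending a second one, then confirm with `sudo sshd -t` (syntax) and `sudo sshd -T` (effective values) before restarting.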

Test Two Factor Authentication

It's time to test whether the changes we made are effective.

Connect to the server via SSH. You will be asked for a password as the first factor, followed by a verification code as the second factor, as shown in the image below.

$ ssh username@hostname/IPaddress

Once you have entered the SSH password and the verification code, you will be able to log in.

Remember that we did not make MFA mandatory for all users? Let's test it and see whether I can connect as another user for whom I have not generated and set up a token.

I have a testuser and I am able to connect successfully without being prompted for a verification code.

See? I can log in without the verification code as well.

Multi-Factor Authentication For Key Based Authentication

If you have set up key-based authentication, you will not be prompted for the password or the verification code. Why?

Because, by default, SSH tries public-key authentication first, and if a key is found it authenticates with that. Only when no key is found does it fall back to password-based authentication.

You can use verbose mode to check this.

$ ssh -v username@hostname/IPaddress ## With verbose

Add the following line to the bottom of the /etc/ssh/sshd_config file:

AuthenticationMethods publickey,password publickey,keyboard-interactive

Next, open /etc/pam.d/sshd and comment out the "@include common-auth" line.

If you do not comment out "@include common-auth", more than two factors will be required: it will authenticate with the key first, followed by the password and the token. All I need is a key and a token for my authentication, so I am disabling it.

Restart the sshd service and test whether the changes work.

$ sudo systemctl restart sshd

Now if I try to connect, it uses the public key as the first factor and the verification code as the second factor.
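
As an added example (not from the original post, and not part of OpenSSH or Linux-PAM), the script below performs two checks for the key-plus-token setup described in this section. auth_chains spells out how sshd reads an AuthenticationMethods value: space-separated alternatives, each of which is a comma-separated chain whose methods must all succeed, in order. pam_auth_stack lists the "auth" and "@include" lines that are still active in a PAM service file such as /etc/pam.d/sshd, so you can confirm that "@include common-auth" is commented out and only pam_google_authenticator and pam_permit remain. The PAM files it builds are constructed samples modelled on the Ubuntu layout.

```shell
#!/bin/sh
# Added example (not from the original post): explain an AuthenticationMethods
# value and verify the active auth stack of a PAM service file.

# One line per alternative chain, e.g. "chain 1: publickey -> password".
auth_chains() {
  n=0
  for chain in $1; do
    n=$((n + 1))
    printf 'chain %d: %s\n' "$n" "$(printf '%s' "$chain" | sed 's/,/ -> /g')"
  done
}

# Active (uncommented) "auth" and "@include" lines of a PAM service file,
# printed as "control module [args]" or "@include name".
pam_auth_stack() {
  awk '
    { sub(/^[ \t]+/, "") }
    /^(#|$)/ { next }
    $1 == "auth" || $1 == "@include" {
      out = $2; for (i = 3; i <= NF; i++) out = out " " $i
      print ($1 == "auth" ? out : "@include " out)
    }' "$1"
}

# Return 0 when the stack matches the target of this section: the authenticator
# module is present and common-auth (the password stack) is not included.
pam_mfa_check() {
  stack=$(pam_auth_stack "$1"); rc=0
  case "$stack" in
    *pam_google_authenticator.so*) echo "ok:   pam_google_authenticator.so is in the auth stack" ;;
    *) echo "FAIL: pam_google_authenticator.so is missing"; rc=1 ;;
  esac
  case "$stack" in
    *"@include common-auth"*) echo "FAIL: common-auth is still included; a password will be asked as well"; rc=1 ;;
    *) echo "ok:   common-auth is not included" ;;
  esac
  case "$stack" in
    *nullok*) echo "info: nullok is set; users without ~/.google_authenticator skip the token" ;;
  esac
  return $rc
}

# Constructed sample /etc/pam.d/sshd: "before" still includes common-auth,
# "after" has that line commented out as the section above describes.
make_sample_pam_sshd() {
  f=$(mktemp)
  printf '# PAM configuration for the Secure Shell service (constructed sample)\n' > "$f"
  if [ "$1" = before ]; then printf '@include common-auth\n' >> "$f"
  else printf '#@include common-auth\n' >> "$f"; fi
  cat >> "$f" <<'EOF'
account    required     pam_nologin.so
@include common-account
session    required     pam_loginuid.so
@include common-session
auth required pam_google_authenticator.so nullok
auth required pam_permit.so
EOF
  printf '%s\n' "$f"
}

auth_chains 'publickey,password publickey,keyboard-interactive'
for kind in before after; do
  p=$(make_sample_pam_sshd $kind)
  echo "== /etc/pam.d/sshd ($kind)"
  pam_mfa_check "$p" || true
  rm -f "$p"
done
```

One caveat on "add the line to the bottom of sshd_config": if the file already contains a Match block, anything appended after it belongs to that block rather than to the global configuration, so place AuthenticationMethods above the first Match line and confirm the effective value with `sudo sshd -T | grep -i authenticationmethods`.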
Recovery Steps

There may be situations where you lose or replace your mobile device. In that case, you have to reinstall the Google Authenticator app and register the secret key again to start generating tokens.

If you are locked out of the system, you have to ask your system administrator for a new secret key to register and use. There is, however, an alternative that lets you log in and generate a new key on your own.

Remember the codes generated during the initial setup? You can use an emergency scratch code in place of a token to log in. Each scratch code can be used only once. Save them somewhere safe so they are available when you need them most.

The codes are saved in the ~/.google_authenticator file.

$ cat ~/.google_authenticator

You can then regenerate your keys by running the following command again.

$ google-authenticator

Conclusion

As an administrator, you can also write bash scripts to automate generating the secret keys and sharing them with users. You should also harden SSH before setting up MFA so that your system is more secure.
