August 14, 2022


How to Enable SSH 2FA on Ubuntu Server 22.04


When you open your Linux server for SSH login, there is always the chance that someone can break into that server and do bad things. You don’t want that, but how do you prevent it? One way is to enable two-factor authentication on the server. Once enabled, only people with a properly generated 2FA code (along with their usual login credentials) will be granted access.

How do you set up SSH 2FA on your Ubuntu Server? I’ll show you.


What you need

The only things you need to make this work are:

  • A running instance of Ubuntu Server 22.04.
  • A user with sudo privileges.

That’s it – let’s do some 2FA magic.

How to install the required software

The first thing to do is install a single package: Google Authenticator. It is a command-line tool that makes it possible to add 2FA authentication on your server.

Log in to your Ubuntu instance and issue the command:

sudo apt-get install libpam-google-authenticator -y

You’ll then need to run the command to generate the secret key. That command is:

google-authenticator

You will be asked whether you want time-based authentication tokens. Type y and press Enter on your keyboard. You’ll then be presented with a QR code that can be scanned by your 2FA app.


There is one issue to deal with: If you log directly into the terminal of the physical machine in question, you may not be able to see the full code. Your best bet is to log in via SSH, so you can resize the terminal to see the full QR code (Figure A).

Figure A

QR code (blurred) generated by the google-authenticator app.

Scan the QR code with your 2FA app (such as Authy) or enter the secret key if the code is too large for the app to scan and press Enter. You’ll then be prompted to enter a code from the app so the account can be confirmed. After confirmation, you will see the emergency codes for 2FA. Make sure to copy and save them somewhere safe such as a password manager and then type y when prompted to update the ~/.google_authenticator file. Next, you’ll be prompted to disallow the use of the same auth token more than once. Go ahead and type y to accept this, as it can help prevent man-in-the-middle attacks. When prompted, enter y for the last question to allow a maximum time difference of 30 seconds between the auth server and the client.

You’ll also want to enable rate limiting when prompted by typing y, which limits attackers to no more than three login attempts every 30 seconds.

How to configure the SSH daemon for 2FA

Now that 2FA is installed and configured, we must also configure the SSH daemon to use it. Open the SSH daemon configuration file with:


sudo nano /etc/ssh/sshd_config

First, locate the following line and make sure it’s set to yes:

UsePAM yes

Next, find the following line and change no to yes:

KbdInteractiveAuthentication no

Save and shut the file.

Note: In Ubuntu releases prior to 22.04, the above line will be:

ChallengeResponseAuthentication yes

Next, open the PAM configuration file with:

sudo nano /etc/pam.d/sshd

Under the @include common-auth line, add the following:

auth   required   pam_google_authenticator.so

Save and shut the file.

Restart the SSH daemon with:

sudo systemctl restart sshd

Next, open a new terminal window and try to log in to the remote machine. You’ll first be prompted for your user password and then prompted for a 2FA code. After successfully entering the 2FA code, you’ll be allowed to access the server.

How to enable 2FA with SSH key authentication

If you use SSH key authentication (and you should), you need to take an extra step. On the server, open the SSH daemon configuration file with:

sudo nano /etc/ssh/sshd_config

At the end of that file, add the following line:

AuthenticationMethods publickey,keyboard-interactive

Save and shut the file.

Restart SSH with:

sudo systemctl restart sshd

Once you have verified SSH key authentication works, you can disable password authentication by opening the SSH configuration with:

sudo nano /etc/ssh/sshd_config

Locate the following line:

PasswordAuthentication yes

Change it to:

PasswordAuthentication no

Restart SSH with:

sudo systemctl restart sshd

Congratulations, you have just configured Ubuntu Server 22.04 for a much more secure SSH login process. Just make sure that when you do this, you are testing through a second terminal window, so you can stay logged in to the original if there are any issues (and you can reset the configuration). Enjoy that extra layer of security.
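A read-only check of the end state the steps above produce, added as an example and not part of the original article: it reports whether sshd_config and the PAM file carry the four sshd settings and the PAM line this guide sets. The function names (`sshd_opt`, `pam_has_totp`, `audit_2fa`, `demo`) are hypothetical, the sample files are constructed, and the script assumes every directive sits in the two files it is given.

```shell
#!/bin/sh
# Added example: read-only audit of the settings this guide changes.
# Assumptions: Include'd drop-ins and Match blocks are not followed; an unset
# keyword counts as FAIL rather than trusting sshd's built-in default.

# Print the lowercased value of the first active occurrence of keyword $2 in
# file $1 (sshd keeps the first value it reads; keywords ignore case).
sshd_opt() {
    awk -v k="$2" '/^[ \t]*#/ { next }
        tolower($1) == tolower(k) { $1 = ""; sub(/^[ \t]+/, ""); print tolower($0); exit }' "$1"
}

# Succeed if an uncommented auth line in PAM file $1 loads the TOTP module.
pam_has_totp() {
    grep -Eq '^[[:space:]]*auth[[:space:]].*pam_google_authenticator\.so' "$1"
}

# audit_2fa SSHD_CONFIG PAM_FILE: one line per check, returns the failure count.
audit_2fa() {
    fails=0
    for want in UsePAM=yes KbdInteractiveAuthentication=yes \
        AuthenticationMethods=publickey,keyboard-interactive PasswordAuthentication=no
    do
        key=${want%%=*} exp=${want#*=} got=$(sshd_opt "$1" "${want%%=*}")
        if [ "$got" = "$exp" ]; then echo "ok    $key $got"
        else echo "FAIL  $key is '${got:-unset}', expected '$exp'"; fails=$((fails + 1)); fi
    done
    if pam_has_totp "$2"; then echo "ok    PAM loads pam_google_authenticator.so"
    else echo "FAIL  no active pam_google_authenticator.so auth line in $2"; fails=$((fails + 1)); fi
    return "$fails"
}

# Constructed sample: the state after the first half of the guide, before
# AuthenticationMethods is added and PasswordAuthentication is switched off.
demo() {
    d=$(mktemp -d) || return 99
    printf '%s\n' 'UsePAM yes' '#KbdInteractiveAuthentication no' \
        'KbdInteractiveAuthentication yes' 'PasswordAuthentication yes' > "$d/sshd_config"
    printf '%s\n' '@include common-auth' \
        'auth   required   pam_google_authenticator.so' > "$d/pam_sshd"
    rc=0; audit_2fa "$d/sshd_config" "$d/pam_sshd" || rc=$?
    rm -rf "$d"; return "$rc"
}

# With two arguments audit real files, otherwise run the constructed sample.
if [ "$#" -eq 2 ]; then audit_2fa "$1" "$2"; else demo || echo "$? check(s) failed"; fi
```

Saved under a name of your choice (for example `audit.sh`), it runs as `sh audit.sh /etc/ssh/sshd_config /etc/pam.d/sshd` from the second terminal session. Running `sudo sshd -t` before each restart additionally catches syntax errors in the file.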
