Enabling SSH multi-factor authentication on Ubuntu Server

Source: Internet
Author: User
Tags: ssh

By default, SSH uses single-factor authentication, even when you log in with an SSH key instead of a password. With only one factor, a leaked key is enough to compromise the server.

To address this, this article shows how to enable multi-factor authentication (MFA) for SSH on Ubuntu Server. Once enabled, logging in over SSH additionally requires proving possession of a second factor on your computer or mobile phone. Authentication factors can include:

A password or security questions

An authenticator app or security token

A fingerprint or voice


A common second factor is an OATH-TOTP application such as Google Authenticator (comparable to the two-step verification feature of Microsoft accounts). OATH-TOTP (Time-based One-Time Password) is an open standard for generating one-time passwords, typically a 6-digit code that changes every 30 seconds.

Below we explain how to use an OATH-TOTP application as part of SSH login authentication, in place of the system's original password-only or key-only SSH authentication, to make server administration more secure.

Install libpam-google-authenticator

In this step we install and configure Google PAM (the Google Authenticator PAM module).

Anyone familiar with Linux authentication knows that PAM (Pluggable Authentication Modules) is the framework through which Linux authenticates users. Google has published an OATH-TOTP module for PAM, so Google Authenticator can be used as a second factor for SSH.

1. Update the Ubuntu package repository cache with the following command:

sudo apt-get update

2. Install Google PAM:

sudo apt-get install libpam-google-authenticator

Once libpam-google-authenticator is installed, a TOTP secret must be generated for each user who will authenticate with it. The secret is per user, not system-wide: every user who wants to log in to SSH with TOTP must generate and keep their own secret.


After you run the key-generation command, the program asks a series of questions. The first is whether to generate time-based tokens. Google PAM supports either time-based or counter-based tokens: with counter-based tokens the code advances on each use, whereas time-based tokens change after a fixed interval, which matches how Google Authenticator normally works, so we answer yes here.

Do you want authentication tokens to be time-based (y/n) y

After you answer the first question, the program prints a large amount of information: a QR code, the new secret key, a verification code, and five 8-digit emergency scratch codes. Keep this information safe; it is very important.

At this point, scan the printed QR code with Google Authenticator to add the account to the OATH-TOTP app. Once added, a new entry appears showing a 6-digit token that refreshes every 30 seconds.

The remaining questions tell Google PAM how to behave; we go through them one by one.

Do you want me to update your "~/.google_authenticator" file (y/n) y

This asks whether to write the secret and the configuration options to the ~/.google_authenticator file; we answer yes.

Do you want to disallow multiple uses of the same authentication
token? This restricts you to one login about every 30s, but it increases
your chances to notice or even prevent man-in-the-middle attacks (y/n) y

This configures each code to expire immediately after it has been used, so a code that was intercepted cannot be replayed; yes is usually the right answer here.

By default, tokens are good for 30 seconds and in order to compensate for
possible time-skew between the client and the server, we allow an extra
token before and after the current time. If you experience problems with poor
time synchronization, you can increase the window from its default
size of 1:30min to about 4min. Do you want to do so (y/n) n

By default a token is valid for 30 seconds, and the module compensates for clock skew between server and client by also accepting the token immediately before and after the current one. This question asks whether to widen that tolerance to about 4 minutes; we answer no.

If the computer that you are logging into isn't hardened against
brute-force login attempts, you can enable rate-limiting for the authentication module.
By default, this limits attackers to no more than 3 login attempts every 30s.
Do you want to enable rate-limiting (y/n) y

This asks whether to allow only 3 login attempts every 30 seconds; we answer yes to hinder brute-force attacks.

With these answers given, the Google PAM configuration is complete.
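To make the three policy questions above concrete, here is an added Python example (not code from the article and not the google-authenticator project's source). It implements RFC 6238 TOTP with the defaults Google Authenticator uses (HMAC-SHA1, 30-second steps, 6 digits) and a server-side verifier that models the three choices made above: single-use tokens, one extra token accepted before and after the current one, and at most 3 attempts per 30 seconds. The secret is the RFC 6238 test key; the class and method names are my own.

```python
"""TOTP verification modelled on the google-authenticator prompts.

Added example; this is a model of the policies, not pam_google_authenticator itself.
"""
import base64
import hashlib
import hmac
import struct
import time

STEP = 30     # seconds per time step (Google Authenticator default)
DIGITS = 6    # code length (Google Authenticator default)


def totp(secret_b32: str, at: int, step: int = STEP, digits: int = DIGITS) -> str:
    """RFC 6238 code for the time step containing Unix time `at`."""
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)
    key = base64.b32decode(padded)
    counter = at // step
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                  # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % (10 ** digits)).zfill(digits)


class TotpVerifier:
    """Server-side check with the three policies chosen in the prompts."""

    def __init__(self, secret_b32: str, window: int = 1, disallow_reuse: bool = True,
                 rate_limit: int = 3, rate_time: int = 30):
        self.secret = secret_b32
        self.window = window               # extra steps accepted before and after now
        self.disallow_reuse = disallow_reuse
        self.rate_limit = rate_limit       # max attempts ...
        self.rate_time = rate_time         # ... per this many seconds
        self.used_counters = set()         # time steps whose code was already accepted
        self.attempts = []                 # timestamps of recent attempts

    def verify(self, code: str, now: int) -> str:
        """Return 'ok', 'rate-limited', 'replay' or 'bad'."""
        # Rate limiting: count every attempt in the trailing rate_time window.
        self.attempts = [t for t in self.attempts if now - t < self.rate_time]
        if len(self.attempts) >= self.rate_limit:
            return "rate-limited"
        self.attempts.append(now)

        if len(code) != DIGITS or not (code.isascii() and code.isdigit()):
            return "bad"

        # Time-skew window: accept the previous, current and next step.
        current = now // STEP
        for counter in range(current - self.window, current + self.window + 1):
            if hmac.compare_digest(totp(self.secret, counter * STEP), code):
                if self.disallow_reuse and counter in self.used_counters:
                    return "replay"          # same token presented twice
                self.used_counters.add(counter)
                return "ok"
        return "bad"


# RFC 6238 test secret (ASCII "12345678901234567890"), base32-encoded.
TEST_SECRET = base64.b32encode(b"12345678901234567890").decode()

if __name__ == "__main__":
    verifier = TotpVerifier(TEST_SECRET)
    now = int(time.time())
    code = totp(TEST_SECRET, now)
    print(verifier.verify(code, now))        # ok
    print(verifier.verify(code, now + 1))    # replay
```

The `used_counters` set is what "disallow multiple uses" buys you: an intercepted code is worthless within its 30-second life once the legitimate login has consumed it. Widening `window` is the same trade-off the 4-minute question offers, more tolerance of clock skew in exchange for more codes being valid at once.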

Configure OpenSSH to support MFA

Next we configure SSH to use the TOTP secret, that is, we tell SSH to authenticate through Google PAM.

1. At the end of the /etc/pam.d/sshd file, add the following line:

auth required pam_google_authenticator.so nullok

The trailing nullok tells PAM that this factor is optional (a user who has not yet created a ~/.google_authenticator file is let through without it), so users can still log in with their SSH password or key. Once you have tested that logging in with the OATH-TOTP code works correctly, remove nullok to make MFA mandatory.

2. Next, configure SSH to allow this kind of authentication. Edit the /etc/ssh/sshd_config configuration file, set ChallengeResponseAuthentication to yes, and then restart the SSH service:

sudo service ssh restart

At this point SSH can already authenticate with Google Authenticator. Isn't that great? Finally, to better secure the server, we recommend enabling SSH key + MFA two-factor mode and disabling SSH password authentication entirely.

Edit the /etc/ssh/sshd_config configuration file again:

PasswordAuthentication no
UsePAM yes
# add the line below
AuthenticationMethods publickey,keyboard-interactive

Important: during configuration, confirm that you can log in over SSH with Google Authenticator before disabling SSH password or key-only authentication; otherwise you may lock yourself out of the server.
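The lockout warning above is easiest to act on with a check run before the fallback is removed. The following added Python example (not from the article and not part of OpenSSH) parses sshd_config and /etc/pam.d/sshd text using sshd's rule that the first occurrence of a keyword wins, and reports whether MFA is actually enforced or whether a gap such as a leftover nullok or a missing AuthenticationMethods line still allows single-factor logins. The sample file contents are constructed, and the function names are my own.

```python
"""Audit the sshd_config and /etc/pam.d/sshd settings from the steps above.

Added example; it reads the two files as text and models sshd's
first-occurrence-wins handling of repeated keywords. Settings inside
Match blocks are conditional and are deliberately not evaluated.
"""
import re

# Constructed sample inputs (not copied from any real server).
WEAK_SSHD = """\
# only the first step of the article applied, nothing else changed
ChallengeResponseAuthentication yes
UsePAM yes
"""

HARDENED_SSHD = """\
PasswordAuthentication no
ChallengeResponseAuthentication yes
UsePAM yes
AuthenticationMethods publickey,keyboard-interactive
"""

PAM_NULLOK = """\
@include common-auth
auth required pam_google_authenticator.so nullok
"""

PAM_STRICT = """\
@include common-auth
auth required pam_google_authenticator.so
"""


def parse_sshd_config(text: str) -> dict:
    """Map lowercased keyword -> first value (sshd honours the first occurrence)."""
    opts = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)  # "Key value" or "Key=value"
        key = parts[0].lower()
        if key == "match":
            break                                     # conditional section follows
        if len(parts) == 2:
            opts.setdefault(key, parts[1].strip().lower())
    return opts


def pam_google_auth_line(pam_text: str):
    """Return (module_present, nullok_set) for the auth line added in step 1."""
    for raw in pam_text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if (len(fields) >= 3 and fields[0].lower() == "auth"
                and "pam_google_authenticator.so" in fields[2]):
            return True, "nullok" in fields[3:]
    return False, False


def audit(sshd_text: str, pam_text: str) -> dict:
    """Return {'mfa_enforced': bool, 'findings': [...]} for the two files."""
    o = parse_sshd_config(sshd_text)
    pam_present, nullok = pam_google_auth_line(pam_text)
    blockers, advice = [], []

    if not pam_present:
        blockers.append("pam_google_authenticator.so is missing from /etc/pam.d/sshd")
    if o.get("usepam", "yes") != "yes":
        blockers.append("UsePAM must be yes for the PAM module to run")
    # KbdInteractiveAuthentication is the newer name for ChallengeResponseAuthentication.
    kbd = o.get("kbdinteractiveauthentication",
                o.get("challengeresponseauthentication", "yes"))
    if kbd != "yes":
        blockers.append("ChallengeResponseAuthentication must be yes for the TOTP prompt")
    # AuthenticationMethods lists space-separated alternatives, each a comma list;
    # every alternative must include keyboard-interactive or MFA can be bypassed.
    alternatives = o.get("authenticationmethods", "").split()
    if not alternatives or not all("keyboard-interactive" in a.split(",") for a in alternatives):
        blockers.append("AuthenticationMethods does not require keyboard-interactive")
    if nullok:
        blockers.append("nullok is set: users without ~/.google_authenticator skip TOTP")
    if o.get("passwordauthentication", "yes") == "yes":
        advice.append("PasswordAuthentication is still yes; the article recommends no")

    return {"mfa_enforced": not blockers, "findings": blockers + advice}


if __name__ == "__main__":
    for name, sshd, pam in (("weak", WEAK_SSHD, PAM_NULLOK),
                            ("hardened", HARDENED_SSHD, PAM_STRICT)):
        result = audit(sshd, pam)
        print(name, "mfa_enforced =", result["mfa_enforced"])
        for finding in result["findings"]:
            print("  -", finding)
```

Run it against the real files (for example `audit(open("/etc/ssh/sshd_config").read(), open("/etc/pam.d/sshd").read())`) before removing nullok or closing the password fallback, and keep an existing SSH session open while you do so; `sshd -t` still has the final say on whether the file parses.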
