Two-factor authentication part 2 - 2FA with SSH

On any linux based server, it is possible to protect SSH with two-factor authentication using the Google Authenticator PAM module. This is actually easy to install and configure.

Login to your SSH server and install the module.

On Debian (or for instance Raspbian):
sudo apt-get install libpam-google-authenticator
On Fedora:
dnf install google-authenticator

Create the verification key for the user. I prefer to not allow root access to a server, so this step should be run as the user that should be able to login:
google-authenticator
You can answer y to most questions. Finally, you will get a QR code that can be scanned by your phone TOTP app (any standard TOTP application will do). Make sure to store the emergency codes in a safe place, such as a Keepass database or on a paper.

Now you need to make a few changes, so that PAM (which is responsible for authentication on most linux systems) asks for the verification code in addition to your password when logging in through SSH.

Edit the PAM config file for sshd:
sudo nano /etc/pam.d/sshd
 Add the following row to the top of the file:
auth required pam_google_authenticator.so
Edit sshd config:
sudo nano /etc/ssh/sshd_config
Change the following option to yes if it is set to no:
ChallengeResponseAuthentication yes
This will allow the sshd daemon to ask for other things than only the password, such as asking for the additional verification code that we added to the PAM configuration.

You can check sshd_config after any change with the following command:
sudo sshd -t
This will show any error in the sshd configuration and prevent you from being unable to connect to the server. Still, keep an additional terminal open to the server while doing any sshd or authentication changes.

Finally restart the sshd service:
sudo systemctl restart sshd.service
or on older systems:
sudo service sshd restart

Finished! Now you will be asked for the verification code when logging in through SSH in addition to your password.

Kommentarer

Skicka en kommentar

Populära inlägg i den här bloggen

Steelseries Arctis 7 headset in Linux

Bild
UPDATE. This headset works without modifications in Linux after the changes were committed to pulseaudio in 2017.  The Steelseries Arctis series headsets are very comfortable. You can wear this headset all day long thanks to the comfortable head strap. Steelseries Arctis 7 There are three models, Arctis 3, 5 and 7. The last one is the most expensive and has wireless connection. Arctis 5 is basically the same without wireless (only USB connection). Arctis 3 has only analog inputs. I've got the Arctis 7 model and of course I'm using it with Linux. There were some issues setting it up. It works fine in Alsa, the device is recognized. You do have to adjust sound levels, at least the mic has too low sound level. Use alsamixer on command line to adjust all volume levels for the headset to 100% (the two outputs and one input). But Pulseaudio has some issues. Only the mono device (chat output) and microphone is visible. This is because the headset uses a non-supported co...
Läs mer

Hard disk Firmware update on the Linux command line

Sometimes you will find that your hard disk is slow, or there are some other issues with disk performance. If you are lucky, the disk is not broken. It could have some firmware bugs, and if you are even more lucky, the manufacturer could have issued a firmware update. I've updated several hard disk firmwares in the past. Usually you have to use a boot disk with DOS or something to update the firmware. Why updating firmware? One of my hard disks in the past needed a new firmware because it was dropping out from a RAID controller. It began working fine after the firmware update. The latest hard disk that needed firmware update was Seagate 15k.7 ST3450857SS SAS. I noticed that the disks sometimes slowed down during writes and even stalled. I use two 450GB disks in software RAID 1. By googling I found that there were other people having similar problems with the same disk and that there were actually a firmware update available from Seagate. Also Dell, HP and IBM seems to ha...
Läs mer

Using IBM ServeRAID M1015 card in Linux

Bild
The FusionMPT SAS2 based cards by LSI are cheap RAID cards that perform well in RAID 0 and 1 under Linux with SSDs and ZFS arrays. They are used in many 1U servers with one or two disks. They are also a popular SAS 6.0 / SATA III controllers for enthusiasts. You can get them cheap on ebay. Before SATA III was common on motherboards, this was THE card to get. It can still be useful if you need SAS disks or additional disks or have a need for disk enclosures. It is identical to the LSI MegaRAID SAS 9220-8i. The same hardware is also used in LSI 9240 and LSI 9211. It is possible to use the BIOS from another card (crossflashing) to change the features of the card. There are a few different BIOS files you can use. Specifications:  Official LSI information 8-lane, 5 GT/s PCI Express 2.0 Identical to LSI 9240-8i card 6 Gb/s per port Two x4 internal SFF-8087 connectors Controller LSISAS2008 Low cost SATA+SAS RAID solution RAID levels 0, 1, 5, 10, 50 and JBOD mode >...
Läs mer