This tutorial will show you how to set up SSH two-factor authentication on Debian server using the well-known Google Authenticator. It will greatly improve the security of SSH service on your Debian server.

Normally, you only need to enter a password or use an SSH key to log in to your Debian server remotely. Two-factor authentication (2FA) requires you to enter two pieces of information in order to log in. So you will also need to enter a time-based one-time password to log in to your SSH server. This one-time password is computed using the TOTP algorithm, which is an IETF standard. These days many websites and services (Facebook, Google, Twitter, etc.) offer 2FA for users to secure their accounts, and it’s a good idea to also enable 2FA on your SSH server.

This tutorial will show you how to set up

Note: The open-source server software we will use in this article is called libpam-google-authenticator, which is installed from the default Debian repository. Google, the company, is not involved in the authentication process in any shape or form. The server software and the mobile app don’t need network access.

Step 1: Install and Configure Google Authenticator on Debian Server

Log into your Debian server and run the following command to install Google Authenticator from the default Debian package repository.

    sudo apt install -y libpam-google-authenticator

Then run the google-authenticator command to create a new secret key in your home directory. When asked “Do you want authentication tokens to be time-based?”, answer y. Then you will see a QR code that you can scan using a TOTP app on your phone.

Google Authenticator is the most well-known TOTP mobile app. You can install it via Google Play or the Apple App Store on your mobile phone. The Google Authenticator mobile app isn’t open-source. If you don’t trust Google, you can use FreeOTP, an open-source TOTP mobile app developed by Red Hat.

Scan the QR code with Google Authenticator or FreeOTP on your mobile phone. Note that you need to enlarge the terminal window to scan the full QR code. The QR code represents the secret key, which is only known by your SSH server and your TOTP mobile app. Once the QR code is scanned, you can see a six-digit one-time password on your phone. Enter this one-time password in the terminal window to confirm it’s correct.

Now in the terminal window, you can see the secret key, verification code, and emergency scratch code. It’s recommended that you save this information to a safe place for later use.

Then you can enter y to answer all of the remaining questions. This will update your Google Authenticator configuration file, disable multiple uses of the same authentication token, increase the time window and enable rate-limiting to protect against brute-force login attempts.

Step 2: Configure SSH Daemon to Use Google Authenticator

If you don’t use an SSH key, then follow the instructions below.

    sudo nano /etc/ssh/sshd_config

Find the following two parameters in the file and make sure both of them are set to yes.

PAM stands for pluggable authentication module. It provides an easy way to plug different authentication methods into your Linux system. To enable Google Authenticator with SSH, PAM and Challenge-Response authentication must be enabled.

If you want to allow the root user to use 2FA, then find the PermitRootLogin parameter and set its value to yes. It cannot be PermitRootLogin no or PermitRootLogin prohibit-password.

Next, edit the PAM rule file for the SSH daemon.

    sudo nano /etc/pam.d/sshd

At the beginning of this file, you can see the following line, which enables password authentication when ChallengeResponseAuthentication is set to yes.

To enable 2FA in SSH, add the following two lines.

    # two-factor authentication via Google Authenticator
    auth required pam_google_authenticator.so

Then restart the SSH daemon for the change to take effect.

    sudo systemctl restart ssh

From now on, the SSH daemon will require you to enter the user password and a verification code (the one-time password generated by Google Authenticator).

Please don’t end the current SSH session. You should open another terminal window to test two-factor authentication. In case something goes wrong, you can use the first SSH session to fix errors.
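A preflight check for the Step 2 edits, as an added example that is not part of the original tutorial: it reads the two files the tutorial edits and confirms that a per-user TOTP secret exists, so a lockout is caught before sshd is restarted. The function names and demo file names are hypothetical, the secret path is the tool's default `~/.google_authenticator`, and the sample files are constructed.

```shell
#!/usr/bin/env bash
# Added example: lockout preflight for the Step 2 edits; run it before
# restarting sshd. Assumption: a flat sshd_config (Include and Match blocks
# are not followed).

# Print the first value set for any of the '|'-separated keywords.
# sshd keywords are case-insensitive and the first occurrence wins.
sshd_value() {  # $1 = config file, $2 = keyword alternatives
  awk -v keys="$(printf %s "$2" | tr 'A-Z' 'a-z')" \
    'tolower($1) ~ "^(" keys ")$" { print tolower($2); exit }' "$1"
}

# check_ssh_2fa [sshd_config] [pam_file] [secret_file]; returns 0 if all pass.
check_ssh_2fa() {
  local cfg="${1:-/etc/ssh/sshd_config}" pam="${2:-/etc/pam.d/sshd}"
  local secret="${3:-$HOME/.google_authenticator}" rc=0
  local cr='ChallengeResponseAuthentication|KbdInteractiveAuthentication'
  if [ "$(sshd_value "$cfg" 'UsePAM')" != yes ]; then
    echo "FAIL: UsePAM is not 'yes' in $cfg"; rc=1
  fi
  # KbdInteractiveAuthentication is the newer OpenSSH name for this switch.
  if [ "$(sshd_value "$cfg" "$cr")" != yes ]; then
    echo "FAIL: challenge-response authentication is not 'yes' in $cfg"; rc=1
  fi
  # An active (uncommented) auth rule must load the module.
  if ! grep -Eiq '^[[:space:]]*auth[[:space:]].*pam_google_authenticator\.so' "$pam"; then
    echo "FAIL: no active pam_google_authenticator.so auth rule in $pam"; rc=1
  fi
  # With a "required" rule, a user without a secret file cannot log in.
  if [ ! -s "$secret" ]; then
    echo "FAIL: no TOTP secret at $secret (run google-authenticator first)"; rc=1
  fi
  [ "$rc" -eq 0 ] && echo "OK: 2FA prerequisites present"
  return "$rc"
}

# Constructed sample files standing in for the real ones.
demo_dir="$(mktemp -d)"
printf 'UsePAM yes\nChallengeResponseAuthentication yes\n' > "$demo_dir/sshd_good"
printf 'UsePAM yes\n#ChallengeResponseAuthentication yes\n' > "$demo_dir/sshd_bad"
printf 'auth required pam_google_authenticator.so\n' > "$demo_dir/pam_good"
printf '# auth required pam_google_authenticator.so\n' > "$demo_dir/pam_bad"
printf 'CONSTRUCTED-SECRET\n' > "$demo_dir/secret"
check_ssh_2fa "$demo_dir/sshd_good" "$demo_dir/pam_good" "$demo_dir/secret" || true
check_ssh_2fa "$demo_dir/sshd_bad" "$demo_dir/pam_bad" "$demo_dir/missing" || true
```

Called with no arguments as the login user, `check_ssh_2fa` reads the real `/etc/ssh/sshd_config` and `/etc/pam.d/sshd`; keep the first SSH session open while acting on any FAIL line.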