In this tutorial, we will learn how to configure multi-factor authentication (MFA) on the SSH access of a Linux server in order to strengthen authentication: in addition to the username and password, a one-time verification will need to be entered to authenticate to the server.
MFA is compatible with authentication by identifiers (user / password), but also with authentication by keys.
On the Linux server, we will have to install and configure Google PAM Authenticator, corresponding to the package “libpam-google-authenticator” (project page). On your smartphone, you can use the code generation application of your choice: FreeOTP, Microsoft Authenticator, Google Authenticator, etc… There is plenty of choice!
This configuration applies to different distributions, including Debian, Ubuntu, Fedora, Rocky Linux, etc… For my part, I am using a Debian 11 machine for this demonstration.
II. Installation and configuration of Google PAM Authenticator
Connect to your Linux server, update the package cache and install the package mentioned in the introduction:
sudo apt-get update
sudo apt-get install libpam-google-authenticator
Once the installation is done, we can move on to configuring the module. This step requires your smartphone with your OTP application at hand. Run this command:
Answer “y” to the first question for a QR code to be generated. This code must be scanned with your OTP application, from your smartphone.
Under the QR code, there is the question “Enter code from app“: enter the code displayed on your smartphone, and confirm, to check that it works correctly. Also write down the emergency codes in a safe place, in your favorite password manager, for example. These codes are for use only if you have any problem with the OTP app on your smartphone.
Then, you have to answer 4 questions to refine the configuration. For the configuration to be secure (protection against certain attacks), answer “y” (yes) to all of these questions. For example, this imposes a limit on connection attempts: 3 attempts every 30 seconds.
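To make the verification step concrete, here is an added example (not code from the tutorial or from the libpam-google-authenticator project) that computes the same time-based codes the smartphone app displays, and then checks a submitted code the way a server would, with two of the hardening behaviours just described: a code is never accepted twice, and at most 3 attempts are allowed per 30 seconds. The secret is a constructed sample (the 20-byte RFC 6238 test key, base32-encoded like the one stored in ~/.google_authenticator), and the verifier class, its ±1 step skew window and the return labels are assumptions of this example, not the PAM module's actual interface.

```python
import base64
import hashlib
import hmac
import struct

# Constructed sample secret: the RFC 6238 test key "12345678901234567890",
# base32-encoded the way google-authenticator stores a secret. Not a real secret.
SAMPLE_SECRET_B32 = base64.b32encode(b"12345678901234567890").decode()

STEP = 30    # seconds per code, as used by authenticator apps
DIGITS = 6   # length of the displayed code


def hotp(secret_b32: str, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP with HMAC-SHA1 and dynamic truncation."""
    key = base64.b32decode(secret_b32.upper() + "=" * (-len(secret_b32) % 8))
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret_b32: str, now: int, step: int = STEP) -> str:
    """RFC 6238 TOTP: HOTP over the current 30-second time step."""
    return hotp(secret_b32, now // step)


class OtpVerifier:
    """Server-side check (hypothetical, for illustration): tolerates a small
    clock skew, refuses replayed codes, and rate-limits attempts."""

    def __init__(self, secret_b32: str, window: int = 1,
                 max_attempts: int = 3, rate_seconds: int = 30):
        self.secret = secret_b32
        self.window = window              # steps accepted before/after "now"
        self.max_attempts = max_attempts  # 3 attempts ...
        self.rate_seconds = rate_seconds  # ... every 30 seconds
        self.used_counters = set()        # counters already consumed (no reuse)
        self.attempts = []                # timestamps of recent attempts

    def verify(self, code: str, now: int) -> str:
        # Drop attempts older than the rate window, then enforce the limit.
        self.attempts = [t for t in self.attempts if now - t < self.rate_seconds]
        if len(self.attempts) >= self.max_attempts:
            return "rate-limited"
        self.attempts.append(now)

        counter = now // STEP
        for c in range(counter - self.window, counter + self.window + 1):
            # Constant-time comparison avoids leaking which digits matched.
            if hmac.compare_digest(hotp(self.secret, c), code):
                if c in self.used_counters:
                    return "replayed"   # same code presented a second time
                self.used_counters.add(c)
                return "accepted"
        return "invalid"


if __name__ == "__main__":
    v = OtpVerifier(SAMPLE_SECRET_B32)
    t = 59
    code = totp(SAMPLE_SECRET_B32, t)
    print("code at t=59:", code)               # 287082 (RFC 6238 vector, 6 digits)
    print(v.verify(code, t))                   # accepted
    print(v.verify(code, t + 1))               # replayed
    print(v.verify("000000", t + 2))           # invalid
    print(v.verify("000000", t + 3))           # rate-limited (4th try in 30 s)
```

The first code printed matches the published RFC 6238 SHA-1 test vector for time 59, which is a quick way to confirm that a home-grown verifier agrees with the apps. The "replayed" and "rate-limited" outcomes are exactly the two situations that the "y" answers during setup guard against on the real server.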
Google PAM setup is complete! Let’s move on.
III. Enable MFA on SSH connection
Now we need to configure the Linux authentication module and SSH to rely on Google PAM to enable MFA. Start by modifying this file:
sudo nano /etc/pam.d/sshd
Add this line at the end of the file and save:
auth required pam_google_authenticator.so
If you want to allow login without MFA, for example for a user for whom MFA is not configured, add this option:
auth required pam_google_authenticator.so nullok
Then, it is the SSH server itself that must be configured. Open the SSH configuration file:
sudo nano /etc/ssh/sshd_config
Look for the option “ChallengeResponseAuthentication” and set it to “yes” instead of “no”.
To use MFA with authentication by keys (the following is not useful for authentication by login and password), the configuration is a little different… Because, in addition to the option that we have just activated, we must add this option:
Of course, this is in addition to the lines to disable password authentication and to enable the public key-based method:
PubkeyAuthentication yes
PasswordAuthentication no
Close the file and restart the SSH service to apply the changes:
sudo systemctl restart sshd
It’s time to test!
IV. SSH: testing the MFA connection
From a remote machine, initiate an SSH connection to your server where MFA is active, and log in with the user for whom we have just activated MFA. And then, surprise, a new step called “Verification code” is displayed! That’s when you have to open the code generator app on your smartphone, read the current code and enter it.
Following this connection, in the log “/var/log/auth.log”, you will see a line like this:
sshd(pam_google_authenticator): Accepted google_authenticator for flo
In the event that an incorrect code is entered, there will also be an entry in the logs recording this attempt. This event is interesting and may indicate a sign of compromise, as it shows that someone knows the username and password but is stuck on the second authentication factor.
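Since those failed-second-factor entries are the signal worth watching, here is an added example (not from the tutorial) that parses pam_google_authenticator lines out of auth.log text and reports users who passed the first factor but kept failing the verification code. The log lines are constructed samples: the “Accepted google_authenticator for flo” message is the one quoted above, while the “Invalid verification code for …” wording and the pid suffix are assumptions about what the module writes on a wrong code, so check them against your own /var/log/auth.log before relying on the pattern.

```python
import re
from collections import defaultdict

# Constructed sample lines in auth.log style. Host "srv", user "flo" and the
# addresses are made up; the wording of the failure message is an assumption.
SAMPLE_AUTH_LOG = """\
Mar  3 10:01:15 srv sshd(pam_google_authenticator)[2101]: Accepted google_authenticator for flo
Mar  3 10:07:40 srv sshd(pam_google_authenticator)[2188]: Invalid verification code for flo
Mar  3 10:07:51 srv sshd(pam_google_authenticator)[2188]: Invalid verification code for flo
Mar  3 10:08:03 srv sshd(pam_google_authenticator)[2188]: Invalid verification code for flo
Mar  3 10:08:20 srv sshd[2188]: error: PAM: Authentication failure for flo from 198.51.100.9
Mar  3 10:12:02 srv sshd(pam_google_authenticator)[2240]: Invalid verification code for alice
Mar  3 10:12:30 srv sshd(pam_google_authenticator)[2240]: Accepted google_authenticator for alice
"""

# Matches both "sshd(pam_google_authenticator): ..." (as quoted in the tutorial)
# and the variant with a "[pid]" suffix.
OTP_LINE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d+ \d\d:\d\d:\d\d) \S+ "
    r"sshd\(pam_google_authenticator\)(?:\[\d+\])?: "
    r"(?P<event>Accepted google_authenticator|Invalid verification code) for (?P<user>\S+)"
)


def parse_otp_events(log_text: str):
    """Yield (timestamp, user, accepted) for every second-factor decision."""
    events = []
    for line in log_text.splitlines():
        m = OTP_LINE.match(line)
        if m:
            events.append((m["ts"], m["user"], m["event"].startswith("Accepted")))
    return events


def otp_summary(log_text: str):
    """Per-user counts of accepted and rejected verification codes."""
    summary = defaultdict(lambda: {"accepted": 0, "invalid": 0, "last_invalid": None})
    for ts, user, ok in parse_otp_events(log_text):
        if ok:
            summary[user]["accepted"] += 1
        else:
            summary[user]["invalid"] += 1
            summary[user]["last_invalid"] = ts
    return dict(summary)


def suspicious_users(log_text: str, threshold: int = 3):
    """Users with at least `threshold` wrong codes: the password step was
    passed each time, so the credential is likely known to someone else."""
    return {
        user: info["invalid"]
        for user, info in otp_summary(log_text).items()
        if info["invalid"] >= threshold
    }


if __name__ == "__main__":
    for user, info in otp_summary(SAMPLE_AUTH_LOG).items():
        print(user, info)
    print("review:", suspicious_users(SAMPLE_AUTH_LOG))   # {'flo': 3}
```

Three rejected codes in a row for the same account, as in the sample for “flo”, is worth an alert and a password reset; a single typo followed by an accepted code, as for “alice”, is normal user behaviour. Feed the function the output of `journalctl -u ssh` or the auth.log file itself, and tune the threshold to the rate limit configured during setup.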
Now it’s up to you to configure your servers!