Configure MFA (Multi-Factor Authentication) on SSH with Google Authenticator

Enabling MFA (Multi-Factor Authentication) is strongly recommended if you have enabled user password SSH authentication. MFA adds an extra layer of security by requiring an additional form of authentication beyond just the password. This helps mitigate the risk of unauthorized access in case the password is compromised or stolen.

In this tutorial I will show you how to set up MFA using “libpam-google-authenticator” to require MFA for a specific user on an Ubuntu server. To begin, go ahead switch to root, or to another user with sudo privileges, and install “libpam-google-authenticator”

sudo apt-get install libpam-google-authenticator

Once you have “libpam-google-authenticator” installed switch to the user you want to enable MFA for and run:

sudo google-authenticator

Follow the onscreen instructions. The prompt “Do you want authentication tokens to be time-based (y/n)” refers to whether you want the MFA tokens to be generated based on time intervals. Time-based tokens change every few seconds and are considered more secure so answer “Y”. This will generate the secret key and display a QR code.

Next go to your mobile device, login to your app store and download an app called “Google Authenticator” Click on the “+” and select “Enter a setup key” to enter the newly generated secret key manually, or select  “Scan a QR code” to scan the generated QR code instead. 

This will add the authentication token to your Authenticator app, once you have the token added to your app, enter the 6 digit token in to the “Enter code from app (-1 to skip):” prompt in your terminal window, and hit “Enter” If your code is successfully confirmed, you will be presented with “emergency scratch codes”. Put these someplace safe! These codes serve as an alternative method of authentication in case the primary MFA method (such as a mobile device or authenticator app) is unavailable or lost.

Follow the onscreen instructions and answer the questions based on your preference, below are recommended settings, but you don’t have to follow them.

Do you want me to update your "/home/new_user/.google_authenticator" file? (y/n) y

Do you want to disallow multiple uses of the same authentication
token? This restricts you to one login about every 30s, but it increases
your chances to notice or even prevent man-in-the-middle attacks (y/n) y

By default, a new token is generated every 30 seconds by the mobile app.
In order to compensate for possible time-skew between the client and the server, we allow an extra token before and after the current time. This allows for a time skew of up to 30 seconds between authentication server and client. If you experience problems with poor time synchronization, you can increase the window from its default size of 3 permitted codes (one previous code, the current code, the next code) to 17 permitted codes (the 8 previous codes, the current code, and the 8 next codes). This will permit for a time skew of up to 4 minutes between client and server. Do you want to do so? (y/n) y

If the computer that you are logging into isn't hardened against brute-force
login attempts, you can enable rate-limiting for the authentication module.
By default, this limits attackers to no more than 3 login attempts every 30s.
Do you want to enable rate-limiting? (y/n) y

After the installation process has completed switch back to root, or another user with sudo privileges and open the PAM configuration file.

sudo nano /etc/pam.d/sshd

Add the following line at the top of the file to enforce MFA for the specific user:

auth required pam_google_authenticator.so

Save the changes and exit the editor. Then open the SSH configuration file.

sudo nano /etc/ssh/sshd_config

Locate the line that starts with ChallengeResponseAuthentication or KbdInteractiveAuthentication and set it to yes. If the line is commented out, uncomment it and change its value, if it does not exist add it to the file.

ChallengeResponseAuthentication yes

or

KbdInteractiveAuthentication yes

Save the changes and exit the editor. Restart the SSH service to apply the changes:

sudo service ssh restart

At this point MFA Authentication for your user should be all set. Remember to test the setup before fully relying on it. Ensure you have backup codes and alternative means of accessing the server in case of any issues with MFA.

To see this tutorial in action checkout the video version of it on YouTube!