{"id":474,"date":"2023-06-29T19:40:53","date_gmt":"2023-06-29T19:40:53","guid":{"rendered":"https:\/\/techtutelage.net\/?p=474"},"modified":"2025-05-18T05:05:17","modified_gmt":"2025-05-18T05:05:17","slug":"configure-mfa-multi-factor-authentication-on-ssh-with-google-authenticator","status":"publish","type":"post","link":"https:\/\/techtutelage.net\/?p=474","title":{"rendered":"Configure MFA (Multi-Factor Authentication) on SSH with Google Authenticator"},"content":{"rendered":"\n<p>Enabling MFA (Multi-Factor Authentication) is strongly recommended if you allow password authentication over SSH. MFA adds a second factor beyond the password, so a password that has been guessed, phished or leaked is not enough on its own to log in. <\/p>\n\n\n\n<p>In this tutorial I will show you how to set up MFA using \u201clibpam-google-authenticator\u201d for a user on an Ubuntu server. The PAM module implements standard TOTP (RFC 6238), so any compatible authenticator app will work, not only Google Authenticator. To begin, switch to root or to another user with sudo privileges and install \u201clibpam-google-authenticator\u201d:<\/p>\n\n\n\n<pre class=\"wp-block-code has-vivid-green-cyan-color has-black-background-color has-text-color has-background\"><code>sudo apt-get install libpam-google-authenticator<\/code><\/pre>\n\n\n\n<p>Once \u201clibpam-google-authenticator\u201d is installed, switch to the user you want to enable MFA for (for example <strong><em>su - new_user<\/em><\/strong>) and run the enrollment tool <strong><em>without<\/em><\/strong> sudo, so that the secret is written to that user\u2019s own home directory rather than root\u2019s:<\/p>\n\n\n\n<pre class=\"wp-block-code has-vivid-green-cyan-color has-black-background-color has-text-color has-background\"><code>google-authenticator<\/code><\/pre>\n\n\n\n<p>Follow the onscreen instructions. The prompt <em><strong>&#8220;Do you want authentication tokens to be time-based (y\/n)&#8221;<\/strong><\/em> asks whether codes should be derived from the current time (TOTP) or from a counter (HOTP). Time-based codes change every 30 seconds, so a code that someone observes expires almost immediately, whereas a counter-based code stays valid until it is used; answer <em><strong>\u201cY\u201d<\/strong><\/em>. 
This will generate the secret key and display a QR code.<\/p>\n\n\n\n<p>Next, on your mobile device open the app store and install \u201cGoogle Authenticator\u201d (or any other TOTP authenticator app). Tap the &#8220;<strong><em>+&#8221;<\/em><\/strong> and select <strong><em>\u201cEnter a setup key\u201d<\/em><\/strong> to type in the newly generated secret key manually, or select <strong><em>\u201cScan a QR code\u201d<\/em><\/strong> to scan the generated QR code instead. Treat the secret and the QR code as you would a password: anyone who captures them can generate your codes.<\/p>\n\n\n\n<p>This adds the account to your authenticator app. Once it is added, enter the 6-digit code it shows into the <strong><em>\u201cEnter code from app (-1 to skip):\u201d<\/em><\/strong> prompt in your terminal window and hit <strong><em>\u201cEnter\u201d<\/em><\/strong>. If the code is confirmed, you will be presented with <strong><em>\u201cemergency scratch codes\u201d<\/em><\/strong>. Put these someplace safe, preferably offline! Each scratch code can be used once, in place of an app-generated code, if the primary MFA method (such as a mobile device or authenticator app) is unavailable or lost.<\/p>\n\n\n\n<p>Follow the onscreen instructions and answer the remaining questions based on your preference. Below are the recommended settings, but you don\u2019t have to follow them.<\/p>\n\n\n\n<pre class=\"wp-block-code has-vivid-green-cyan-color has-black-background-color has-text-color has-background\"><code>Do you want me to update your \"\/home\/new_user\/.google_authenticator\" file? (y\/n) y<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-code has-vivid-green-cyan-color has-black-background-color has-text-color has-background\"><code>Do you want to disallow multiple uses of the same authentication\ntoken? 
This restricts you to one login about every 30s, but it increases\nyour chances to notice or even prevent man-in-the-middle attacks (y\/n) y<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-code has-vivid-green-cyan-color has-black-background-color has-text-color has-background\"><code>By default, a new token is generated every 30 seconds by the mobile app.\nIn order to compensate for possible time-skew between the client and the server, we allow an extra token before and after the current time. This allows for a time skew of up to 30 seconds between authentication server and client. If you experience problems with poor time synchronization, you can increase the window from its default size of 3 permitted codes (one previous code, the current code, the next code) to 17 permitted codes (the 8 previous codes, the current code, and the 8 next codes). This will permit for a time skew of up to 4 minutes between client and server. Do you want to do so? (y\/n) y<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-code has-vivid-green-cyan-color has-black-background-color has-text-color has-background\"><code>If the computer that you are logging into isn't hardened against brute-force\nlogin attempts, you can enable rate-limiting for the authentication module.\nBy default, this limits attackers to no more than 3 login attempts every 30s.\nDo you want to enable rate-limiting? 
(y\/n) y<\/code><\/pre>\n\n\n\n<p>Enrollment is now complete for that user; if you want MFA for other accounts, repeat the enrollment as each of those users. Next switch back to root, or another user with sudo privileges, and open the PAM configuration file for sshd:<\/p>\n\n\n\n<pre class=\"wp-block-code has-vivid-green-cyan-color has-black-background-color has-text-color has-background\"><code>sudo nano \/etc\/pam.d\/sshd<\/code><\/pre>\n\n\n\n<p>Add the following line to the file. Placing it directly after the <strong><em>@include common-auth<\/em><\/strong> line makes sshd ask for the password first and the verification code second; placing it at the very top reverses that order. Note that this line applies to <strong><em>every<\/em><\/strong> account that logs in through sshd with a password, not only the user you just enrolled: a user who has no <strong><em>~\/.google_authenticator<\/em><\/strong> file will no longer be able to log in. If other users still need to enroll, append the option <strong><em>nullok<\/em><\/strong> to the line so that un-enrolled users are let through on password alone, and remove it once MFA should be mandatory for everyone.<\/p>\n\n\n\n<pre class=\"wp-block-code has-vivid-green-cyan-color has-black-background-color has-text-color has-background\"><code>auth required pam_google_authenticator.so<\/code><\/pre>\n\n\n\n<p>Save the changes and exit the editor. Then open the SSH server configuration file:<\/p>\n\n\n\n<pre class=\"wp-block-code has-vivid-green-cyan-color has-black-background-color has-text-color has-background\"><code>sudo nano \/etc\/ssh\/sshd_config<\/code><\/pre>\n\n\n\n<p>Locate the line that starts with <strong><em>ChallengeResponseAuthentication<\/em><\/strong> (older OpenSSH releases) or <strong><em>KbdInteractiveAuthentication<\/em><\/strong> (OpenSSH 8.7 and later, including Ubuntu 22.04) and set it to <strong><em>yes<\/em><\/strong>. If the line is commented out, uncomment it and change its value; if it does not exist, add it to the file. Also confirm that <strong><em>UsePAM<\/em><\/strong> is set to <strong><em>yes<\/em><\/strong> (the Ubuntu default), since the module is loaded through PAM.<\/p>\n\n\n\n<pre class=\"wp-block-code has-vivid-green-cyan-color has-black-background-color has-text-color has-background\"><code>ChallengeResponseAuthentication yes<\/code><\/pre>\n\n\n\n<p>or<\/p>\n\n\n\n<pre class=\"wp-block-code has-vivid-green-cyan-color has-black-background-color has-text-color has-background\"><code>KbdInteractiveAuthentication yes<\/code><\/pre>\n\n\n\n<p>Be aware that this adds the second factor to password (keyboard-interactive) logins only. A user who authenticates with an SSH key is not sent through the PAM auth stack and will not be asked for a code; if you want key holders to present a code as well, add <strong><em>AuthenticationMethods publickey,keyboard-interactive<\/em><\/strong> to the file.<\/p>\n\n\n\n<p>Save the changes and exit the editor. Check the configuration for syntax errors with <strong><em>sudo sshd -t<\/em><\/strong> (it prints nothing when the file is valid), then restart the SSH service to apply the changes:<\/p>\n\n\n\n<pre class=\"wp-block-code has-vivid-green-cyan-color has-black-background-color has-text-color has-background\"><code>sudo service ssh restart<\/code><\/pre>\n\n\n\n<p>At this point MFA for your user should be all set. Test the setup before fully relying on it: leave your current session open and log in from a second terminal, so that a mistake in the PAM or sshd configuration does not lock you out. 
Ensure you have backup codes and alternative means of accessing the server in case of any issues with MFA.<\/p>\n\n\n\n<p>To see this tutorial in action checkout the video version of it on YouTube!<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Enabling MFA (Multi-Factor Authentication) is strongly recommended if you have enabled user password SSH authentication. MFA adds an extra layer of security by requiring an additional form of authentication beyond just the password. This helps mitigate the risk of unauthorized access in case the password is compromised or stolen. In this tutorial I will show [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[9,1],"tags":[],"class_list":["post-474","post","type-post","status-publish","format-standard","hentry","category-tutorials","category-uncategorized"],"_links":{"self":[{"href":"https:\/\/techtutelage.net\/index.php?rest_route=\/wp\/v2\/posts\/474","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/techtutelage.net\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/techtutelage.net\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/techtutelage.net\/index.php?rest_route=\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/techtutelage.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=474"}],"version-history":[{"count":4,"href":"https:\/\/techtutelage.net\/index.php?rest_route=\/wp\/v2\/posts\/474\/revisions"}],"predecessor-version":[{"id":478,"href":"https:\/\/techtutelage.net\/index.php?rest_route=\/wp\/v2\/posts\/474\/revisions\/478"}],"wp:attachment":[{"href":"https:\/\/techtutelage.net\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=474"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/techtutelage.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories
&post=474"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/techtutelage.net\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=474"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
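As an added example (not code from the original tutorial), the POSIX shell helpers below perform the PAM and sshd_config edits from the steps above in an idempotent way, so they can be rerun safely and rehearsed on copies of the files before touching /etc. The function names set_sshd_option, ensure_pam_mfa and check_secret_file, the script name mfa-ssh.sh and the default paths /etc/pam.d/sshd and /etc/ssh/sshd_config are my own assumptions (the paths are the Ubuntu defaults). set_sshd_option handles the three cases the tutorial describes (directive present, commented out, or absent); ensure_pam_mfa adds the pam_google_authenticator line once, after @include common-auth, with nullok by default so un-enrolled users are not locked out; check_secret_file confirms a user's .google_authenticator file is readable only by its owner.

```shell
#!/bin/sh
# Added example, not part of the original tutorial: idempotent helpers that make the
# /etc/pam.d/sshd and /etc/ssh/sshd_config edits described above. Each function takes
# the file to edit as an argument, so you can rehearse on copies before touching /etc.
# Assumed paths (Ubuntu defaults): /etc/pam.d/sshd and /etc/ssh/sshd_config.

# set_sshd_option FILE KEY VALUE
# Covers the three cases from the tutorial: directive present (replace its value),
# present but commented out (uncomment and set), absent (append). Only the first
# occurrence is rewritten; directives inside a "Match" block are not handled.
set_sshd_option() {
    file=$1
    key=$2
    value=$3
    tmp=$(mktemp)
    awk -v key="$key" -v value="$value" '
        {
            line = $0
            sub(/^[ \t]*#?[ \t]*/, "", line)        # strip indentation and a leading "#"
            if (!done && (line == key || index(line, key " ") == 1 || index(line, key "\t") == 1)) {
                print key " " value
                done = 1
                next
            }
            print
        }
        END { if (!done) print key " " value }
    ' "$file" > "$tmp" && cat "$tmp" > "$file"   # cat keeps the owner and mode of FILE
    rm -f "$tmp"
}

# ensure_pam_mfa PAMFILE [OPTIONS]
# Adds "auth required pam_google_authenticator.so" once. OPTIONS defaults to "nullok",
# which lets users who have not yet run google-authenticator log in on password alone;
# pass "" to make the code mandatory for every account. The line goes right after
# "@include common-auth" so the password is asked first, then the verification code.
ensure_pam_mfa() {
    file=$1
    opts=${2-nullok}
    line="auth required pam_google_authenticator.so${opts:+ $opts}"
    if grep -q 'pam_google_authenticator\.so' "$file"; then
        return 0    # already present; a second copy would prompt for the code twice
    fi
    tmp=$(mktemp)
    awk -v line="$line" '
        { print }
        /^@include[ \t]+common-auth/ && !done { print line; done = 1 }
        END { if (!done) print line }
    ' "$file" > "$tmp" && cat "$tmp" > "$file"
    rm -f "$tmp"
}

# check_secret_file PATH
# Returns 0 when the user's .google_authenticator file exists and is readable only by
# its owner (google-authenticator creates it mode 0400). It holds the TOTP secret and
# the unused scratch codes, so anything wider than 0600 is a finding.
check_secret_file() {
    [ -f "$1" ] || { echo "missing: $1" >&2; return 1; }
    mode=$(ls -ld "$1" | cut -c1-10)
    case $mode in
        -r--------|-rw-------) return 0 ;;
        *) echo "too permissive ($mode): $1" >&2; return 1 ;;
    esac
}

# Apply to the live system (as root). Nothing below runs unless "apply" is passed, so
# the file can be sourced for its functions without touching anything.
if [ "${1:-}" = "apply" ]; then
    ensure_pam_mfa /etc/pam.d/sshd
    key=ChallengeResponseAuthentication
    if grep -Eq '^[[:space:]]*#?[[:space:]]*KbdInteractiveAuthentication' /etc/ssh/sshd_config; then
        key=KbdInteractiveAuthentication           # OpenSSH 8.7+ name; the old one is an alias
    fi
    set_sshd_option /etc/ssh/sshd_config "$key" yes
    set_sshd_option /etc/ssh/sshd_config UsePAM yes
    if sshd -t; then                               # restart only if the config parses
        systemctl restart ssh
    else
        echo 'sshd_config did not validate; not restarting' >&2
        exit 1
    fi
fi
```

Run it as root with `sh mfa-ssh.sh apply` on the server, ideally with an existing session kept open; to test the edits first, source the file (`. ./mfa-ssh.sh`) and point the functions at copies of the two configuration files. Once every account has enrolled, rerun ensure_pam_mfa with "" as the second argument, or simply delete the word nullok from /etc/pam.d/sshd, to make the code mandatory.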