How to Set up SSH Two Factor Authentication on Ubuntu 16.04 with Google Authenticator

This tutorial will show you how to set up SSH two factor authentication on Ubuntu 16.04 server using the well-known Google Authenticator. Once you set it up, the security of your SSH server will be hugely increased.

How Google Authenticator Works

Two factor authentication, also known as two-step verification, requires you to enter two pieces of information in order to log in. Google Authenticator generates a one-time password using a shared secret key and the current time.

Not only do you need to provide the correct username and password, but also have to enter a one-time password generated by Google Authenticator to log in to your SSH server.

Please note that enabling SSH two factor authentication with Google Authenticator will also enable password authentication. If you use public key authentication only, then you may not want to do this. If you have some system that must allow password authentication, then this is a good way to make your system more secure.

Without further ado, let’s see how to set up SSH two factor authentication on Ubuntu 16.04 server.

Step 1: Install and Configure Google Authenticator on Ubuntu 16.04 Server

Log into your Ubuntu server and run the following command to install Google Authenticator from the default Ubuntu package repository.

sudo apt install libpam-google-authenticator

Then run the google-authenticator command to create a new secret key in your home directory.

google-authenticator

When asked “Do you want authentication tokens to be time-based?”, answer y. You will then be shown a QR code that you can scan using the Google Authenticator mobile app.


Install the Google Authenticator app from Google Play or the Apple App Store on your mobile phone and scan the QR code. The QR code represents the secret key, which is known only to your SSH server and your Google Authenticator app. Once the QR code is scanned, you can see a six-digit one-time password on your phone. By default each code is valid for 30 seconds.


You can also see the secret key, verification code and emergency scratch codes in the terminal window. It’s recommended to save this information in a safe place for later use.

Then you can enter y to answer all of the remaining questions. This will update your Google Authenticator configuration file, disable multiple uses of the same authentication token, increase the time window and enable rate-limiting to protect against brute-force login attempts.
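To make the "shared secret plus current time" description above and the reuse and time-window options just mentioned concrete, here is an added example (not code from the tutorial or from libpam-google-authenticator) that computes and verifies a TOTP code the way the PAM module and the phone app do. The secret is the RFC 6238 test key in base32, a constructed value; the function and variable names are mine.

```python
import base64
import hashlib
import hmac
import struct

# Base32 secret in the form google-authenticator prints and stores on the first
# line of ~/.google_authenticator. This one is the RFC 6238 test secret
# ("12345678901234567890"), a constructed value, not a real key.
TEST_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def totp(secret_b32, unix_time, step=30, digits=6):
    """Time-based one-time password (RFC 6238 with HMAC-SHA1), the scheme
    libpam-google-authenticator and the phone app both implement."""
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)
    key = base64.b32decode(padded)
    counter = unix_time // step                       # which 30-second window
    msg = struct.pack(">Q", counter)                  # 8-byte big-endian counter
    digest = hmac.new(key, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                        # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def verify(secret_b32, submitted, unix_time, step=30, window=1, used_counters=None):
    """Server-side check: accept the code for the current window or `window`
    steps on either side (tolerates clock skew), and refuse a window whose code
    was already accepted (the 'disallow reuse' option in google-authenticator)."""
    current = unix_time // step
    for counter in range(current - window, current + window + 1):
        expected = totp(secret_b32, counter * step, step)
        if hmac.compare_digest(expected, submitted):
            if used_counters is not None:
                if counter in used_counters:
                    return False                      # replayed token
                used_counters.add(counter)
            return True
    return False


if __name__ == "__main__":
    import time
    print("current code:", totp(TEST_SECRET_B32, int(time.time())))
```

Run on a machine whose clock is in sync and the printed code matches what the phone app shows for the same secret; feed the same code twice to verify() with a shared used_counters set and the second attempt is rejected.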


Step 2: Configure SSH Daemon to Use Google Authenticator

Open SSH server configuration file.

sudo nano /etc/ssh/sshd_config

PAM stands for pluggable authentication module. It provides an easy way to plug different authentication methods into your Linux system. To enable Google Authenticator with SSH, PAM and challenge-response authentication must both be enabled. So find the following two lines in the file, and make sure both of them are set to yes.

UsePAM yes

ChallengeResponseAuthentication yes

Save and close the file. Then restart SSH daemon.

sudo systemctl restart ssh

Next, edit the PAM rule file for SSH daemon.

sudo nano /etc/pam.d/sshd

Add the following entry at the end of the file.

auth required pam_google_authenticator.so

Save and close the file. From now on SSH daemon will use Google Authenticator.

Step 3: Test Your SSH Two Factor Authentication

Now open a separate terminal window and try logging into your SSH server. Do not close your current SSH session. If something goes wrong, you can fix it in your current SSH session. If everything is set up correctly, you will be asked to enter both your user password and the one time password.

Also note that each user on your Ubuntu 16.04 server needs to run the google-authenticator command and scan the resulting QR code in order to use two-factor authentication.

Emergency Scratch Code

Emergency scratch codes are your backup codes. If you lose your phone, you can enter one of the five emergency scratch codes instead of a one-time password to complete the two-step verification. Note that each of these codes can be used only once.

Using a Second Phone

If you have a second phone, you can install the Google Authenticator app on it and enter the secret key manually. This has the same effect as scanning the QR code.

If you want to change the secret key, simply log into your server and run the google-authenticator command again to update the ~/.google_authenticator file.

Time Synchronization

Since the one-time password is computed from the shared secret key and the current time, it’s a good idea to enable NTP time synchronization on your Ubuntu 16.04 server.

I hope this tutorial helped you set up SSH two factor authentication on Ubuntu 16.04 server. As always, if you found this post useful, then subscribe to our free newsletter.
