The importance of systems security cannot be denied in the field of information security. Taking effective preventive measures helps you safeguard your systems from unauthorized access. There are many traditional ways to make your systems secure by using strong passwords, private keys, or by using token-based authentication but adding multiple layers of security makes your systems more secure and prevents unauthorized access.

In this article, we are going to show how you can add an additional layer of security to your systems by using Multi-Factor Authentication. In Multi-Factor Authentication users have to provide more than one verification in the form of tokens generated by a third-party application. Multi-Factor Authentication can be applied to any application that requires login information but in this tutorial, we will be covering the steps for SSH in Linux. There are many applications available to provide token-based authentication, like Google Authenticator and FreeOTP. We will be using Google Authenticator in this article.

Prerequisites:

The basic requirements to perform this task is to have a Linux system running RHEL/CentOS with sudo rights with internet access to install the required authenticator and remote ‘ssh’ access on the server.

Let’s log in to your system and update with the latest repositories.

Make sure that it has EPEL repo installed as well if not then you can install it by using the below command.

Install Google Authenticator:

To install Google Authenticator in your system, run the command below on your system.

To confirm the package installation type ‘y’ to continue.

Confirm the package installation

Configure Google-Authenticator:

Once you have installed the package, we need to configure its first by using the command below on your system.

Next, you need to confirm if authentication tokens to be time-based.

Google-authenticator

In the furthermore configuration settings, you will be asked about some more settings to disallow multiple uses of the same authentication token and to enable rate-limiting for the authentication module. Select your parameters as ‘yes’ for all to continue.

Select your parameters

Configure PAM SSH for OTP CODE:

After the installation and configuration of Google Authenticator, now we are going to configure it with the OpenSSH PAM to use OTP code using the PAM sshd configurations.

In Linux systems, PAM stands for Pluggable Authentication Module which is used for authentication.

Before making any changes in the original configuration file, first, make sure to take its backup and then open it using your editor to make the required changes.

Adding this line in the pam sshd configuration allows it to be used with Google Authenticator for OTP code generation.

If you want to disable password authentication then comment out the below line in the same pam sshd conf file.

Save and Close the configuration file after making the required changes.

Configure SSH for OTP Display:

In order to get the OTP (One time Pass) work, we need to make some configuration parameter changes in the OpenSSH configuration file as below.

Updating the ChallengeResponseAuthentication from ‘no’ to ‘yes’ will let the ssh to ask for the OTP response code.

After making the required changed, save and close the file and run the command to restart sshd service.

Configure SSH for OTP Display

Testing Multifactor SSH Authentication:

Once we are done with all required configurations update, let’s test it by creating a duplicate session where you will be asked for the password first and then the OTP verification as shown below.

Testing Multifactor SSH Authentication

You will get the verification code on your Google Authenticator Android Mobile App, upon successful verification you will gain access to your system.

StarWind HyperConverged Appliance is a turnkey hyper-converged hardware platform fitted into a small two-node footprint. You don’t need anything else to build a budget-friendly new IT infrastructure or upgrade an existing one. All your systems will be “babysitted” by StarWind 24/7/365, troubleshooting any concerns without your involvement. Everything’s operated through a neat web UI. We’ll also migrate your workloads at no extra cost.

Dramatically decrease your CapEx, OpEx, and IT management costs, while visibly increasing return on investment (ROI) with hyperconvergence for ROBO, SMB & Edge from StarWind.

Conclusion:

By the end of this article, you have learned about setting up the multi-factor authentication for ssh using the Google Authenticator. Now, every time a user needs to log in on their system, they need to enter the password first and then be required to provide the OTP verification key, which makes your system more secure. It makes it really difficult for hackers to gain the system’s access because of Multi-Factor Authentication.

Views All Time
6
Views Today
24
Back to blog
The following two tabs change content below.
Karim Buzdar
Karim Buzdar
Karim Buzdar holds a degree in telecommunication engineering and holds several sysadmin certifications. As an IT engineer and technical author, he writes for various websites.