The importance of systems security cannot be denied in the field of information security. Taking effective preventive measures helps you safeguard your systems from unauthorized access. There are many traditional ways to make your systems secure by using strong passwords, private keys, or by using token-based authentication but adding multiple layers of security makes your systems more secure and prevents unauthorized access.
In this article, we are going to show how you can add an additional layer of security to your systems by using Multi-Factor Authentication. In Multi-Factor Authentication users have to provide more than one verification in the form of tokens generated by a third-party application. Multi-Factor Authentication can be applied to any application that requires login information but in this tutorial, we will be covering the steps for SSH in Linux. There are many applications available to provide token-based authentication, like Google Authenticator and FreeOTP. We will be using Google Authenticator in this article.
Prerequisites:
The basic requirements to perform this task is to have a Linux system running RHEL/CentOS with sudo rights with internet access to install the required authenticator and remote ‘ssh’ access on the server.
Let’s log in to your system and update with the latest repositories.
|
1 |
# yum update -y |
Make sure that it has EPEL repo installed as well if not then you can install it by using the below command.
|
1 |
# yum install <a href="https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm">https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm</a> |
Install Google Authenticator:
To install Google Authenticator in your system, run the command below on your system.
|
1 |
# yum install google-authenticator |
To confirm the package installation type ‘y’ to continue.
Configure Google-Authenticator:
Once you have installed the package, we need to configure its first by using the command below on your system.
|
1 |
# google-authenticator |
Next, you need to confirm if authentication tokens to be time-based.
In the furthermore configuration settings, you will be asked about some more settings to disallow multiple uses of the same authentication token and to enable rate-limiting for the authentication module. Select your parameters as ‘yes’ for all to continue.
Configure PAM SSH for OTP CODE:
After the installation and configuration of Google Authenticator, now we are going to configure it with the OpenSSH PAM to use OTP code using the PAM sshd configurations.
In Linux systems, PAM stands for Pluggable Authentication Module which is used for authentication.
Before making any changes in the original configuration file, first, make sure to take its backup and then open it using your editor to make the required changes.
|
1 2 3 4 5 |
# cp /etc/pam.d/sshd /etc/pam.d/sshd.org # vim /etc/pam.d/sshd auth required pam_google_authenticator.so nullok |
Adding this line in the pam sshd configuration allows it to be used with Google Authenticator for OTP code generation.
If you want to disable password authentication then comment out the below line in the same pam sshd conf file.
|
1 |
auth substack password-auth |
Save and Close the configuration file after making the required changes.
Configure SSH for OTP Display:
In order to get the OTP (One time Pass) work, we need to make some configuration parameter changes in the OpenSSH configuration file as below.
|
1 2 3 |
# vim /etc/ssh/sshd_config ChallengeResponseAuthentication yes |
Updating the ChallengeResponseAuthentication from ‘no’ to ‘yes’ will let the ssh to ask for the OTP response code.
After making the required changed, save and close the file and run the command to restart sshd service.
|
1 2 3 |
# systemctl restart sshd # systemctl status sshd |
Testing Multifactor SSH Authentication:
Once we are done with all required configurations update, let’s test it by creating a duplicate session where you will be asked for the password first and then the OTP verification as shown below.
You will get the verification code on your Google Authenticator Android Mobile App, upon successful verification you will gain access to your system.
Conclusion:
By the end of this article, you have learned about setting up the multi-factor authentication for ssh using the Google Authenticator. Now, every time a user needs to log in on their system, they need to enter the password first and then be required to provide the OTP verification key, which makes your system more secure. It makes it really difficult for hackers to gain the system’s access because of Multi-Factor Authentication.
