Secure SSH with Google Authenticator

posted in: General | 0

Securing SSH with Google Authenticator (TOTP) is easy to do and adds security to your server quickly.

Ill outline how to do it below:

Install Google Authenticator
To begin we need to install the Google Authenticator PAM module, to install it on ubuntu use the code below:

sudo apt-get install libpam-google-authenticator
(This will only install the PAM module we will need to activate it manually later on)

Create an Authentication Key
Login as the user you want to be securing and run:

google-authenticator

It will then ask you some questions on how you would like it to behave.
Once done it will present you with a secret key and some “emergency scratch codes“, write these codes down as they are one use codes which are just incase you loose your phone.
Enter the security key in the Google Authenticator app on either your Android, Apple or Blackberry device.
You need to do this for every user you intend on using with SSH.

Activate Google Authenticator
First off run the following:

sudo nano /etc/pam.d/sshd

Then add the following line to the end of the file:

auth required pam_google_authenticator.so

Next open:

sudo nano /etc/ssh/sshd_config

and then find the ChallengeResponseAuthentication line and change as follows:

ChallengeResponseAuthentication yes

Finally restart the SSH server:

sudo service ssh restart

That’s it… easy eh?

Leave a Reply