How to Setup Two-Factor Authentication (2FA) for SSH on Debian 9 Using Google Authenticator
There are several ways of logging into a server over SSH. Methods include password login, key-based login and two-factor authentication.
Two-factor authentication is a much better type of protection. In the event that your computer gets compromised, the attacker would still need an access code to login.
In this tutorial, you will learn how to set up two-factor authentication on Debian 9 using Google Authenticator and SSH.
- A Debian 9 server (or newer).
- A non-root user with sudo access.
- A smart phone (Android or iOS) with the Google Authenticator App installed. You can also use Authy or any other app supporting Time-based One-Time Password (TOTP) logins.
Step 1: Installing the Google Authenticator Library
We need to install the Google Authenticator Library module available for Debian, which will allow the server to read and validate codes.
sudo apt update sudo apt install libpam-google-authenticator -y
Step 2: Configure Google Authenticator for each user
Configure the module.
Once you run the command, you will be asked certain questions. The first question will be
Do you want authentication tokens to be time-based (y/n)
Press Y and you will get a QR code, secret key, verification code, and emergency backup codes.
Take out your phone and open the Google Authenticator app. You can either scan the QR code or add the secret key to add a new entry. Once you have done that, note the backup codes and keep them safe somewhere. In case your phone gets misplaced or damaged, you can use those codes to login.
For the remaining questions, press Y when asked to update the
.google_authenticator file, Y for disallowing multiple uses of the same token, N for increasing the time-window and Y to enable rate-limiting.
You will have to repeat this step for all of the users on your machine, otherwise they won't be able to login once you are through with this tutorial.
Step 3: Configure SSH to use Google Authenticator
Now that all users on your machine have set up their Google authenticator app, its time to configure the SSH to use this authentication method over the current one.
Enter the following command to edit the
sudo nano /etc/pam.d/sshd
Find the line
@include common-auth and comment it out, like what is shown below.
# Standard Un*x authentication. #@include common-auth
Add the following line to the bottom of this file.
auth required pam_google_authenticator.so
Press CTRL + X to save and exit.
Next, enter the following command to edit the
sudo nano /etc/ssh/sshd_config
Find the term
ChallengeResponseAuthentication and set its value to
yes. Also find the term
PasswordAuthentication, uncomment it, and change its value to
# Change to no to disable tunnelled clear text passwords PasswordAuthentication no
The next step is to add the following line to the bottom of the file.
Save and close the file by pressing CTRL + X. Now that we have configured the SSH server to use the Google Authenticator, its time to restart it.
sudo service ssh restart
Try logging back into the server. This time you will be asked for your Authenticator code.
ssh user@serverip Authenticated with partial success. Verification code:
Enter the code that your app generates and you will be logged in successfully.
In case you lose your phone, use the backup codes from Step 2. If you lost your backup codes, you can always find them in the
.google_authenticator file under the user home directory after you login via the Vultr console.
Having two-factor authentication greatly improves your server's security and allows you to help thwart common brute force attacks.