How to Install and Enable SSH Multi-Factor Authentication for Linux Systems


Introduction

Before we explain how to install and enable SSH multi-factor authentication for Linux systems, let's briefly cover what SSH is.

SSH (Secure Shell) is a widely used protocol for securely accessing and managing remote Linux systems. By enabling multifactor authentication (MFA) for SSH, you add another layer of security to protect your systems from unauthorized access.

To gain remote access to Linux servers and systems, users commonly use the Secure Shell (SSH) protocol. It gives them a secure, encrypted connection for remote system management and administration.

While SSH can be accessed with just a username and password, doing so exposes your systems to brute-force attacks, password guessing, and other security risks. This is where Multi-Factor Authentication (MFA) comes in.

This tutorial will provide an overview of how to install and enable SSH MFA on Linux systems. We will also address a few FAQs on how to install and enable SSH multifactor authentication for Linux systems.

Advantages of SSH Multi-Factor Authentication

  1. Increased Security: By requiring multiple authentication factors, SSH MFA significantly increases the security of your remote Linux systems, protecting against unauthorized access even if passwords are compromised.
  2. Reduced Risk of Credential Theft: MFA makes it more difficult for attackers to gain unauthorized access to your systems by requiring an additional factor beyond just a username and password.
  3. Flexible Authentication Methods: SSH MFA supports various authentication methods, including passwords, SSH keys, hardware tokens, and software-based tokens. This flexibility allows you to choose the option that best suits your security requirements.
  4. Compatibility with Third-Party Authentication Tools: Many SSH MFA implementations, such as Google Authenticator and FreeOTP, integrate with popular authentication apps and services, providing seamless and secure multi-factor authentication options.
  5. Support for Compliance Requirements: Enabling SSH MFA can help fulfill compliance requirements for certain regulations or security standards, such as PCI DSS (Payment Card Industry Data Security Standard) or HIPAA (Health Insurance Portability and Accountability Act).

How to Prepare Your Linux System for MFA

Before installing and configuring MFA, make sure your Linux system is up-to-date and has all essential packages installed. On an apt-based system, update it with the following command:

sudo apt update && sudo apt upgrade -y

After updating your system, you need PAM (Pluggable Authentication Modules) installed, because the MFA module for SSH is loaded through PAM.

Installing and Setting Up a Supported MFA Method

For SSH access, a number of MFA options are available, including YubiKey, Duo Security, and Google Authenticator. This section focuses on setting up Google Authenticator, a popular and simple MFA option for SSH.

The following instructions will show you how to install and set up Google Authenticator for SSH MFA:

Step 1: Create a New User

First, create the user that will log in over SSH. The following command creates a new user:

sudo adduser <username>

Replace <username> with the name of the user you want to create.

Step 2: Switch to the New User

Next, switch to the new user with the following command:

su - <username>

Your system will ask you to enter the new user's password.

Step 3: Install Google Authenticator

Install the Google Authenticator PAM module with this command:

sudo apt install libpam-google-authenticator -y

An example of the output from the previous command is shown below:

This output shows apt installing the "libpam-google-authenticator" package together with its dependency, "libqrencode4". The -y option automatically accepts the installation prompt. The output also reports the progress of the installation, including the download, the packages installed, and the additional disk space used. Finally, it shows that the installation and the relevant post-installation triggers completed successfully.

Step 4: Generate a New Secret Key

Generate a new secret key for the user by running:

google-authenticator

Your system will ask you a few questions, including the ones listed below:

  • Do you want time-based authentication tokens (y/n)? y
  • Do you want your "/home/yourusername/.google_authenticator" file to be updated (y/n)? y
  • Do you want to prohibit using the same authentication token more than once? (y/n) y
  • Would you like to activate rate-limiting? (y/n) y

For most of the questions, you can accept the default answers. Choose "y" when asked whether you want the "/home/<username>/.google_authenticator" file to be updated, so that the configuration file is written.

The command generates a new secret key for the user; the authenticator app uses this key to generate the one-time passwords for MFA.
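To show what the secret key produced above is actually used for, here is an added example (not code from the original article or from the google-authenticator project) that derives time-based one-time passwords from a base32 secret the way the app and the PAM module both do (RFC 4226 HOTP under RFC 6238 TOTP), and mirrors two of the prompts answered above on the verifying side: a small clock-skew window and the "do not allow the same token more than once" rule. The TotpVerifier class, its window size and the use of the RFC 6238 test key are assumptions of this example; the google-authenticator file keeps its own settings.

```python
import base64
import hashlib
import hmac
import struct
import time


def hotp(secret_b32: str, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter,
    followed by dynamic truncation to `digits` decimal digits."""
    # The secret is stored base32-encoded, often without '=' padding;
    # re-pad it before decoding.
    raw = secret_b32.strip().upper()
    key = base64.b32decode(raw + "=" * (-len(raw) % 8))
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret_b32: str, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step)."""
    return hotp(secret_b32, unix_time // step, digits)


class TotpVerifier:
    """Server-side check (example only): accept a code from the current
    time step or `window` steps either side, and never accept the same
    time step twice (the 'prohibit reuse' option from the prompts)."""

    def __init__(self, secret_b32: str, window: int = 1, step: int = 30):
        self.secret = secret_b32
        self.window = window
        self.step = step
        self.used_counters = set()  # time steps already redeemed

    def verify(self, code: str, unix_time: int) -> bool:
        current = unix_time // self.step
        for delta in range(-self.window, self.window + 1):
            counter = current + delta
            expected = hotp(self.secret, counter)
            # compare_digest: constant-time comparison of the two strings
            if hmac.compare_digest(expected, code):
                if counter in self.used_counters:
                    return False  # replayed token: reject it
                self.used_counters.add(counter)
                return True
        return False


# RFC 6238 Appendix B test key "12345678901234567890", base32-encoded the way
# a google-authenticator secret is stored (constructed test value, not a real secret).
RFC6238_SECRET_B32 = base64.b32encode(b"12345678901234567890").decode()

if __name__ == "__main__":
    print("current code for the test key:", totp(RFC6238_SECRET_B32, int(time.time())))
```

The RFC 6238 test vectors (for example 287082 at Unix time 59) let you confirm the derivation without a phone; a code is only ever as secret as the base32 line in ~/.google_authenticator, which is why the file is created readable by its owner only.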

Step 5: Launch the Authenticator App on Your Phone

Open the Google Authenticator app on your phone and scan the QR code shown on the screen. The new user's account now appears in the app.

Step 6: Modify the Configuration File

Open the SSH daemon configuration file in an editor:

sudo nano /etc/ssh/sshd_config

Add the following line at the end of the file:

ChallengeResponseAuthentication yes

This line enables challenge-response authentication for SSH.

Step 7: Modify the PAM Configuration File

Edit the SSH PAM configuration file with this command:

sudo nano /etc/pam.d/sshd

Add the following line at the end of the file:

auth required pam_google_authenticator.so

This line enables the Google Authenticator PAM module for SSH logins.

Step 8: Save Your Changes

Save the changes to both configuration files, then restart the SSH service with the following command:

sudo service ssh restart

This restarts the SSH service so that it loads the modified configuration.

The next time you log in to your Linux system over SSH, you will be asked for the one-time password generated by the Google Authenticator app. Enter it to complete the login.
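Two details of Steps 6 and 7 are easy to get wrong, so here is an added example (not code from the original article) that audits the two configuration files before you restart sshd. First, on OpenSSH 8.7 and later the option is named KbdInteractiveAuthentication and ChallengeResponseAuthentication is an alias for it; sshd honours the first occurrence of a keyword, so if the distribution's default file already contains an uncommented "KbdInteractiveAuthentication no" (recent Ubuntu releases ship one), a line appended at the end is silently ignored. Second, the two lines above alone do not make the code mandatory: a client that presents a valid public key is never sent to PAM, so only password logins get the prompt; requiring both is what "AuthenticationMethods publickey,keyboard-interactive" does, and that setting is also what produces the public-key-then-keyboard-interactive log pair described in the testing section. The sample configuration strings and the function names are this example's own; run the audit functions against the real files with open("/etc/ssh/sshd_config").read() and open("/etc/pam.d/sshd").read().

```python
import re

# ChallengeResponseAuthentication is the pre-8.7 name of KbdInteractiveAuthentication.
ALIASES = {"challengeresponseauthentication": "kbdinteractiveauthentication"}


def parse_sshd_config(text: str) -> dict:
    """Return {keyword: first value} for the global section of an sshd_config.
    sshd uses the FIRST occurrence of a keyword; lines after 'Match' are
    conditional, so parsing stops there. 'Include' directives are not followed."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key = ALIASES.get(parts[0].lower(), parts[0].lower())
        if key == "match":
            break
        if len(parts) == 2 and key not in settings:
            settings[key] = parts[1].strip()
    return settings


def audit_sshd_config(text: str) -> list:
    """Findings that would leave the OTP prompt missing or bypassable."""
    s = parse_sshd_config(text)
    findings = []
    if s.get("kbdinteractiveauthentication", "no").lower() != "yes":
        findings.append("keyboard-interactive (PAM challenge) authentication is not enabled; "
                        "check for an earlier 'no' that overrides the appended line")
    if s.get("usepam", "no").lower() != "yes":
        findings.append("UsePAM is not 'yes', so pam_google_authenticator never runs")
    if "keyboard-interactive" not in s.get("authenticationmethods", ""):
        findings.append("AuthenticationMethods does not require keyboard-interactive: "
                        "a client with a valid key logs in without an OTP prompt")
    return findings


def audit_pam_sshd(text: str) -> list:
    """Check /etc/pam.d/sshd for the google-authenticator line and how it is applied."""
    lines = [l.strip() for l in text.splitlines() if l.strip() and not l.lstrip().startswith("#")]
    ga = [l for l in lines if l.split()[0] == "auth" and "pam_google_authenticator.so" in l]
    if not ga:
        return ["no 'auth ... pam_google_authenticator.so' line in pam.d/sshd"]
    findings = []
    control = ga[0].split()[1]
    if control in ("sufficient", "optional"):
        findings.append(f"control flag '{control}' does not make the OTP mandatory")
    if "nullok" in ga[0].split():
        findings.append("nullok: users who have not run google-authenticator log in without an OTP")
    return findings


# Constructed sample files for this example (not copied from any real host).
PAGE_SSHD = "UsePAM yes\nChallengeResponseAuthentication yes\n"
OVERRIDDEN_SSHD = ("Include /etc/ssh/sshd_config.d/*.conf\nKbdInteractiveAuthentication no\n"
                   "UsePAM yes\nChallengeResponseAuthentication yes\n")
HARDENED_SSHD = ("UsePAM yes\nKbdInteractiveAuthentication yes\nPasswordAuthentication no\n"
                 "AuthenticationMethods publickey,keyboard-interactive\n")
PAGE_PAM = "@include common-auth\nauth required pam_google_authenticator.so\n"
NULLOK_PAM = "@include common-auth\nauth required pam_google_authenticator.so nullok\n"

if __name__ == "__main__":
    for name, cfg in [("page", PAGE_SSHD), ("overridden", OVERRIDDEN_SSHD), ("hardened", HARDENED_SSHD)]:
        print(name, audit_sshd_config(cfg) or "OK")
    print("pam", audit_pam_sshd(PAGE_PAM) or "OK", audit_pam_sshd(NULLOK_PAM))
```

Whatever the audit says, validate the file with "sudo sshd -t" and keep an existing SSH session open while you restart the service, so a mistake in either file does not lock you out.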

Testing Your MFA Setup for SSH Access

After installing and configuring MFA for SSH on your Linux system, it is crucial to test the setup to make sure everything works as intended. Test your MFA configuration for SSH access as follows:

1) Open a new terminal window and use SSH to connect to your Linux machine as usual. For instance:

ssh <username>@<ip_address>

Replace <username> with the username you created earlier and <ip_address> with your Linux system's IP address or hostname. In this example, "victoria" is the username. The output looks like the following figure:

In this example, we log in as the user "victoria" to a remote host with the IP address 192.168.1.100 using the ssh command. The command first asks you to confirm that the remote host is genuine, then prompts for the "victoria" user's password. After successful authentication we see the shell prompt of the remote system, which confirms that the SSH session was established.

2) When prompted, enter the user's password.

3) After entering the password, you are asked for a one-time password. Open the Google Authenticator app on your phone and enter the code shown for the user you set up earlier.

4) If the one-time password is correct, you are logged in to your Linux system. If it is wrong, you are prompted for another code from the MFA app.

5) After logging in, you can inspect the SSH logs to confirm that MFA is working as intended. Run the following command to watch the log:

sudo tail -f /var/log/auth.log

This command displays the SSH authentication log in real time.

In the log, look for a line beginning with "Accepted publickey for <username>", followed by one beginning with "Accepted keyboard-interactive/pam for <username>".

These two lines show that user "victoria" authenticated successfully from the IP address 192.168.0.2 using both a public key and the keyboard-interactive method.

If everything is in order, you can use SSH with MFA enabled to log into your Linux system.
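Reading the log by eye works for one test login; for ongoing checks, here is an added example (not code from the original article) that groups sshd's "Accepted", "Partial" and "Failed" lines by connection and reports three things a defender wants from this log: sessions where the OTP step completed, sessions that finished on a public key alone without any keyboard-interactive step (the OTP was skipped), and repeated OTP failures per source address. OpenSSH logs the first of several required methods as "Partial" rather than "Accepted" when AuthenticationMethods is in use, so both spellings are treated as a passed step. The log lines below are constructed for this example; the function names are this example's own, and on a real system you would pass the contents of /var/log/auth.log to report().

```python
import re

# Constructed sample of /var/log/auth.log lines (no real hosts, keys or traffic).
SAMPLE_AUTH_LOG = """\
Mar  3 10:15:01 host sshd[2101]: Accepted publickey for victoria from 192.168.0.2 port 51234 ssh2: ED25519 SHA256:EXAMPLEFINGERPRINT
Mar  3 10:15:04 host sshd[2101]: Accepted keyboard-interactive/pam for victoria from 192.168.0.2 port 51234 ssh2
Mar  3 10:16:10 host sshd[2150]: Accepted publickey for victoria from 192.168.0.2 port 51250 ssh2: ED25519 SHA256:EXAMPLEFINGERPRINT
Mar  3 10:16:40 host sshd[2300]: Partial publickey for victoria from 192.168.0.5 port 51300 ssh2: ED25519 SHA256:EXAMPLEFINGERPRINT
Mar  3 10:16:44 host sshd[2300]: Accepted keyboard-interactive/pam for victoria from 192.168.0.5 port 51300 ssh2
Mar  3 10:17:30 host sshd[2201]: Failed keyboard-interactive/pam for victoria from 203.0.113.9 port 40001 ssh2
Mar  3 10:17:35 host sshd[2201]: Failed keyboard-interactive/pam for victoria from 203.0.113.9 port 40001 ssh2
Mar  3 10:17:40 host sshd[2201]: Failed keyboard-interactive/pam for victoria from 203.0.113.9 port 40001 ssh2
"""

# sshd's authentication result line: "<status> <method>[/<submethod>] for [invalid user ]<user> from <ip> port <port>"
LINE_RE = re.compile(
    r"sshd\[(?P<pid>\d+)\]: (?P<status>Accepted|Partial|Failed) "
    r"(?P<method>[\w-]+(?:/\w+)?) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port (?P<port>\d+)"
)


def parse_auth_log(text: str) -> dict:
    """Group (status, method) events by connection: (pid, user, ip, port)."""
    sessions = {}
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            key = (m["pid"], m["user"], m["ip"], m["port"])
            sessions.setdefault(key, []).append((m["status"], m["method"]))
    return sessions


def classify(events: list) -> str:
    """mfa-complete: OTP step accepted; login-without-otp: an Accepted
    method finished the login with no keyboard-interactive step;
    incomplete: only Partial steps; failed: nothing accepted."""
    if any(st == "Accepted" and meth.startswith("keyboard-interactive") for st, meth in events):
        return "mfa-complete"
    if any(st == "Accepted" for st, meth in events):
        return "login-without-otp"
    if any(st == "Partial" for st, meth in events):
        return "incomplete"
    return "failed"


def report(text: str) -> dict:
    """Summarise a log: who completed MFA, who skipped it, and OTP failures per IP."""
    out = {"mfa_complete": [], "login_without_otp": [], "otp_failures_by_ip": {}}
    for (pid, user, ip, port), events in parse_auth_log(text).items():
        outcome = classify(events)
        if outcome == "mfa-complete":
            out["mfa_complete"].append((user, ip))
        elif outcome == "login-without-otp":
            out["login_without_otp"].append((user, ip))
        fails = sum(1 for st, meth in events
                    if st == "Failed" and meth.startswith("keyboard-interactive"))
        if fails:
            out["otp_failures_by_ip"][ip] = out["otp_failures_by_ip"].get(ip, 0) + fails
    return out


if __name__ == "__main__":
    for section, value in report(SAMPLE_AUTH_LOG).items():
        print(section, value)
```

A non-empty login_without_otp list after the change is the clearest sign that public-key logins are not being routed through PAM (see the AuthenticationMethods note above); a climbing otp_failures_by_ip count for one address is what the rate-limiting option chosen in Step 4 is there to slow down.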

FAQs on Installing and Enabling SSH Multi-Factor Authentication

Why is enabling MFA for SSH important?

Enabling MFA for SSH enhances the security of your remote Linux systems. It adds another layer of protection, reducing the risk of unauthorized access even if passwords are compromised.

What are the common authentication factors used in SSH MFA? 

Common authentication factors for SSH MFA include passwords, SSH keys, hardware tokens, software-based tokens, and biometric data (such as fingerprints or facial recognition).

Which tools can be used for implementing SSH MFA on Linux systems? 

Several tools can be used to implement SSH MFA on Linux systems, including Google Authenticator, FreeOTP, and Duo Security.

What are the general steps to enable SSH MFA on Linux systems?

Enabling SSH MFA typically involves installing an MFA-related tool, configuring SSH to use MFA, configuring user accounts for MFA, and testing the authentication process.

Can I enable SSH MFA for all user accounts on a Linux system? 

Yes, you can enable SSH MFA for all user accounts on a Linux system. However, it's important to consider the impact on user experience and administrative requirements before enabling MFA for all users.

Do I need to set up SSH key pairs in addition to SSH MFA?

SSH key pairs can be used alongside SSH MFA, providing an additional layer of security. SSH keys are used for public key authentication, while MFA adds another factor, such as a code generated by an authentication app or a fingerprint scan.

What are the advantages of SSH MFA? 

Advantages of SSH MFA include enhanced security by requiring multiple authentication factors, reduced risk of unauthorized access even if passwords are compromised, and compatibility with various authentication methods and MFA tools.

Conclusion

By providing an additional layer of authentication, implementing Multi-Factor Authentication (MFA) for SSH access on your Linux server can greatly improve the security of your system. By requiring users to supply a one-time password in addition to their usual password, MFA makes it far more difficult for attackers to access your system.

If you have any questions or doubts, please leave them in the comments below. We'll be happy to address them.