This article walks you through enforcing 2FA for SSH logins on Ubuntu using Google Authenticator.
All of these steps are completed on the system on which you want 2FA to be enforced.
Important notes:
* SSH key-based logins bypass the 2FA component of the login verification process.
* Users who have not configured google-authenticator will not be able to log in (except with a key).
Install the required packages:
sudo apt update
sudo apt upgrade
sudo apt install libpam-google-authenticator
Add a new line to the “/etc/pam.d/sshd” file:
echo "auth required pam_google_authenticator.so" | sudo tee -a /etc/pam.d/sshd
Edit the “/etc/ssh/sshd_config” file and replace this:
ChallengeResponseAuthentication no
with this:
ChallengeResponseAuthentication yes
Restart SSH:
sudo systemctl restart sshd.service
Complete the remainder as the user on the remote system that you want to log in as.
Execute the following command:
/usr/bin/google-authenticator
This is where it gets very cool. My advice is to make your terminal window large. The above command will present a QR code in text form. It can be large.
Scan the QR code like you would with any such system, adding a new entry to your Google Authenticator app.
The “google-authenticator” command above takes you through a wizard. The following responses are sensible; I’ve answered as follows:
Do you want authentication tokens to be time-based (y/n) y
Do you want me to update your "/root/.google_authenticator" file? (y/n) y
your chances to notice or even prevent man-in-the-middle attacks (y/n) y
Do you want to do so? (y/n) n
Do you want to enable rate-limiting? (y/n) y
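A pre-flight audit for the setup above, added here as an example (it is not from the original article or the tutorials it cites): it checks that the PAM line and the sshd option are active and lists accounts that still lack a ".google_authenticator" file and would therefore be limited to key-based login. The function names, the UID cut-off of 1000 and the check for the newer KbdInteractiveAuthentication keyword are assumptions of this example.

```shell
#!/usr/bin/env bash
# Added example: audit the 2FA setup. File paths are arguments so the checks
# can also be run against copies of the real files.

# True if an active (uncommented) auth line loads pam_google_authenticator.so.
pam_has_totp() {
    grep -Eq '^[[:space:]]*auth[[:space:]].*pam_google_authenticator\.so' "$1"
}

# True if the first active challenge-response keyword is "yes" (sshd keeps the
# first value it reads). KbdInteractiveAuthentication is the newer OpenSSH name
# for the same option. Assumptions: a missing keyword counts as a failure so
# the setting is explicit, and Include'd files are not followed.
sshd_challenge_enabled() {
    awk 'tolower($1) ~ /^(challengeresponse|kbdinteractive)authentication$/ {
             found = 1; rc = (tolower($2) == "yes") ? 0 : 1; exit rc }
         END { if (!found) exit 1 }' "$1"
}

# Print root and regular accounts (assumed UID >= 1000) with a login shell
# whose home directory has no .google_authenticator file.
users_without_totp() {
    while IFS=: read -r name pw uid gid gecos home shell; do
        [ "$uid" -eq 0 ] || [ "$uid" -ge 1000 ] || continue
        case "$shell" in */nologin|*/false) continue ;; esac
        [ -f "$home/.google_authenticator" ] || printf '%s\n' "$name"
    done < "$1"
}

# Usage: audit_2fa PAM_FILE SSHD_CONFIG PASSWD_FILE; non-zero on any finding.
audit_2fa() {
    rc=0
    pam_has_totp "$1" || { echo "FAIL: no pam_google_authenticator.so in $1"; rc=1; }
    sshd_challenge_enabled "$2" || { echo "FAIL: challenge-response off in $2"; rc=1; }
    missing=$(users_without_totp "$3" | tr '\n' ' ')
    [ -z "$missing" ] || { echo "WARN: no TOTP secret for: $missing"; rc=1; }
    return "$rc"
}

# Constructed sample data: alice has run the wizard, bob has not.
demo() {
    d=$(mktemp -d); mkdir -p "$d/alice" "$d/bob"; : > "$d/alice/.google_authenticator"
    echo 'auth required pam_google_authenticator.so' > "$d/pam"
    echo 'ChallengeResponseAuthentication yes' > "$d/sshd_config"
    printf 'alice:x:1000:1000::%s/alice:/bin/bash\nbob:x:1001:1001::%s/bob:/bin/bash\n' "$d" "$d" > "$d/passwd"
    audit_2fa "$d/pam" "$d/sshd_config" "$d/passwd" || echo "audit returned $?"; rm -rf "$d"
}
if [ "$#" -eq 3 ]; then audit_2fa "$@"; else demo; fi
```

On the real system, run it as root with the arguments /etc/pam.d/sshd /etc/ssh/sshd_config /etc/passwd so that other users' home directories are readable.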
This article is largely based on the work at “https://ubuntu.com/tutorials/configure-ssh-2f”, “https://blog.kasraeian.com/2018/04/ssh-2fa-on-linux/” and “https://pimylifeup.com/setup-2fa-ssh/”.
Confirmed to work with other authenticator apps.