You can never be too careful when it comes to online security, especially if you’re dealing with highly sensitive data. Adding an extra layer of security to your Linux server can only be a good thing.

This guide works for Ubuntu 14.04, 14.10 and 15.04.

Google Authenticator is a security application that implements time-based security tokens, an approach also known as ‘two-factor authentication’. Every time you log in through SSH, you will be asked for your username, your password and a security code, which the Google Authenticator application regenerates every 30 seconds. This means that even if an attacker knows your username and password, he still won’t be able to log in.

The Google Authenticator application is mainly available for smartphones (Android/iOS), but if you don’t have one, you can still use it through:

Authy – Chrome extension
WinAuth – Windows application

Assuming you already have an SSH server installed, let’s get started. If not, you can install it with:

sudo apt-get install openssh-server

Install Google Authenticator package

Open a terminal window (or log in through SSH) and run the following command:

sudo apt-get update && sudo apt-get install libpam-google-authenticator

Configure SSH server to request security token

Edit the PAM ssh config file:

sudo nano /etc/pam.d/sshd

Add the following line right under @include common-auth:

auth required pam_google_authenticator.so

Edit the sshd config file:

sudo nano /etc/ssh/sshd_config

Find these lines and set them as follows (remove the # in front of a line if there is one):

ChallengeResponseAuthentication yes
PasswordAuthentication yes
UsePAM yes

Restart the ssh server:

sudo service ssh restart

Generate QR Code

To have Google Authenticator request the security token upon login, open a terminal as that user and run:

google-authenticator

Press Y for every question you are asked. A QR code will also be generated; you can scan it with your smartphone, or enter the secret key manually.


Now, every time you log in, you will have to enter the security code generated by the Google Authenticator application on your smartphone.
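
A check for the steps above, as an added example that is not part of the original guide: it confirms that the three sshd_config settings are active, that the PAM line sits after @include common-auth, and that the user has a secret file. The function names are hypothetical, and ~/.google_authenticator is assumed as the secret file location (the tool's default, not stated in the guide).

```shell
#!/bin/sh
# Added example (not from the original guide): audit the files the guide edits.
# Function names are hypothetical.

# Print the global value of an sshd_config keyword, lowercased. sshd keeps the
# FIRST value it reads for a keyword, and keyword names are case-insensitive.
sshd_value() {    # $1 = sshd_config path, $2 = keyword
  awk -v key="$2" '
    $1 ~ /^#/ { next }                  # commented-out settings do not count
    tolower($1) == "match" { exit }     # only the global section is checked
    tolower($1) == tolower(key) { print tolower($2); exit }
  ' "$1"
}

# Succeed only if the module line is active and comes after common-auth.
pam_has_totp() {  # $1 = PAM service file
  awk '
    $1 ~ /^#/ { next }
    $1 == "@include" && $2 == "common-auth" { included = 1 }
    included && $1 == "auth" && $2 == "required" && $3 == "pam_google_authenticator.so" { found = 1 }
    END { exit (found ? 0 : 1) }
  ' "$1"
}

# Report every failed check; return 0 only if all of them pass.
# A keyword that is missing or still commented out is reported as a failure,
# because the guide sets all three explicitly.
audit_2fa() {     # $1 = sshd_config, $2 = PAM sshd file, $3 = user's secret file
  rc=0
  for key in ChallengeResponseAuthentication PasswordAuthentication UsePAM; do
    if [ "$(sshd_value "$1" "$key")" != "yes" ]; then
      echo "FAIL: $key is not explicitly set to yes in $1"; rc=1
    fi
  done
  pam_has_totp "$2" ||
    { echo "FAIL: no active pam_google_authenticator.so line after common-auth in $2"; rc=1; }
  [ -s "$3" ] ||
    { echo "FAIL: $3 is missing; run google-authenticator as that user"; rc=1; }
  [ "$rc" -eq 0 ] && echo "OK: sshd, PAM and the user's secret file are in place"
  return "$rc"
}

# Usage: sh audit.sh /etc/ssh/sshd_config /etc/pam.d/sshd "$HOME/.google_authenticator"
if [ "$#" -eq 3 ]; then audit_2fa "$@"; fi
```

Run it from the session you already have open, and keep that session open until a second login with the security code has succeeded.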


Secure a SSH Login with Google Authenticator on Ubuntu 15.04