You can never be too careful when it comes to online security, especially if you’re dealing with highly sensitive data. Adding an extra layer of security to your Linux server can only be a good thing.
This guide works for Ubuntu 14.04, 14.10 and 15.04.
Google Authenticator is a security application that implements time-based security tokens, an approach also known as ‘two-factor authentication’. Every time you log in through SSH, you will be asked for your username, password and a security code, which the Google Authenticator application regenerates every 30 seconds. This means that even if an attacker knows your username and password, they still won’t be able to log in.
The Google Authenticator application is mainly available for smartphones (Android/iOS) but if you don’t have one, you can still use it through:
Assuming you already have an SSH server installed, let’s get started. If not, you can install it with:
sudo apt-get install openssh-server
Install Google Authenticator package
Open a terminal window (or log in through SSH) and run the following command:
sudo apt-get update && sudo apt-get install libpam-google-authenticator
Configure SSH server to request security token
Edit the PAM ssh config file:
sudo nano /etc/pam.d/sshd
Add the following line right under @include common-auth:
auth required pam_google_authenticator.so
Edit the sshd config file:
sudo nano /etc/ssh/sshd_config
Search and edit these lines accordingly (make sure to remove the # in front of the lines if any):
Restart the ssh server:
sudo service ssh restart
Generate QR Code
To have Google Authenticator request the security token upon login, open a terminal as that user and run:
Press Y for every question you are asked. A QR code will also be generated; scan it with your smartphone, or enter the secret key manually.
Now, every time you log in, you will have to enter the secret code generated by the Google Authenticator application on your smartphone.
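How the 30-second code is derived from the secret key, and how a server can check it, shown as an added example (not code from this guide or from the Google Authenticator project). It follows RFC 6238 with HMAC-SHA1 and 6 digits; the function names, the sample secret and the one-step tolerance for clock drift are assumptions made for illustration.

```python
import base64
import hashlib
import hmac
import struct
import time

STEP = 30    # seconds each code is valid for (the 30-second interval above)
DIGITS = 6   # length of the code shown by the app


def totp(secret_b32, now=None, step=STEP, digits=DIGITS):
    """Return the RFC 6238 code (HMAC-SHA1) for the given Unix time."""
    s = secret_b32.replace(" ", "").upper()
    s += "=" * (-len(s) % 8)                    # secrets are often unpadded
    key = base64.b32decode(s)
    counter = int((time.time() if now is None else now) // step)
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                     # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def verify(secret_b32, code, now=None, window=1):
    """Accept the current step plus `window` steps either side (clock drift)."""
    now = time.time() if now is None else now
    matched = False
    for drift in range(-window, window + 1):
        expected = totp(secret_b32, now + drift * STEP)
        # compare_digest avoids leaking how many digits matched via timing
        matched |= hmac.compare_digest(expected.encode(), code.encode())
    return matched


if __name__ == "__main__":
    # Constructed sample secret: base32 of the RFC 6238 test key
    # "12345678901234567890". Never use it for a real account.
    secret = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
    print("current code:", totp(secret))
    print("valid now?  ", verify(secret, totp(secret)))
```

Because the code depends only on the secret key and the clock, anyone who obtains the key or the QR code can generate valid codes, and a server or phone with a badly skewed clock will reject correct ones.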