Enable 2FA for Ubuntu
Note: Do not log out of the system before testing is complete.
- Installing the Google Authenticator PAM module
sudo apt install libpam-google-authenticator
- Configuring SSH
Add the following line at the end of the /etc/pam.d/sshd file:
auth required pam_google_authenticator.so
- Enable Challenge Response Authentication
- Disable password authentication
- Restart the sshd daemon
sudo systemctl restart sshd.service
Configuring authentication for user
In a terminal, run the following command:
Answer using the recommended configuration:
Make tokens “time-based”: yes
Update the .google_authenticator file: yes
Disallow multiple uses: yes
Increase the original generation time limit: no
Enable rate-limiting: yes
Use Authy to scan the QR code and save it.
- Disable the user's authorized_keys using the root account
cd ~user
mv .ssh/authorized_keys .ssh/authorized_
- Connect as the user using SSH
Note: Use Authy to generate the verification code.
ssh host.example.com
Password:
Verification code:
Welcome to Ubuntu 20.04.3 LTS (GNU/Linux 5.4.0-90-generic x86_64)
- Enable authorized_keys
mv .ssh/authorized_ .ssh/authorized_keys
- Connect as the user again using SSH
$ ssh host.example.com
Welcome to Ubuntu 20.04.3 LTS (GNU/Linux 5.4.0-90-generic x86_64)
$ sudo -i
[sudo] password for user:
#
Disabling SSH PasswordAuthentication has no effect; the password is still required.
Enabling public key authentication with authorized_keys bypasses the 2FA verification code; this is useful for service accounts.
Do not configure sudo; /etc/pam.d/sudo is not modified, especially when sudo is used for passwordless execution, such as when running in services.
Console access will not use 2FA, because this configuration is for SSH only.
Configure SSH to use two-factor authentication
How To Set Up Multi-Factor Authentication for SSH on Ubuntu 20.04
Note: This was not successful; the document is wrong at the following point. I think the second publickey should not be there.
AuthenticationMethods publickey,password publickey,keyboard-interactive
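How sshd reads an AuthenticationMethods value such as the line above, as an added example that is not from this page or the referenced guide: lists are separated by spaces and are alternatives, while the comma-separated methods inside one list must all be completed in the order given. The function names and the VARIANT value (the line with the second publickey removed) are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: models sshd's AuthenticationMethods evaluation.
# Function names and sample values are constructed for illustration.

# next_methods VALUE COMPLETED
# Prints the methods sshd would offer next, given the comma-separated
# methods already completed ("" at the start of a login).
next_methods() {
    value=$1; completed=$2; offered=""
    for list in $value; do
        if [ -z "$completed" ]; then
            rest=$list
        else
            case "$list" in
                "$completed",*) rest=${list#"$completed",} ;;  # list continues
                *) continue ;;          # list finished or not on this path
            esac
        fi
        next=${rest%%,*}                # first method still outstanding
        case " $offered " in
            *" $next "*) ;;             # already offered by another list
            *) offered="$offered $next" ;;
        esac
    done
    printf '%s\n' "${offered# }"
}

# auth_complete VALUE COMPLETED
# Succeeds only when COMPLETED is exactly one whole list from VALUE.
auth_complete() {
    for list in $1; do
        if [ "$list" = "$2" ]; then return 0; fi
    done
    return 1
}

# The value quoted above, and a constructed variant without the second publickey.
PAGE='publickey,password publickey,keyboard-interactive'
VARIANT='publickey,password keyboard-interactive'

for v in "$PAGE" "$VARIANT"; do
    echo "AuthenticationMethods $v"
    echo "  offered first:          $(next_methods "$v" "")"
    echo "  offered after publickey: $(next_methods "$v" "publickey")"
    if auth_complete "$v" "keyboard-interactive"; then
        echo "  keyboard-interactive alone: login completes"
    else
        echo "  keyboard-interactive alone: not sufficient"
    fi
done
```

To compare against a running server, `sudo sshd -T | grep -i authenticationmethods` prints the effective value.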