How to enable SSH 2FA on Ubuntu Server 22.04

When you open your Linux servers up for SSH login, there’s always a chance someone could break into that server and do bad things. You don’t want that, but how do you prevent such a reality? One way is to enable two-factor authentication on the server. Once enabled, only those with the properly generated 2FA codes (along with their regular credentials) will be given access.

How do you set up SSH 2FA on your Ubuntu Server? Let me show you.

SEE: 40+ open source and Linux terms you need to know (TechRepublic Premium)

What you’ll need

The only things you’ll need to make this work are:

• A running instance of Ubuntu Server 22.04.
• A user with sudo privileges.

That’s it — let’s make some 2FA magic.

How to install the necessary software

The first thing to do is install a single package: Google Authenticator. This is a command-line tool that makes it possible to add 2FA authentication on your server.

Log into your Ubuntu instance and issue the command:

sudo apt-get install libpam-google-authenticator -y

You’ll then need to run the command to create a secret key. That command is:

google-authenticator

You’ll be asked if you want authentication tokens to be time-based, which you want. Type y and hit Enter on your keyboard. You will then be presented with a QR code that can be scanned by your 2FA application.

There’s one gotcha with this: If you’re logged directly into the terminal of the physical machine in question, you might not be able to see the entire code. Your best bet is to log in via SSH, so you can resize the terminal to view the entire QR code (Figure A).

Figure A

Scan the QR code with your 2FA app (such as Authy) or type the secret key if the code is too large for the app to scan and hit enter. You will then be prompted to type the code from the app so the account can be confirmed. Once confirmed, you will see the emergency codes for 2FA. Make sure to copy and save them in a safe place such as a password manager and then type y when prompted to update the ~/.google_authenticator file. Next, you’ll be prompted to disallow multiple uses of the same authentication token. Go ahead and type y to accept this, as it can help prevent man-in-the-middle attacks. When prompted, type y for the last question to allow up to a 30-second time-skew between the authentication server and client.

You will also want to enable rate-limiting when prompted by typing y, which limits attackers to no more than three login attempts every 30 seconds.

How to configure the SSH daemon for 2FA

Now that 2FA is installed and configured, we also have to configure the SSH daemon to make use of it. Open the SSH daemon configuration file with:

sudo nano /etc/ssh/sshd_config

First, locate the following line and make sure it is set to yes:

UsePAM yes

Next, locate the following line and change no to yes:

KbdInteractiveAuthentication no

Save and close the file.

Note: In Ubuntu releases prior to 22.04, the above line will be:

ChallengeResponseAuthentication yes

Next, open the PAM configuration file with:

sudo nano /etc/pam.d/sshd

Under the line @include common-auth, add the following line:

auth   required   pam_google_authenticator.so

Save and close the file.

Restart the SSH daemon with:

sudo systemctl restart sshd

Next, open a new terminal window and attempt to log into the remote machine. You will first be prompted for your user password and then prompted for the 2FA code. Upon successfully typing the 2FA code, you should be allowed access to the server.

How to enable 2FA with SSH Key Authentication

If you use SSH Key Authentication (and you should), there’s an extra step you must take. On the server, open the SSH daemon config file with:

sudo nano /etc/ssh/sshd_config

At the bottom of that file, add the following line:

AuthenticationMethods publickey,keyboard-interactive

Save and close the file.

Restart SSH with:

sudo systemctl restart sshd

Once you’ve verified SSH Key Authentication works, you can disable password authentication by opening the SSH configuration with:

sudo nano /etc/ssh/sshd_config

Locate the following line:

PasswordAuthentication yes

Change that to:

PasswordAuthentication no

Restart SSH with:

sudo systemctl restart sshd

Congratulations, you’ve just configured Ubuntu Server 22.04 for a much more secure SSH login process. Just make sure as you do this that you’re testing via a second terminal window, so you can remain logged into the original should anything go wrong (and you can reset the configurations). Enjoy that extra layer of security.

Subscribe to TechRepublic’s How To Make Tech Work on YouTube for all the latest tech advice for business pros from Jack Wallen.