11 Steps to Secure Your Servers Part 8: Two-Factor Authentication

Part 8 in this series on server security from Inversoft's 2016 Guide to User Data Security covers setting up two-factor authentication.

by Kelly Strain
Jun. 30, 16 · Performance Zone · Tutorial

This is part 8 of a series of posts on server security from Inversoft's 2016 Guide to User Data Security.

Since we are going for über security, let's get crazy and add one more layer of authentication to your remote access. Add two-factor authentication to the server; this will require users to type in a 6-digit code from their mobile phone in order to log in. Even if a user's private key is compromised, two-factor authentication ensures a hacker would still need the user's mobile phone to log into the server.

First, you will need to install a two-factor app on your smartphone. There are many two-factor applications available for iOS and Android. Next, install the Google Authenticator two-factor PAM module on the server by executing this command in the root user terminal:

$ apt-get install libpam-google-authenticator

Edit the PAM configuration file for SSH like this:

$ nano /etc/pam.d/sshd

Add this line to the top of the file:

auth [success=done new_authtok_reqd=done default=die] pam_google_authenticator.so nullok

Save this file and then open the SSH configuration file like this:

$ nano /etc/ssh/sshd_config

Find and modify or add the configuration parameters below:

ChallengeResponseAuthentication yes
AuthenticationMethods publickey,keyboard-interactive

Before enabling this module for a user, install the network time system so that the server's clock is continuously synchronized with reference time servers. Since the two-factor authentication system uses a time-based algorithm, this will ensure that the server clock remains in sync with your smartphone; if the two clocks drift apart by more than the configured skew window, valid codes will be rejected. To install this package, type this command:

$ apt-get install ntp

Now restart the SSH service to pick up these changes like this:

$ service ssh restart

Finally, log into the ordinary user account and execute this command to enable two-factor authentication:

$ google-authenticator -l 'your-username@Application Server'

This will display a QR code that you can scan from the two-factor authentication app on your smartphone. It will also ask you additional questions to determine how you want to handle time skew and brute-force login attempts. Additionally, there will be 5 emergency scratch codes generated for your account. You should write these down in a secure location such as iCloud Secure Notes.

Before logging out of this terminal, open a new terminal window and verify that you can still log in to the ordinary user account with your SSH key and the two-factor code from your smartphone. If you ever have problems logging in, you can use one of the scratch codes that you saved above. This will grant you access to your account and allow you to fix the two-factor authentication issue.

If you install the two-factor authentication as described above and a user doesn't enable it for their account, everything will still work fine. They will be able to log in using just their SSH key.
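One way to apply the PAM and sshd_config edits above from a script, as an added example that is not the article's code or part of the Inversoft project: it is idempotent (safe to rerun without duplicating lines), keeps a backup of each file, and only restarts SSH after sshd has validated the new configuration. The file paths are parameters (defaulting to the real ones) so the functions can be exercised on copies.

```shell
# Added example: idempotently apply the two-factor settings described above.
set -eu

PAM_LINE='auth [success=done new_authtok_reqd=done default=die] pam_google_authenticator.so nullok'

# Insert the PAM line at the top of /etc/pam.d/sshd unless it is already present.
add_pam_line() {
  pam_file="$1"
  if grep -qF 'pam_google_authenticator.so' "$pam_file"; then
    return 0
  fi
  cp -p "$pam_file" "$pam_file.bak"
  { printf '%s\n' "$PAM_LINE"; cat "$pam_file"; } > "$pam_file.tmp"
  mv "$pam_file.tmp" "$pam_file"
}

# Set "Key value" in sshd_config, replacing an existing (possibly commented-out)
# line so the option appears exactly once. Note: an appended option lands after
# any "Match" block, so check the tail of the file if you use Match sections.
set_sshd_option() {
  config="$1" key="$2" value="$3"
  if grep -qE "^[[:space:]]*#?[[:space:]]*${key}[[:space:]]" "$config"; then
    sed -i.bak -E "s|^[[:space:]]*#?[[:space:]]*${key}[[:space:]].*|${key} ${value}|" "$config"
  else
    printf '%s %s\n' "$key" "$value" >> "$config"
  fi
}

# Number of active (uncommented) lines setting a key; should be 1 after configuring.
count_option() {
  grep -cE "^${2}[[:space:]]" "$1" || true
}

configure_ssh_2fa() {
  pam_file="${1:-/etc/pam.d/sshd}" config="${2:-/etc/ssh/sshd_config}"
  add_pam_line "$pam_file"
  set_sshd_option "$config" ChallengeResponseAuthentication yes
  set_sshd_option "$config" AuthenticationMethods 'publickey,keyboard-interactive'
}

# Restart only if sshd accepts the file, so a typo cannot lock you out of the server.
restart_if_valid() {
  config="${1:-/etc/ssh/sshd_config}"
  if sshd -t -f "$config"; then
    service ssh restart
  else
    echo "sshd configuration invalid, not restarting" >&2
    return 1
  fi
}
```

Run `configure_ssh_2fa` as root on the live files, then `restart_if_valid`; keep an existing SSH session open until a fresh login with key plus code has succeeded.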

Find our GitHub project here: https://github.com/inversoft/2016-security-scripts. This project contains a set of scripts you can execute from your local computer to secure a remote server.


Published at DZone with permission of Kelly Strain. See the original article here.
