How to Protect SSH With Multi-Factor Authentication on Ubuntu 16.04
Learn how to protect your SSH with MFA.
Multi-factor Authentication (MFA) is a process of confirming the identity of a user in a system by validating two or more pieces of login information. While MFA is commonly used in GUI-based systems, it works pretty well on Linux servers.
MFA can strengthen the security of your Linux server by compensating for the weaknesses of a single form of authentication, e.g. passwords that can be broken by brute force or other methods.
MFA relies on the fact that no single authentication method is perfect, so it combines factors from three basic categories:
- Something the user knows, for instance, a Personal Identification Number (PIN) or a password.
- Something the user has, such as a mobile device capable of receiving one-time verification codes.
- Something the user is, such as biometric identification: fingerprints, facial recognition or voice recognition.
Any server holding classified information (e.g. financial data) should implement MFA for compliance purposes and to minimize threats from hackers.
In this article, we will show you how to enable Multi-factor Authentication on your Ubuntu 16.04 server running on Alibaba Cloud Elastic Compute Service (ECS).
We will use the Google Authenticator Pluggable Authentication Module (PAM) to accomplish the task.
- A valid Alibaba Cloud account. If you are a new Alibaba Cloud user, you can sign up and get a free trial of over 40 cloud products worth up to $1200.
- An Alibaba Cloud ECS instance running Ubuntu 16.04 Operating System.
- A non-root user that can perform sudo tasks.
Step 1: Connecting to Your Alibaba ECS Instance
Locate the public IP address associated with your Alibaba ECS instance and log in to your server via an SSH client.
Step 2: Installing Google Authenticator PAM Module
The Google Authenticator PAM module is software that verifies logins using a one-time password (OTP). The module works hand in hand with a mobile OTP generator app available for iOS, Android and BlackBerry phones.
So, before you install the module on your Linux server, download the app from the App Store, Play Store, or BlackBerry World, depending on the operating system of your mobile phone.
Next, we need to install the PAM module on the server. It is available in the Ubuntu software repository, and we can install it using the apt command. Before we do this, let's update the package information index:
$ sudo apt-get update
Then, run the command below to install the software:
$ sudo apt-get install libpam-google-authenticator
Press Y and hit Enter when prompted to continue.
Step 3: Creating Secret Keys for Users
We can now go ahead and create secret keys for users using a helper app that comes with the PAM module.
Please note, this is not a system-wide key. You must generate a new key for each user that requires multi-factor authentication.
While logged in as the user that you want to enable MFA for, run the helper command that ships with the package:
$ google-authenticator
The helper app will ask you if you want authentication tokens to be time-based. Press Y and hit Enter.
Do you want authentication tokens to be time-based (y/n) y
Next, a new secret key and a QR code will be generated as shown below. You can either enter this key manually on your phone or scan the QR code with your Google Authenticator app that you downloaded earlier.
Five emergency scratch codes are provided. Keep them in a secure place, because you can use them to gain access to your system should you lose access to your Google Authenticator app. Each scratch code can only be used once.
Then, press Y and hit Enter to answer the question below:
Do you want me to update your "/home/<username>/.google_authenticator" file (y/n) y
This allows the module to save the key in the .google_authenticator file of the currently logged-in user.
Next, answer Y to the question below so that a code expires as soon as it has been used. This prevents a replay attack should a previously used code fall into the wrong hands.
Do you want to disallow multiple uses of the same authentication token? This restricts you to one login about every 30s, but it increases your chances to notice or even prevent man-in-the-middle attacks (y/n) y
Next, answer n in order to allow only three valid codes for a 1:30 min window period:
By default, tokens are good for 30 seconds and in order to compensate for possible time-skew between the client and the server, we allow an extra token before and after the current time. If you experience problems with poor time synchronization, you can increase the window from its default size of 1:30min to about 4min. Do you want to do so (y/n)n
To limit users to only three login attempts in a time span of 30 seconds, answer Y on the below question. This will prevent brute-force attacks:
If the computer that you are logging into isn't hardened against brute-force login attempts, you can enable rate-limiting for the authentication module. By default, this limits attackers to no more than 3 login attempts every 30s. Do you want to enable rate-limiting (y/n) y
The Google PAM module is now configured for the current user.
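To confirm that the answers you gave the helper actually landed in the user's secret file, here is an added shell check. It is not part of the original article or of the google-authenticator project; it assumes the file layout the helper writes (the base32 secret on line 1, option lines beginning with a double quote and a space, and the 8-digit emergency scratch codes on the remaining lines), and the sample file in the usage is constructed.

```shell
#!/bin/sh
# Added example (not from the article): sanity-check a user's ~/.google_authenticator
# after running the helper, so the options chosen in Step 3 (time-based tokens,
# reuse disallowed, rate limiting) are confirmed to be on disk.
# Assumed layout: line 1 = base32 secret, option lines start with '" ',
# the remaining 8-digit lines are unused emergency scratch codes.

# Print how many unused scratch codes remain (one 8-digit code per line).
ga_scratch_codes_left() {
    grep -Ec '^[0-9]{8}$' "$1" || true
}

# Return 0 when the file looks correctly set up, 1 otherwise; reasons go to stderr.
check_ga_file() {
    f="$1"
    rc=0
    if [ ! -f "$f" ]; then
        echo "missing secret file: $f" >&2
        return 1
    fi
    # The helper writes the file mode 0400; anything group/world readable leaks the seed.
    perm=$(ls -ld "$f" | cut -c1-10)
    case "$perm" in
        -r--------|-rw-------) ;;
        *) echo "permissions too open ($perm); expected 0400" >&2; rc=1 ;;
    esac
    # Line 1 must be a base32 secret (A-Z, 2-7), at least 16 characters long.
    if ! head -n 1 "$f" | grep -Eq '^[A-Z2-7]{16,}$'; then
        echo "first line is not a base32 secret" >&2; rc=1
    fi
    # Each option the walkthrough answers "y" to shows up as its own option line.
    for opt in TOTP_AUTH DISALLOW_REUSE RATE_LIMIT; do
        if ! grep -Eq "^\" $opt( |\$)" "$f"; then
            echo "option $opt not set (re-run the helper and answer y)" >&2; rc=1
        fi
    done
    left=$(ga_scratch_codes_left "$f")
    if [ "$left" -eq 0 ]; then
        echo "no emergency scratch codes left; generate a new secret" >&2; rc=1
    fi
    return $rc
}

# Usage: check the current user's file (constructed path; run as the enrolled user).
# check_ga_file "$HOME/.google_authenticator" && echo "secret file OK"
```

Run it as the enrolled user right after the helper finishes; a non-zero exit with a message on stderr tells you which answer or permission needs fixing before you touch the SSH configuration.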
Step 4: Configuring SSH to Support MFA
Next, we are going to configure SSH to support MFA. First, we are going to edit the file /etc/pam.d/sshd using the nano editor. Run the command below:
$ sudo nano /etc/pam.d/sshd
Then, add the below line at the bottom of the file:
auth required pam_google_authenticator.so nullok
The value nullok allows users who have not yet generated a secret key (that is, who have no .google_authenticator file) to log in without a verification code. You should delete this value once you have completely set up MFA for all users on your Ubuntu 16.04 server, to make the verification code mandatory when logging in.
The line will look like this without the value:
auth required pam_google_authenticator.so
Press CTRL+X, Y, and Enter to save the file:
Next, we will configure the SSH daemon to accept Google PAM authentication:
$ sudo nano /etc/ssh/sshd_config
Find the line starting with ChallengeResponseAuthentication and change its value from no to yes, so it reads ChallengeResponseAuthentication yes.
Restart the SSH daemon for the changes to take effect:
$ sudo systemctl restart sshd
Step 5: Testing Multi-Factor Authentication
You can now open another terminal window and try to SSH to your Ubuntu 16.04 server. Now, apart from the password prompt, you will be required to enter a verification code, which you must obtain from your Google Authenticator app (two forms of authentication).
Please note, if you have created an SSH key for the user (you can refer to this guide under the section about creating an authentication key pair for logging in to your Ubuntu 16.04 server), you will not be prompted to enter a password or a verification code. This is because the SSH key overrides all other authentication methods.
To disable this default behavior, open the /etc/ssh/sshd_config file again:
$ sudo nano /etc/ssh/sshd_config
At the bottom of the file, add the line below:
AuthenticationMethods publickey,password publickey,keyboard-interactive
This tells SSH that we need all three forms of authentication: a public key, password, and keyboard-interactive.
Restart SSH daemon again:
$ sudo systemctl restart sshd
Now, if you try to log in again, you will be authenticated using your public key, but you will still be prompted to enter your password and the verification code from the Google Authenticator app.
That is, three forms of authentication:
Using username "johndoe".
Authenticating with public key "johndoe"
Further authentication required
Using keyboard-interactive authentication.
Password: <enter password>
Using keyboard-interactive authentication.
Verification code: <enter verification code>
If you don't want to supply a password during authentication, open the PAM configuration file /etc/pam.d/sshd again:
$ sudo nano /etc/pam.d/sshd
Comment out the line @include common-auth by adding a pound (#) symbol at the beginning, so that it reads #@include common-auth.
Save and close the file by pressing CTRL+X, Y, and Enter.
If you SSH to your Ubuntu 16.04 server again, you will be authenticated using the public key and the verification code only (two-factor authentication).
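Before restarting sshd in Step 4 or Step 5, it is worth checking what the daemon will actually read from the two files you edited. The shell audit below is an added example, not code from the article or from OpenSSH; the only facts it relies on are that sshd_config uses the first uncommented value it finds for each keyword (values inside a Match block apply only conditionally), so a line appended at the bottom does not override one set earlier in the file, and that the module only runs when UsePAM is yes. The default paths are the real ones; the audit logic, function names and the sample files in the usage are constructed.

```shell
#!/bin/sh
# Added example (not from the article): audit the files edited in Steps 4 and 5
# and report the values sshd will really use before you restart it.
# Assumed: sshd_config semantics "first uncommented value of a keyword wins";
# a Match block starts a conditional section, so scanning stops there.

# Print the effective value of a keyword (first match wins, case-insensitive).
effective_sshd_value() {
    awk -v k="$2" '
        /^[[:space:]]*#/ { next }
        tolower($1) == "match" { exit }
        tolower($1) == tolower(k) { $1 = ""; sub(/^[[:space:]]+/, ""); print; exit }
    ' "$1"
}

# Return 0 if the PAM line for Google Authenticator is active (not commented out).
pam_ga_enabled() {
    grep -Eq '^[[:space:]]*auth[[:space:]]+required[[:space:]]+pam_google_authenticator\.so' "$1"
}

# Return 0 if the temporary nullok escape hatch is still present; it should be
# removed once every user has enrolled a secret.
pam_ga_nullok_present() {
    grep -Eq '^[[:space:]]*auth[[:space:]]+.*pam_google_authenticator\.so.*[[:space:]]nullok' "$1"
}

# Return 0 when sshd will reach the verification-code prompt, 1 otherwise.
# Findings are printed on stdout. Arguments override the real file paths for testing.
audit_ssh_mfa() {
    conf="${1:-/etc/ssh/sshd_config}"
    pam="${2:-/etc/pam.d/sshd}"
    rc=0
    cra=$(effective_sshd_value "$conf" ChallengeResponseAuthentication)
    if [ "$(echo "$cra" | tr 'A-Z' 'a-z')" != "yes" ]; then
        echo "ChallengeResponseAuthentication is '${cra:-unset}'; sshd needs 'yes'"; rc=1
    fi
    usepam=$(effective_sshd_value "$conf" UsePAM)
    if [ "$(echo "$usepam" | tr 'A-Z' 'a-z')" != "yes" ]; then
        echo "UsePAM is '${usepam:-unset}'; sshd needs 'yes' to reach the PAM module"; rc=1
    fi
    echo "AuthenticationMethods in effect: $(effective_sshd_value "$conf" AuthenticationMethods)"
    if ! pam_ga_enabled "$pam"; then
        echo "no active pam_google_authenticator.so line in $pam"; rc=1
    elif pam_ga_nullok_present "$pam"; then
        echo "warning: nullok still set; users without a secret file can log in without a code"
    fi
    return $rc
}

# Usage on the server (reads the real files):
# sudo sh -c '. ./audit_ssh_mfa.sh; audit_ssh_mfa' && echo "MFA wiring looks right"
```

Pair this with sudo sshd -t, which checks the configuration for syntax errors and exits non-zero if it finds any, and keep your current SSH session open until a fresh login succeeds, so a mistake in either file does not lock you out.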
That's all when it comes to setting up MFA on your Ubuntu 16.04 server.
In this guide, we have taken you through the steps of securing your Ubuntu 16.04 Alibaba ECS with multi-factor authentication. We have shown you how to set up the Google PAM module and helper program to create secret codes for each user that requires MFA.
Depending on the security level that you want on your server, you can enable all three forms of authentication (public key, password, and verification code) or just two forms (public key and verification code).
We believe this guide will help you to add another layer of security to your Ubuntu 16.04 ECS instance.
Published at DZone with permission of Francis Ndungu, DZone MVB. See the original article here.