
    How to Implement Two-Factor Authentication (2FA) for SSH on Ubuntu and RHEL

    Two-Factor Authentication (2FA) adds a second, independent check to SSH logins on a Linux server: after the password has been accepted, the user must also enter a one-time code from an app on their phone. On Ubuntu and RHEL (Red Hat Enterprise Linux) you can enable this with Google's PAM module, google-authenticator-libpam, packaged as libpam-google-authenticator on Ubuntu and as google-authenticator in EPEL for RHEL. The codes themselves can come from the Google Authenticator app or any other TOTP app.

    This guide will show you how to implement 2FA for SSH on both systems.


    Step 1: Install Google Authenticator

    The module, pam_google_authenticator.so, is a PAM (Pluggable Authentication Module) that verifies Time-based One-Time Passwords (TOTP, RFC 6238) against a per-user secret stored in ~/.google_authenticator. It can also handle counter-based HOTP codes, but this guide uses TOTP, which is what the phone apps expect.

    Ubuntu 

    sudo apt update
     sudo apt install libpam-google-authenticator


    RHEL

    The package lives in EPEL. On RHEL 8 and 9 use dnf (yum is kept as an alias); a full system update is not required first. On RHEL itself epel-release is not in the default repositories, so install the epel-release RPM for your major version from the EPEL project; on CentOS Stream, Rocky Linux and AlmaLinux the first command works as written.

    sudo dnf install epel-release
     sudo dnf install google-authenticator

     

    Step 2: Configure Google Authenticator

    1. Log in as the user you want to protect and run the enrolment tool. Do not run it with sudo: it writes ~/.google_authenticator for whoever runs it, so under sudo you would enrol root instead of the intended account.

    google-authenticator


    2. You will be prompted with a series of questions. Answer as follows:

    Do you want authentication tokens to be time-based? y
    (TOTP codes, which phone apps expect; n would select counter-based HOTP.)

    Do you want me to update your .google_authenticator file? y
    (Writes the secret to your home directory with permissions 0400.)

    Do you want to disallow multiple uses of the same authentication token? y
    (A code is accepted only once, so a captured code cannot be replayed; this limits you to one login per 30-second interval.)

    Do you want to increase the time window? n
    (By default the module accepts 3 codes: the previous, the current and the next 30-second interval. Answering y widens this to 17 codes, about 4 minutes of clock skew, which also means more codes are valid at any moment. Keep the server clock synchronised with NTP instead.)

    Do you want to enable rate-limiting? y
    (The module itself refuses more than 3 attempts per 30 seconds.)

     

    3. The tool prints a QR code, the base32 secret key and five emergency scratch codes.

    • Scan the QR code with Google Authenticator or any other TOTP-compliant app such as Authy, Microsoft Authenticator or FreeOTP.
    • Store the emergency scratch codes somewhere safe and offline: each one is a single-use login code for when the phone is unavailable.
    • The QR code and the printed key are the secret itself. Clear the terminal afterwards and never paste them into chat, tickets or logs.
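    To see what the module actually checks when you answer those questions, here is an added example (not code from the original post or from the google-authenticator project): a shell implementation of the TOTP computation plus the time-window and reuse checks, using only coreutils (base32, od) and openssl. The secret is the RFC 4226/6238 test key, so nothing here touches a real enrolment.

```bash
#!/bin/bash
# totp_check.sh -- added example, not code from the original post or from the
# google-authenticator project. It reproduces the arithmetic the PAM module
# performs on a time-based token (RFC 6238 over HMAC-SHA1, RFC 4226) using only
# coreutils (base32, od) and openssl, so the "time window" and "disallow reuse"
# answers from Step 2 can be exercised on the command line. The secret and
# timestamps below are the RFC test vectors, not a real enrolment.

# totp_at BASE32_SECRET UNIX_TIME [STEP]  -> prints the 6-digit code for that interval
totp_at() {
  local secret_b32=$1 now=$2 step=${3:-30}
  local key_hex counter counter_hex bin_esc hmac offset chunk i
  # ~/.google_authenticator holds the key base32-encoded; HMAC wants the raw bytes (hex for openssl)
  key_hex=$(printf '%s' "$secret_b32" | base32 -d | od -An -v -tx1 | tr -d ' \n')
  counter=$(( now / step ))                          # T = floor(unix_time / step)
  counter_hex=$(printf '%016x' "$counter")           # 8-byte big-endian counter
  bin_esc=""
  for (( i = 0; i < 16; i += 2 )); do bin_esc="$bin_esc\\x${counter_hex:i:2}"; done
  hmac=$(printf "$bin_esc" | openssl dgst -sha1 -mac HMAC -macopt "hexkey:$key_hex" | awk '{ print $NF }')
  offset=$(( 0x${hmac:39:1} ))                       # dynamic truncation: low nibble of the last byte
  chunk=${hmac:offset*2:8}                           # 4 bytes starting at that offset
  printf '%06d\n' $(( (0x$chunk & 0x7fffffff) % 1000000 ))
}

# Intervals whose code has already been accepted ("disallow multiple uses", the module's DISALLOW_REUSE)
TOTP_USED=""

# totp_verify BASE32_SECRET CODE UNIX_TIME [WINDOW]
#   0 = accepted, 1 = no match inside the window, 2 = valid but already used (replay)
#   WINDOW=3 is the module default: previous, current and next 30 s interval.
#   WINDOW=17 is what answering y to "increase the time window" selects (about 4 min of skew).
totp_verify() {
  local secret_b32=$1 code=$2 now=$3 window=${4:-3} half k t interval
  half=$(( (window - 1) / 2 ))
  for (( k = -half; k <= half; k++ )); do
    t=$(( now + k * 30 ))
    if [ "$(totp_at "$secret_b32" "$t")" = "$code" ]; then
      interval=$(( t / 30 ))
      case " $TOTP_USED " in *" $interval "*) return 2 ;; esac
      TOTP_USED="$TOTP_USED $interval"
      return 0
    fi
  done
  return 1
}

if [ "${BASH_SOURCE[0]}" = "$0" ]; then
  # RFC 4226/6238 test key "12345678901234567890", base32-encoded (constructed test input)
  SECRET=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ
  T0=1111111109
  CODE=$(totp_at "$SECRET" "$T0")                    # RFC 6238 gives 07081804 for this instant; 6 digits: 081804
  echo "code at t=$T0: $CODE"
  totp_verify "$SECRET" "$CODE" $(( T0 + 90 ))    || echo "90 s of skew, default window: rejected (rc $?)"
  totp_verify "$SECRET" "$CODE" $(( T0 + 90 )) 17 && echo "90 s of skew, window 17: accepted"
  totp_verify "$SECRET" "$CODE" $(( T0 + 90 )) 17 || echo "same code again: refused as replay (rc $?)"
fi
```

    The demonstration at the bottom shows both trade-offs from Step 2 at once: a code that is 90 seconds old is refused under the default 3-code window and accepted under the 17-code one, and a second use of the same code is refused regardless of the window.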

     

    Step 3: Configure PAM to Use Google Authenticator

    PAM decides what sshd asks for during its keyboard-interactive stage, so the module has to be added to the PAM stack that sshd uses.

    1. Open the PAM configuration file for SSH:

    sudo nano /etc/pam.d/sshd

    2. Add the following line directly after the line that pulls in the normal password check (@include common-auth on Ubuntu, auth substack password-auth on RHEL), so that the user is asked for the password first and the verification code second:

    auth required pam_google_authenticator.so

    While rolling 2FA out, you can append nullok to this line so that users who have not yet run google-authenticator can still log in with their password alone. Remove it once everyone is enrolled: as long as it is there, any account without a secret file is a one-factor login.

     

    Step 4: Configure SSH to Use 2FA

    You now need to tell sshd to use PAM's keyboard-interactive flow and to require it for every login.

    1. Open the SSH configuration file:

    sudo nano /etc/ssh/sshd_config

    2. Find and set the following directives. sshd uses the first occurrence of a directive, so make sure nothing earlier in the file overrides them; if the file starts with Include /etc/ssh/sshd_config.d/*.conf, a drop-in there wins over anything below it.

    KbdInteractiveAuthentication yes
     PasswordAuthentication no
     UsePAM yes

    On OpenSSH releases older than 8.7 the first directive is spelled ChallengeResponseAuthentication; current Ubuntu and RHEL releases still accept the old name as an alias. PasswordAuthentication can be off because PAM collects the password itself inside the keyboard-interactive exchange.

    3. Add or modify the AuthenticationMethods directive. For the password-plus-code login this guide describes, a single method is enough, because the PAM stack asks for the password (via common-auth on Ubuntu, password-auth on RHEL) and then for the code:

    AuthenticationMethods keyboard-interactive

    If you would rather require an SSH key plus a code and no password at all, use

    AuthenticationMethods publickey,keyboard-interactive

    and comment out the @include common-auth (Ubuntu) or auth substack password-auth (RHEL) line in /etc/pam.d/sshd, so that the interactive stage prompts only for the code. In this directive a comma joins factors that must all succeed and a space separates alternatives the client may choose between. The password method carries only the password to PAM and has no prompt for a second value, so an alternative such as publickey,password cannot deliver the code; list only alternatives that include keyboard-interactive.
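    Before restarting sshd in the next step, it pays to check the two files against what Steps 3 and 4 require. The following is an added example, not code from the original post or from OpenSSH: a shell audit that reads a given sshd_config and pam.d/sshd, applies sshd's first-match rule for directives, and reports each check. The sample files it writes under a temporary directory are constructed for the demonstration only.

```bash
#!/bin/bash
# audit_ssh_2fa.sh -- added example, not code from the original post or the OpenSSH
# project: a static check of an sshd_config and a /etc/pam.d/sshd against the settings
# Steps 3 and 4 ask for, intended to run BEFORE sshd is restarted. Both paths are
# parameters, so it can be pointed at /etc/ssh/sshd_config and /etc/pam.d/sshd or at
# the constructed sample files written by write_samples below.

# effective_value FILE DIRECTIVE -> the value sshd will use for a global directive.
# sshd takes the first occurrence of a keyword (case-insensitive), skips comments, and
# treats everything after a Match line as conditional, so the scan stops there.
effective_value() {
  awk -v key="$2" '
    NF == 0 || $1 ~ /^#/        { next }
    tolower($1) == "match"      { exit }
    tolower($1) == tolower(key) { $1 = ""; sub(/^[[:space:]]+/, ""); print; exit }
  ' "$1"
}

AUDIT_FAILS=0
_check() {  # _check 0|1 MESSAGE   (0 = passed)
  if [ "$1" -eq 0 ]; then echo "PASS: $2"; else echo "FAIL: $2"; AUDIT_FAILS=$(( AUDIT_FAILS + 1 )); fi
}
_eq() { if [ "$1" = "$2" ]; then echo 0; else echo 1; fi; }   # _eq ACTUAL WANTED -> 0 when equal

# audit_ssh_2fa SSHD_CONFIG PAM_SSHD -> one line per check; returns the number of failed checks
audit_ssh_2fa() {
  local cfg=$1 pam=$2 v methods alt bad
  AUDIT_FAILS=0

  v=$(effective_value "$cfg" UsePAM)
  _check "$(_eq "$v" yes)" "UsePAM yes, so pam_google_authenticator.so is consulted (found '${v:-unset}')"

  v=$(effective_value "$cfg" PasswordAuthentication)
  _check "$(_eq "$v" no)" "PasswordAuthentication no; PAM collects the password itself (found '${v:-unset}')"

  # KbdInteractiveAuthentication (ChallengeResponseAuthentication before OpenSSH 8.7) defaults
  # to yes, so only an explicit 'no' breaks the verification-code prompt.
  v=$(effective_value "$cfg" KbdInteractiveAuthentication)
  [ -n "$v" ] || v=$(effective_value "$cfg" ChallengeResponseAuthentication)
  _check "$(_eq "${v:-yes}" yes)" "keyboard-interactive not disabled (found '${v:-unset, default yes}')"

  # Every space-separated alternative must include keyboard-interactive: a comma joins
  # factors that must all pass, a space separates alternatives the client may pick from.
  methods=$(effective_value "$cfg" AuthenticationMethods)
  bad=0; [ -n "$methods" ] || bad=1
  for alt in $methods; do
    case ",$alt," in
      *,keyboard-interactive,*|*,keyboard-interactive:*) ;;
      *) bad=1 ;;
    esac
  done
  _check "$bad" "every AuthenticationMethods alternative requires keyboard-interactive (found '${methods:-unset}')"

  bad=1; grep -Eq '^[[:space:]]*auth[[:space:]].*pam_google_authenticator\.so' "$pam" && bad=0
  _check "$bad" "$pam loads pam_google_authenticator.so on an uncommented auth line"
  if grep -Eq '^[[:space:]]*auth[[:space:]].*pam_google_authenticator\.so.*nullok' "$pam"; then
    echo "WARN: nullok is set: users without ~/.google_authenticator log in with one factor (rollout only)"
  fi
  return "$AUDIT_FAILS"
}

# write_samples DIR: constructed sshd_config and pam.d fragments for the demonstration only
write_samples() {
  cat > "$1/sshd_config.weak" <<'EOF'
# constructed sample: a key+password alternative that has no code prompt at all
ChallengeResponseAuthentication yes
PasswordAuthentication yes
UsePAM yes
AuthenticationMethods publickey,password publickey,keyboard-interactive
EOF
  cat > "$1/sshd_config.good" <<'EOF'
# constructed sample: password + verification code, both collected by PAM
KbdInteractiveAuthentication yes
PasswordAuthentication no
UsePAM yes
AuthenticationMethods keyboard-interactive
EOF
  cat > "$1/pam_sshd" <<'EOF'
# constructed sample of /etc/pam.d/sshd (Ubuntu layout)
@include common-auth
auth required pam_google_authenticator.so
account required pam_nologin.so
EOF
}

if [ "${BASH_SOURCE[0]}" = "$0" ]; then
  dir=$(mktemp -d)
  write_samples "$dir"
  echo "== weak sample =="
  audit_ssh_2fa "$dir/sshd_config.weak" "$dir/pam_sshd" || echo "-> $? check(s) failed"
  echo "== corrected sample =="
  audit_ssh_2fa "$dir/sshd_config.good" "$dir/pam_sshd" && echo "-> ready for sshd -t and the restart"
  rm -rf "$dir"
fi
```

    Run it against the live files with audit_ssh_2fa /etc/ssh/sshd_config /etc/pam.d/sshd. It is a static check only; before the restart, also let sshd parse the configuration itself with sudo sshd -t, and use sudo sshd -T to print the effective values, including anything pulled in through Include.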

     

    Step 5: Restart SSH Service

    Restart the SSH daemon to apply the changes, but keep your current SSH session open until Step 6 has confirmed that a fresh login works. If the new configuration is wrong, that open session is your way back in.

    sudo systemctl restart sshd

     

    Step 6: Test 2FA Authentication

    1. From a second terminal, leaving the first one logged in, SSH into your server:

    ssh your-username@your-server-ip

    2. You should be prompted for your password and then for a Verification code: the six digits currently shown in the app. Also confirm the negative cases: a login without the code, with a wrong code, or with a code you have already used must be refused.

     

    Step 7: (Optional) Enforce 2FA Only for Specific Users

    To require the code only for some users, add the following line to /etc/pam.d/sshd directly above the pam_google_authenticator line. success=1 skips exactly one module, so nothing may sit between the two lines:

    auth [success=1 default=ignore] pam_succeed_if.so user notin user1:user2

    Replace user1 and user2 with the usernames that must use 2FA. For anyone not in the list the condition succeeds and the module is skipped; listed users fall through to it. Note the keyword notin: with in, the listed users would be the ones exempted. A group is easier to maintain than a user list; user notingroup sshotp works the same way with a group name.

     

    Troubleshooting Tips

    • If you are locked out after enabling 2FA, use the console (or your provider's rescue or recovery mode) to revert /etc/pam.d/sshd and /etc/ssh/sshd_config; this is why Step 5 tells you to keep an existing session open while testing.
    • If valid codes keep being rejected, check the server clock first: TOTP tolerates only the configured window of skew, so run chrony or systemd-timesyncd. Also make sure the app was enrolled from the QR code for this user on this host.
    • On RHEL with SELinux enforcing, a module that cannot read ~/.google_authenticator shows up as an AVC denial in the audit log; check with ausearch before loosening anything else.
    • Check the authentication logs (on recent Ubuntu releases without rsyslog, the ssh unit's journal replaces auth.log):

    sudo tail -f /var/log/auth.log  # Ubuntu
     sudo tail -f /var/log/secure    # RHEL