How to secure SSH login on Linux

Even though two factor authentications can refer to a multitude of techniques such as biometrics or smart cards, the most frequent method used in web applications is the one-time password. Google Authenticator app is one of the most popular algorithms used for such purposes and it can be applied to Linux, too. Lets see how to secure SSH logins with the help of Google Authenticator.

Step 1 Install dependencies

First of all, make sure you have root or sudo privileges on the device you are planning to secure your SSH via 2FA using Google Authenticator.
Update Ubuntus repository cache via

1
sudo apt-get update

Afterwards, run the following command to install the needed dependency package for Ubuntu via

1
sudo apt-get install libpam-google-authenticator

This will install the PAM module on your device, along with libqrencode3, which enables you to use the camera on your device in order to scan the qr-code.

PAM allows you to generate TOTP keys for every user who will have access to 2FA. Every key will be created on a user-by-user basis, and not a system-wide basis. Therefore, each user will have to long in and run the app in order to receive a key.

The initialization app can be started via google-authenticator command, which will receive as a response

1
Do you want authentication tokens to be time-based (y/n)

After answering yes to this query, a couple of other security questions will appear such as Do you want me to update your "~/.google_authenticator" file (y/n).

For the best security practices for SSH logins, it is best to answer yes to the following query

1
2
3
Do you want to disallow multiple uses of the same authentication token?
This restricts you to one login about every 30s, but it increases your chances
to notice or even prevent man-in-the-middle attacks (y/n)

This step is essential for creating the best Linux 2FA SSH login, as it will let the user only 30 seconds for typing the login code, and, as a consequence, will make it impossible for a hacker to achieve the authentication code.

Another great security measure that will make even more secure the SSH login is the 

1
2
3
4
If the computer that you are logging into isnt hardened against brute-force
login attempts, you can enable rate-limiting for the authentication module.
By default, this limits attackers to no more than 3 login attempts every 30s.
Do you want to enable rate-limiting (y/n)

This means that in the event of a malicious intent approach on your device, the hacker will have a limited login attempt, after which its access will be blocked.

Step 2 Setting up Open SSH

Open a SSH session and test the settings. In the PAM file sudo vi /etc/pam.d/sshd, enter the line auth required pam_google_authenticator.so.

Save the changes, close the file, and move forward to configuring SSH and enabling the authentication method with the command sudo vi /etc/ssh/sshd_config.

Switch the value for ChallengeResponseAuthentication line to yes, and restart the SSH server for the changes to take effect.

Step 3 Configure the Google Authenticator App

On your mobile device, install the Google Authenticator app, and set your account. Go to the Enter provided key menu, and enter the secret key, select the Time based featureand tapAdd`. From this point on, it will create a one-time verification code that will change each 30 seconds.

Step 4 test everything

After completing all the steps above, it is best to attempt login SSH via your computer. In this way you will make sure there are no errors in your authentication process.