Secure Your Server with 2FA
Being the tinfoil hatter that I am, and after realizing (unsurprisingly) that my home server was getting bombarded with SSH attempts, I decided to implement two-factor authentication just for some peace of mind. The server itself is already hardened a bit with a sane SSH config, fail2ban and iptables, but you can never be too careful, right?
The merits of 2FA are already well documented, and this was so easy that I see no reason not to do it, especially on production systems. I already use Google Authenticator for my other 2FA needs and was pleasantly surprised to find out they also have an awesome PAM module.
Just a quick note: this guide is written under the assumption of an Ubuntu/Debian based system, but the instructions should vary little for other OSes. I will also assume we have a fresh SSH config so we can walk through that a bit too.
First things first, we need to install the package and run through the setup:
Don’t forget to copy down the emergency keys!
Next up we have to edit our pam.d file for SSH to require the new package. To do this we want to modify /etc/pam.d/sshd using your editor of choice and add this to the top of the file:
It is important to note that you should definitely use required here. You can take a look at the PAM docs for the different options, but required holds the benefit of not only bouncing a user out if they fail this method but also not immediately revealing that this was the method that bounced them, adding a bit more over
Next up we want to update our
Now, assuming this is a fresh installation of SSH and you are just using username and password authentication, this will work without any problems. But let's be honest, you shouldn't be doing that when public keys are so easy to set up. Once you generate your public key, head back to /etc/ssh/sshd_config and add/change these options:
Now you have your server set up with SSH public key authentication and snazzy 2FA. You're so excited to try it out that you disconnect and try SSHing in, only to find that you are never prompted for a token… that's not right. Unfortunately public key auth does not play well with PAM; it pretty much just bypasses it (public keys are secure, right??). Well, fret not, there is a solution. You will have to update to at least OpenSSH v6.2 for this, but you should already be there. Next add this to your
, here is important. This tells ssh to run these checks sequentially, allowing us to use both publickey and 2FA authentication.
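The config snippets themselves did not survive on this page, so here is an added example (my own, not the post's) that applies the whole procedure to a copy of the two files and then verifies the result. It assumes the snippets were `auth required pam_google_authenticator.so` at the top of /etc/pam.d/sshd, and `ChallengeResponseAuthentication yes`, `UsePAM yes`, `PubkeyAuthentication yes`, `PasswordAuthentication no` and `AuthenticationMethods publickey,keyboard-interactive` in /etc/ssh/sshd_config; the starting file contents below are constructed samples, and the script only ever touches the directory you hand it.

```shell
#!/bin/sh
# Added example: apply the SSH + Google Authenticator PAM settings from the
# post to a copy of sshd_config and pam.d/sshd, then check the outcome.
# Directive names/values are my assumptions about the post's stripped snippets.
set -eu

# Constructed sample starting files (not taken from any real server).
make_sample_configs() {
  dir="$1"
  mkdir -p "$dir/ssh" "$dir/pam.d"
  cat > "$dir/ssh/sshd_config" <<'EOF'
# constructed sample sshd_config
Port 22
PasswordAuthentication yes
ChallengeResponseAuthentication no
UsePAM yes
EOF
  cat > "$dir/pam.d/sshd" <<'EOF'
# constructed sample /etc/pam.d/sshd
@include common-auth
EOF
}

# set_directive FILE KEY VALUE: rewrite an existing (even commented-out)
# "KEY ..." line in place, keeping only one copy; append if absent.
set_directive() {
  file="$1"; key="$2"; value="$3"
  awk -v k="$key" -v v="$value" '
    BEGIN { done = 0 }
    { line = $0; sub(/^[# \t]+/, "", line) }
    line ~ ("^" k "([ \t]|$)") { if (!done) { print k " " v; done = 1 }; next }
    { print }
    END { if (!done) print k " " v }
  ' "$file" > "$file.tmp" && mv "$file.tmp" "$file"
}

# prepend_line FILE LINE: put LINE first in FILE unless it is already present.
prepend_line() {
  file="$1"; line="$2"
  if ! grep -Fxq "$line" "$file"; then
    { printf '%s\n' "$line"; cat "$file"; } > "$file.tmp" && mv "$file.tmp" "$file"
  fi
}

# The procedure from the post, in order: PAM module required first, then the
# challenge-response + pubkey settings, then the sequential method list.
configure_ssh_2fa() {
  dir="$1"; cfg="$dir/ssh/sshd_config"
  prepend_line "$dir/pam.d/sshd" "auth required pam_google_authenticator.so"
  set_directive "$cfg" ChallengeResponseAuthentication yes
  set_directive "$cfg" UsePAM yes
  set_directive "$cfg" PubkeyAuthentication yes
  set_directive "$cfg" PasswordAuthentication no
  set_directive "$cfg" AuthenticationMethods "publickey,keyboard-interactive"
}

# Returns 0 when every directive is present exactly once with the expected
# value and the PAM line is the first line of pam.d/sshd, 1 otherwise.
check_ssh_2fa() {
  dir="$1"; cfg="$dir/ssh/sshd_config"
  [ "$(head -n 1 "$dir/pam.d/sshd")" = "auth required pam_google_authenticator.so" ] || return 1
  for want in "ChallengeResponseAuthentication yes" "UsePAM yes" \
              "PubkeyAuthentication yes" "PasswordAuthentication no" \
              "AuthenticationMethods publickey,keyboard-interactive"; do
    [ "$(grep -Fxc "$want" "$cfg")" -eq 1 ] || return 1
  done
  if grep -Eq '^[[:space:]]*PasswordAuthentication[[:space:]]+yes' "$cfg"; then
    return 1   # the old password-only setting must be gone
  fi
  return 0
}

# Stand-alone demo against a throwaway directory.
demo_dir="$(mktemp -d)"
make_sample_configs "$demo_dir"
configure_ssh_2fa "$demo_dir"
configure_ssh_2fa "$demo_dir"   # second run must be a no-op (no duplicates)
if check_ssh_2fa "$demo_dir"; then echo "2FA config applied: OK"; else echo "2FA config check FAILED"; fi
rm -rf "$demo_dir"
```

When you point it at the real /etc, run `sshd -t` afterwards to validate the config, and keep your current session open while you test a fresh login from a second terminal: a mistake in either file locks you out of the box.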
So now, if we give this a go, you should see a nice prompt for your token after your public key auth is done. Success!!