Introduction
Just the other day, through my school, I learned that there is a way to set up 2FA, so I started learning how to set it up. Now I would like to share it with you guys.
Prerequisites
Before you begin, make sure you have the following:
- A GNU/Linux server: This guide will use Ubuntu as an example, but the steps should apply to most distributions.
- A 2FA app: Popular options include Google Authenticator, Authenticator, or Authy.
- Basic knowledge of Linux commands is assumed.
- Do not use the root account for this setup. Using the root account might cause login issues after enabling 2FA.
Step 1: Install the 2FA Package
To begin, you need to install the libpam-google-authenticator package on your server, which will enable 2FA functionality.
Run the following command to install it:
sudo apt update
sudo apt install libpam-google-authenticator
Step 2: Configure the 2FA Package
Next, configure the Google Authenticator package by running:
google-authenticator
The system will prompt you with a few questions. You can generally respond with ‘yes’ to each one.
Once completed, you’ll see a QR code and a secret key.
Step 3: Scan the QR Code or Enter the Secret Key
Now, open your 2FA app (Google Authenticator, Authy, etc.), and either:
- Scan the QR code displayed on the terminal, or
- Manually enter the secret key if you can’t scan it.
Your app will start generating time-based 6-digit codes.
Tip: If you’re using a different 2FA app, the process will be the same. Just make sure to enter the secret key manually if scanning the QR code isn’t an option.
Step 4: Configure SSH for 2FA
Next, you need to configure SSH to use 2FA. Edit the SSH daemon’s configuration file:
sudo vim /etc/ssh/sshd_config
Make sure these two lines are present (or add them if they aren’t):
KbdInteractiveAuthentication yes
ChallengeResponseAuthentication yes
These settings enable keyboard-interactive authentication, which is how the server prompts for the 2FA code.
After saving the changes, close the file.
Step 5: Restart SSH Service
To apply the changes, restart the SSH service:
sudo systemctl restart ssh
Step 6: Configure PAM for 2FA
PAM (Pluggable Authentication Modules) must also be configured to use Google Authenticator. Edit the PAM configuration for SSH:
sudo vim /etc/pam.d/sshd
Add the following line to the file:
auth required pam_google_authenticator.so
Where you place this line in the file matters:
- Above the line containing @include common-auth: This will ask for your password first, followed by the 2FA code.
- Below @include common-auth: This will ask for the 2FA code first, followed by the password.
Choose the sequence you prefer, save the file, and exit.
Step 7: Restart SSH Again
To ensure all changes take effect, restart the SSH service one more time:
sudo systemctl restart ssh
Step 8: Test 2FA
It’s time to test the 2FA setup. Try SSHing into your server:
ssh your-username@your-server-ip -v
You should first be prompted for your password, and then for the 2FA verification code generated by your app. Example:
$ ssh user@your-server
Password:
Verification code:
If both the password and 2FA code are correct, you will be logged in.
And that’s it! You’ve successfully set up 2FA on your GNU/Linux server.
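A check for the edits from Steps 4 and 6, added here as an example and not part of the original guide: it reports whether keyboard-interactive authentication is effectively enabled in sshd_config and whether the PAM line is active. The function names are hypothetical, the sample files are constructed, and treating both keyword spellings as one option with first-occurrence-wins is a simplification that ignores Include files and Match blocks.

```shell
#!/bin/sh
# Added example (not from the original guide): audit the files from Steps 4 and 6.

# Print the effective keyboard-interactive setting. sshd uses the FIRST
# occurrence of a keyword and ignores case; both spellings from Step 4 are
# treated as one option here (a simplification, see the lead-in).
kbd_interactive() {  # $1 = sshd_config path
    awk '
        /^[ \t]*#/ { next }
        tolower($1) == "kbdinteractiveauthentication" ||
        tolower($1) == "challengeresponseauthentication" {
            print tolower($2); found = 1; exit
        }
        END { if (!found) print "unset" }
    ' "$1"
}

# Succeed if an uncommented auth line loads pam_google_authenticator.so.
pam_has_totp() {  # $1 = PAM service file
    awk '
        /^[ \t]*#/ { next }
        $1 == "auth" && /pam_google_authenticator\.so/ { found = 1 }
        END { exit !found }
    ' "$1"
}

# Return 0 only if both files match what the guide asks for.
audit_2fa() {  # $1 = sshd_config path, $2 = PAM service file
    rc=0
    kbd=$(kbd_interactive "$1")
    if [ "$kbd" != "yes" ]; then
        echo "FAIL: keyboard-interactive is '$kbd' in $1" >&2; rc=1
    fi
    if ! pam_has_totp "$2"; then
        echo "FAIL: no active pam_google_authenticator.so auth line in $2" >&2; rc=1
    fi
    [ "$rc" -eq 0 ] && echo "OK: both files are configured for 2FA"
    return "$rc"
}

# Constructed sample: a leftover "no" above the added "yes" still wins.
demo=$(mktemp -d)
printf 'KbdInteractiveAuthentication no\nKbdInteractiveAuthentication yes\n' > "$demo/sshd_config"
printf '@include common-auth\nauth required pam_google_authenticator.so\n' > "$demo/pam_sshd"
audit_2fa "$demo/sshd_config" "$demo/pam_sshd" || echo "Fix the config before restarting ssh"
rm -rf "$demo"
```

Run it against /etc/ssh/sshd_config and /etc/pam.d/sshd before restarting SSH, and keep your current session open until a fresh login succeeds. On the server itself, `sudo sshd -t` validates the syntax and `sudo sshd -T` prints the effective settings, including the Include files and defaults that this file-based check does not follow.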