{"id":364944,"date":"2021-11-10T14:00:00","date_gmt":"2021-11-10T11:00:00","guid":{"rendered":"https:\/\/en.buradabiliyorum.com\/how-to-enable-two-factor-for-ssh-logins-cloudsavvy-it\/"},"modified":"2021-11-10T14:00:00","modified_gmt":"2021-11-10T11:00:00","slug":"how-to-enable-two-factor-for-ssh-logins-cloudsavvy-it","status":"publish","type":"post","link":"https:\/\/buradabiliyorum.com\/en\/how-to-enable-two-factor-for-ssh-logins-cloudsavvy-it\/","title":{"rendered":"#How to Enable Two Factor for SSH Logins \u2013 CloudSavvy IT"},"content":{"rendered":"<div id=\"article-content-area\">\n<figure style=\"width: 700px\" class=\"wp-caption alignnone\"><img loading=\"lazy\" decoding=\"async\" class=\"type:primaryImage  wp-image-5357 size-full\" srcset=\"https:\/\/www.cloudsavvyit.com\/p\/uploads\/2019\/10\/c50db96f.png?width=398&amp;trim=1,1&amp;bg-color=000&amp;pad=1,1 400w, https:\/\/www.cloudsavvyit.com\/p\/uploads\/2019\/10\/c50db96f.png?width=1198&amp;trim=1,1&amp;bg-color=000&amp;pad=1,1 1200w\" sizes=\"auto, 400w, 1200w\" src=\"https:\/\/www.cloudsavvyit.com\/p\/uploads\/2019\/10\/c50db96f.png?width=1198&amp;trim=1,1&amp;bg-color=000&amp;pad=1,1\" alt=\"Man holding smartphone.\" width=\"700\" height=\"300\" data-crediturl=\"https:\/\/www.shutterstock.com\/image-photo\/close-man-using-mobile-smart-phone-136552994\" data-credittext=\"Shutterstock\/TATSIANAMA\" 
\/><figcaption class=\"wp-caption-text\"><span class=\"type:primaryImage imagecredit\"><a rel=\"nofollow noopener\" target=\"_blank\" href=\"https:\/\/www.shutterstock.com\/image-photo\/close-man-using-mobile-smart-phone-136552994\">Shutterstock\/TATSIANAMA<\/a><\/span><\/figcaption><\/figure>\n<p>If you really want to lock down your cloud server, you can enable two-factor authentication for SSH in the same way you would add it to your Gmail account, so that an attacker who has stolen your SSH private key still cannot log in.<\/p>\n<h2 role=\"heading\" aria-level=\"2\"><span class=\"ez-toc-section\" id=\"Is_This_Really_Necessary\"><\/span>Is This Really Necessary?<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>Compared to having two factor on an email or web-based account, two factor on SSH isn\u2019t as useful. For something like email, the point of failure is usually password reset schemes, easily crackable passwords, or data breaches: anything involving bad passwords or poor password management.<\/p>\n<p>For SSH, this isn\u2019t much of an issue. SSH authenticates connections with strong public-key cryptography. If your SSH server is locked down and doesn\u2019t allow password access, nobody is getting in unless they have the physical device that the key is stored on, and it\u2019s not very likely that anyone will brute-force your SSH key anytime this century. So, in a sense, it\u2019s almost as if you already have two factor, because your key will remain on your laptop.<\/p>\n<p>But, in some fringe cases, two factor can be a good choice. 
If some lunatic hacker decides to steal your laptop with the intent of nabbing your SSH keys along with it (and not just selling it on Craigslist when they can\u2019t crack your device password), having two factor would put you one step ahead.<\/p>\n<p>A more real-world issue, though, is SSH agent forwarding. With agent forwarding turned on, the signing requests needed to log into additional servers are forwarded back to the agent on your device. This allows you to SSH into a public server, and\u2014from that public server\u2014SSH again into another private server on the same network, giving you access similar to what a VPN would provide.<\/p>\n<p>The problem is that if the public server is compromised while you have agent forwarding enabled, an attacker on that server can use your forwarded agent to act as you for as long as you\u2019re connected. This is a potential privilege escalation, depending on how you\u2019ve set up your network. Two-factor SSH would solve this issue.<\/p>\n<p>Again, this is a very edge-case solution, and will probably cause more issues than it prevents, but if you\u2019re serious about locking everything down, we\u2019ll show you how.<\/p>\n<h2 role=\"heading\" aria-level=\"2\"><span class=\"ez-toc-section\" id=\"How_to_Enable_Two_Factor_for_SSH\"><\/span>How to Enable Two Factor for SSH<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>To handle two factor requests, we\u2019ll use the Google Authenticator PAM module (PAM is Linux\u2019s Pluggable Authentication Modules framework), which works with Authy and Google Authenticator. Install it from your distro\u2019s package manager:<\/p>\n<pre>sudo apt-get install libpam-google-authenticator<\/pre>\n<p>Then, run this initialization command:<\/p>\n<pre>google-authenticator<\/pre>\n<p>Answer yes to the first question, which asks whether authentication tokens should be time-based (TOTP). This is more secure. 
Your terminal will then be flooded with a gigantic QR code, and you\u2019ll likely have to zoom out a bit.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\" alignnone wp-image-1991 size-full\" src=\"https:\/\/www.cloudsavvyit.com\/p\/uploads\/2019\/09\/02e7707f.png?trim=1,1&amp;bg-color=000&amp;pad=1,1\" alt=\"Gigantic QR code.\" width=\"700\" height=\"501\"\/><\/p>\n<p>Open up your authenticator app, and scan your code (not the screenshot). Your app should sync and start producing six-digit codes that change every 30 seconds.<\/p>\n<p>You\u2019ll also want to make a note of all of the additional output, including the secret key and emergency scratch codes. These let you regain access to your server if you are locked out for any reason, though you should be warned that a misconfiguration can still leave you locked out permanently. We\u2019ll turn on two factor optionally for testing before making it mandatory.<\/p>\n<p>For the next questions, answer the following:<\/p>\n<ul>\n<li>Answer yes to updating your config file; otherwise nothing will work.<\/li>\n<li>Answer yes to disallowing multiple uses of each token. They should expire once they are used.<\/li>\n<li>Answer no to extending the valid code window, as there isn\u2019t really any point to it.<\/li>\n<li>Answer yes to rate limiting, which will lock out an attacker after three failed attempts. 
Your last three codes will be valid for a minute and a half, so you won\u2019t have to worry about locking yourself out by being too slow.<\/li>\n<\/ul>\n<p>All of your configuration is saved to <code>~\/.google-authenticator<\/code>. You can copy this file to an additional server to apply the same configuration; don\u2019t rerun the initialization tool there, or you\u2019ll have to link two separate devices.<\/p>\n<h2 role=\"heading\" aria-level=\"2\"><span class=\"ez-toc-section\" id=\"Configure_SSH_to_Work_with_Google_PAM\"><\/span>Configure SSH to Work with Google PAM<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>Open up the PAM configuration file at <code>\/etc\/pam.d\/sshd<\/code> in your favorite text editor, and add the following line at the very bottom:<\/p>\n<pre>auth required pam_google_authenticator.so nullok<\/pre>\n<p>The <code>nullok<\/code> directive means the module won\u2019t block users who haven\u2019t set up a token yet, so two factor stays optional until you remove it. Leave it this way for testing. You\u2019ll also want to find the line that contains <code>@include common-auth<\/code>, and comment it out with a <code>#<\/code>:<\/p>\n<pre># Standard Un*x authentication.\n#@include common-auth<\/pre>\n<p>This turns off password-based authentication, which you don\u2019t want enabled.<\/p>\n<p>Next, open up SSH\u2019s settings at <code>\/etc\/ssh\/sshd_config<\/code>. 
Find the <code>ChallengeResponseAuthentication<\/code> option, and turn it on:<\/p>\n<pre># Change to yes to enable challenge-response passwords (beware issues with\n# some PAM modules and threads)\nChallengeResponseAuthentication yes<\/pre>\n<p>This enables 2FA; however, a valid SSH key is still sufficient on its own by default, so you\u2019ll have to fix that by adding the following line to the end of <code>sshd_config<\/code>:<\/p>\n<pre>AuthenticationMethods publickey,keyboard-interactive<\/pre>\n<p>This requires both a public key and \u201ckeyboard-interactive,\u201d which is the PAM-driven prompt that asks you for your two factor code.<\/p>\n<p>SSH is now configured, so you can restart <code>sshd<\/code> to apply these new settings:<\/p>\n<pre>sudo systemctl restart sshd.service<\/pre>\n<p>This won\u2019t close your open connection, so you should do any connection testing in a separate terminal tab. Open a new tab, and try to connect to your server. You should see a prompt asking for a verification code. Enter one from your phone, and if everything is linked properly, it should work. If it doesn\u2019t, you should still be able to access the account by leaving it blank.<\/p>\n<p>If everything works properly, and you\u2019ve double-checked that there are no issues with signing in, you can remove the \u201c<code>nullok<\/code>\u201d directive in <code>\/etc\/pam.d\/sshd<\/code> to make 2FA mandatory.<\/p>\n<p>If you lose access, you can still log in using the emergency codes given to you when you configured PAM, and the secret key should allow you to relink a TOTP app should yours become unlinked for any reason.<\/p>\n<h2 role=\"heading\" aria-level=\"2\"><span class=\"ez-toc-section\" id=\"Add_Access_for_Service_Accounts\"><\/span>Add Access for Service Accounts<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>If you have a service account that needs to access your server (for example, <code>rsync<\/code>), you must disable 2FA for that account. 
This is pretty easy to do; first, we\u2019ll make a new group to put service accounts in:<\/p>\n<pre>sudo groupadd service<\/pre>\n<p>Then create the user (if it doesn\u2019t already exist) and add it to that group:<\/p>\n<pre>sudo useradd &lt;username&gt;\nsudo usermod -a -G service &lt;username&gt;<\/pre>\n<p>Next, open up the PAM configuration at <code>\/etc\/pam.d\/sshd<\/code>, and add the following line above the <code>pam_google_authenticator.so<\/code> line, so that members of the group are approved before the 2FA module runs:<\/p>\n<pre>auth [success=done default=ignore] pam_succeed_if.so user ingroup service<\/pre>\n<p>Note that this does allow members of the <code>service<\/code> group to access your server without 2FA, but if the user isn\u2019t root it may not be a huge deal.<\/p>\n<\/div>\n<p><span style=\"color: black;\"><a style=\"color: #ff9900;\" href=\"https:\/\/www.cloudsavvyit.com\/1986\/how-to-enable-two-factor-for-ssh-logins\/\" target=\"_blank\" rel=\"noopener\">Source<\/a><\/span><\/p>\n","protected":false},"excerpt":{"rendered":"<p>&#8220;#How to Enable Two Factor for SSH Logins 
\u2013 CloudSavvy IT&#8221; Shutterstock\/TATSIANAMA If you really want to lock down your cloud server, you can enable two-factor authentication for SSH in the same way you would add it to your Gmail account, preventing anyone from gaining access if they\u2019ve stolen your SSH private key. Is This&#8230;<\/p>\n","protected":false},"author":1,"featured_media":364945,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"https:\/\/www.cloudsavvyit.com\/p\/uploads\/2019\/10\/c50db96f.png","fifu_image_alt":"","footnotes":""},"categories":[18],"tags":[],"class_list":["post-364944","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-technology"],"_links":{"self":[{"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/posts\/364944","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/comments?post=364944"}],"version-history":[{"count":0,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/posts\/364944\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/media\/364945"}],"wp:attachment":[{"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/media?parent=364944"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/categories?post=364944"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/tags?post=364944"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}