Otto  background

Linux Hack of the Week #9: Using Google Authenticator for 2FA

Connect With Us

Start now, and patch, configure, and control all your endpoints in just 15 minutes.

The implementation of two-factor authentication (2FA) is one of the simplest ways to make a huge improvement in the security of your systems. There are a number of ways to implement it such as email, text messages, and applications. Google has done a great job of creating a two-factor authentication app that can be integrated into a number of different applications.

In this week’s hack, I’ll lay out the steps needed to configure 2FA for use with SSH on Linux servers. Google provides a module to use with the Linux Pluggable Authentication Module (PAM) framework.

Google Authenticator app installation

First, you will want to install the Google Authenticator app on your mobile device. This can be found in the app store on your device:

For this demo, I am using Fedora 28. With any luck, all of these steps should work on Red Hat, CentOS, and Fedora. To install the module run:

[joe@fedora28 ~]$ sudo dnf install google-authenticator

Next, configure the application by running google-authenticator:

It will print a QR code out on the console to scan with the mobile application. You can also manually enter the codes printed out, but I find scanning always works.

Update PAM and configuration

Now, you will need to update PAM to require 2FA for ssh connections. Edit the file /etc/pam/sshd:

[joe@fedora28 ~]$ vi /etc/pam.d/sshd

 

Add the option:

auth       required  pam_google_authenticator.so nullok

 

What the option nullok does is allow users without 2FA to login and create their QR code and initialize the Google Authenticator app. Once all users have configured the app, remove nullok:

Next, edit /etc/ssh/sshd_config and change the option ChallengeResponseAuthentication from no to yes:

Now, restart sshd and try to connect, it will prompt you for a verification code. This is a six digit code found in the Google Authenticator app:

[joe@fedora28 ~]$ sudo service sshd restart

[joe@fedora28 ~]$ ssh you@localhost

 

The 2FA takeaway

With that simple configuration change, you have now added significant improvements in security to your Linux hosts. Did you know that the Automox console supports 2FA? It is as simple as turning on the option in the UI. Check out this blog post for a quick walkthrough of the two different types of 2FA Automox supports.


Automox for Easy IT Operations

Automox is the cloud-native IT operations platform for modern organizations. It makes it easy to keep every endpoint automatically configured, patched, and secured – anywhere in the world. With the push of a button, IT admins can fix critical vulnerabilities faster, slash cost and complexity, and win back hours in their day. 

Grab your free trial of Automox and join thousands of companies transforming IT operations into a strategic business driver.

Dive deeper into this topic

loading...