How to enable two-factor authentication (2FA) for SSH in Linux?
This tutorial walks through setting up two-factor authentication for SSH on Linux. SSH is the protocol most administrators use for remote access to and management of Linux servers. It supports two authentication methods: password authentication and public key authentication. Public key authentication is the more secure of the two and is recommended for SSH access; if you still rely on password authentication, enabling two-factor authentication is highly recommended. Enabling 2FA for SSH means configuring the SSH server to require a second factor, such as a time-based one-time password (TOTP) generated by a mobile app or hardware token, in addition to the first.
The following are the steps to enable two-factor authentication for SSH on Linux:
1. (Optional) Create a temporary admin user
2. Synchronize the time
3. Install Google Authenticator
4. Install the Authenticator app on a mobile device
5. Add the Linux system to the Authenticator app
6. Configure two-factor authentication for SSH
7. Verify the two-factor authentication setup
8. (Optional) Enable two-factor authentication for public key authentication
9. Troubleshoot any issues
10. Conclude the setup process
Two-factor authentication (2FA) adds a layer of security to the login process by requiring a one-time code in addition to a username and password. The code is typically generated by an authenticator app on a mobile device. This guide uses Ubuntu Linux and the Google Authenticator app on a smartphone to generate a time-based one-time password (TOTP). The same process applies to other Linux distributions, and other authenticator apps can be used instead of Google Authenticator.
1. (Optional) Create a temporary admin user
This step is optional. Creating a temporary admin user prevents a permanent lockout if the 2FA setup goes wrong, particularly when SSH is the only way into the system. If you have another way to reach the system (such as a KVM console), you can skip it. If the system is in the cloud and SSH is the only option, creating a temporary admin user is highly recommended.
To create a temporary admin user, execute the following commands:
sudo adduser adminlalatendu
sudo usermod -aG sudo adminlalatendu
After confirming that the 2FA setup works, delete the temporary admin user so that it does not remain as an extra privileged account on the system.
2. Synchronize the time
Before enabling 2FA, the clocks on your Linux system and your mobile device must be synchronized: TOTP codes are derived from the current time, so both sides need to agree on it. A small difference of a few seconds (30 seconds or less) is usually acceptable.
The best way to keep the time synchronized is the Network Time Protocol (NTP). By default, Ubuntu uses timedatectl/timesyncd for time synchronization, and this guide keeps that default. To check whether the NTP service is enabled and the system clock is synchronized, run the timedatectl command.
If you observe "System clock synchronized: no" and "NTP service: inactive" on the screen, execute the following command:
sudo timedatectl set-ntp true
This command activates the NTP service and synchronizes the system clock. Afterwards, re-run timedatectl and confirm that the output matches the screenshot, showing the system clock as synchronized and the NTP service as active. Similarly, configure your mobile device to use network-provided time rather than a manually set time.
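To see why the clocks matter, here is an added example (not part of the original tutorial) that computes RFC 6238 TOTP codes the way an authenticator app does and checks them with the small skew window a server-side TOTP verifier typically allows. The secret is the RFC 6238 test key, encoded in base32 as an enrolment key would be; the skew values are constructed for the demonstration.

```python
import base64
import hashlib
import hmac
import struct

STEP = 30     # TOTP time step in seconds (the Google Authenticator default)
DIGITS = 6    # code length shown by the app

# RFC 6238 test secret "12345678901234567890", base32-encoded as an app would receive it.
DEMO_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def totp(secret_b32: str, unix_time: int, step: int = STEP, digits: int = DIGITS) -> str:
    """HOTP (RFC 4226) over the counter floor(unix_time / step), i.e. TOTP (RFC 6238)."""
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)
    key = base64.b32decode(padded)
    counter = unix_time // step
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                       # dynamic truncation offset
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def verify(secret_b32: str, code: str, server_time: int, window: int = 1) -> bool:
    """Accept the code if it matches the current step or one within +/-window
    steps, mirroring the modest clock-drift tolerance of a PAM TOTP module."""
    return any(
        hmac.compare_digest(totp(secret_b32, server_time + k * STEP), code)
        for k in range(-window, window + 1)
    )


def skew_outcomes(secret_b32: str, phone_time: int, skews) -> dict:
    """For each server clock skew in seconds (constructed values), report whether
    the code the phone shows at phone_time is accepted by the server."""
    code = totp(secret_b32, phone_time)
    return {s: verify(secret_b32, code, phone_time + s) for s in skews}


if __name__ == "__main__":
    now = 1111111109   # one of the RFC 6238 reference timestamps
    print("code shown on phone:", totp(DEMO_SECRET, now))
    for skew, ok in skew_outcomes(DEMO_SECRET, now, [0, 29, -45, 61, -90]).items():
        print(f"server clock off by {skew:+d}s -> {'accepted' if ok else 'rejected'}")
```

A skew of a few tens of seconds still falls inside the one-step window, while a clock that is a minute or more out produces codes the server never matches, which is the lockout the time-synchronization step prevents.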