Using two-factor authentication with Ubuntu

 

Over time, traditional username and password authentication has proven insufficient to provide robust security for applications and systems. Usernames and passwords can be easily cracked with numerous hacking tools, leaving your system vulnerable to breaches. For this reason, any company or enterprise that takes security seriously must implement 2-factor authentication.

Commonly known as MFA (Multi-factor authentication), 2-factor authentication provides an additional level of security that requires users to provide certain details, such as a code or OTP (One-time password), before or after authenticating with the regular username and password.

Today, several companies such as Google, Facebook, Twitter and AWS, to mention a few, give users the option of setting up MFA to further protect their accounts.

In this guide, we will show you how to use two-factor authentication with Ubuntu.

Step 1: Install the Google PAM package

First, install the Google PAM package. PAM, an abbreviation of Pluggable Authentication Module, is a mechanism that provides an extra level of authentication on the Linux platform.

 

The package is hosted in the Ubuntu archive, so go ahead and install it with the apt command as follows:

$ sudo apt install libpam-google-authenticator

When prompted, type 'Y' and press ENTER to continue the installation.

Install Google PAM on Ubuntu

Step 2: Install Google Authenticator on your smartphone

In addition, you must install the Google Authenticator app on your tablet or smartphone. The app will show you a 6-digit OTP code that is automatically renewed every 30 seconds.

Google Authenticator

Step 3: Configure Google PAM in Ubuntu

With the Google Authenticator application in place, we will go ahead and configure the Google PAM package on Ubuntu by editing the /etc/pam.d/common-auth file as shown.

$ sudo vim /etc/pam.d/common-auth

Paste the line below into the file as shown.

auth required pam_google_authenticator.so
Configure PAM in Ubuntu

Save the file and exit.

Now run the following command to initialize PAM.

$ google-authenticator

This brings up a few questions on the terminal screen. First, you will be asked if you want the authentication tokens to be time-based.

Time-based authentication tokens expire after a certain period of time. By default, this is after 30 seconds, at which point a new token is created. These tokens are considered more secure than non-time-based tokens, so type 'y' for yes and hit ENTER.

Set up Google Authenticator

Next, a QR code is displayed on the terminal, and just below it some information is displayed. The information displayed includes:

  • The secret key
  • Verification code
  • Emergency scratch codes

You will need to save this information in a vault for later use. The emergency scratch codes are very useful if the authentication device is lost. If something happens to your authentication device, use the codes.

Start the Google Authenticator application on your smart device and select 'Scan the QR code' to scan the displayed QR code.

Scan the QR code

NOTE: You need to maximize the terminal window to scan the entire QR code. Once the QR code is scanned, the application displays a six-digit OTP that changes every 30 seconds.

QR codes

Then select 'y' to update the Google Authenticator file in your home folder.

At the next prompt, restrict logins to only one login every 30 seconds in order to prevent attacks that may arise from man-in-the-middle attacks. So choose 'y'.

Update Google Authenticator-File

At the next prompt, type 'n' to disallow extending the time skew permitted between server and client. This is the safer option unless you have difficulty synchronizing times.

And finally, enable rate limiting, allowing only 3 login attempts.

Enable rate limiting
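
What the time-based, single-use and time-skew answers above mean on the server side, sketched in Python as an added example (it is not code from libpam-google-authenticator or from the original article). The `Verifier` class and its parameter names are illustrative, the secret is the published RFC 6238 test key rather than a real one, and `window=1` stands for accepting one code before and one after the current 30-second step.

```python
import base64
import hashlib
import hmac
import struct

STEP = 30  # seconds each code is valid for, as in the prompts above

def hotp(secret_b32, counter, digits=6):
    """RFC 4226 code for one counter value (HMAC-SHA1, dynamic truncation)."""
    key = base64.b32decode(secret_b32, casefold=True)
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

class Verifier:
    def __init__(self, secret_b32, window=1, disallow_reuse=True):
        self.secret = secret_b32
        self.window = window              # time steps accepted before/after now
        self.disallow_reuse = disallow_reuse
        self.used = set()                 # time steps whose code was already accepted

    def verify(self, code, now):
        current = int(now) // STEP
        first = max(0, current - self.window)
        for step in range(first, current + self.window + 1):
            if hmac.compare_digest(hotp(self.secret, step), code):
                if self.disallow_reuse and step in self.used:
                    return False          # replay of a code that already logged in
                self.used.add(step)
                return True
        return False

# Constructed secret: the RFC 6238 test key "12345678901234567890" in base32.
SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"

if __name__ == "__main__":
    server = Verifier(SECRET)
    print("code at t=59:", hotp(SECRET, 59 // STEP))
    print("first use   :", server.verify("287082", now=59))
    print("replayed    :", server.verify("287082", now=61))
    print("skewed clock:", server.verify("755224", now=59))
```

A wider window tolerates more clock drift but also keeps an observed code usable for longer, which is why the guide answers 'n' to extending it.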

At this point, we have completed setting up the 2-factor authentication feature. In fact, if you run any sudo command, you will be asked to enter a verification code, which you can get from the Google Authenticator app.

Confirm Google Authentication

You can confirm this further by restarting; when you get to the login screen, you will be asked to enter a verification code.

Ubuntu Google Authentication Login

Once you have entered the code from Google Authenticator, just enter your password to access the system.

Ubuntu login password

Step 4: Integrate SSH with Google Authenticator

If you plan to use SSH with the Google PAM module, you need to integrate the two. You can achieve this in two ways.

SSH password authentication

To enable SSH password authentication for a regular user, first open the default SSH configuration file.

$ sudo vim /etc/ssh/sshd_config

And set the following attributes to 'yes' as shown.

Enable SSH password authentication

For the root user, set the 'PermitRootLogin' attribute to 'yes'.

PermitRootLogin yes
Allow root login

Save the file and exit.

Next, edit the PAM rule for SSH.

$ sudo vim /etc/pam.d/sshd

Then paste the following line.

auth   required   pam_google_authenticator.so
SSH PAM authentication

Finally, restart the SSH service for the changes to take effect.

$ sudo systemctl restart ssh

In the example below, we log in to the Ubuntu system from a PuTTY client.

Ubuntu SSH login

For SSH public key authentication

If you use public key authentication, repeat the steps above and add the line shown below at the bottom of the /etc/ssh/sshd_config file.

AuthenticationMethods publickey,keyboard-interactive

Once again, edit the PAM rule for the SSH daemon.

$ sudo vim /etc/pam.d/sshd

Then add the following line.

auth   required   pam_google_authenticator.so
SSH public key authentication

Save the file and restart the SSH service as we saw earlier.

$ sudo systemctl restart ssh
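
A check that the two files edited in Step 4 really force the verification code, as an added example that is not part of the original article. It assumes plain-text copies of sshd_config and /etc/pam.d/sshd; the sample files are constructed, and the keywords UsePAM, KbdInteractiveAuthentication (older alias ChallengeResponseAuthentication), PubkeyAuthentication and the module option nullok are real but are not named on this page.

```python
import re

def sshd_settings(text):
    """Parse sshd_config text; as in sshd, the first value seen for a keyword wins."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = re.sub(r"[\s=]+", " ", line, count=1).partition(" ")
        if key.lower() == "match":        # per-user Match blocks are out of scope
            break
        settings.setdefault(key.lower(), value.strip().lower())
    return settings

def otp_line_problems(pam_text):
    """Look for the auth line this guide adds to /etc/pam.d/sshd."""
    for raw in pam_text.splitlines():
        f = raw.split("#", 1)[0].split()
        if len(f) >= 3 and f[0] == "auth" and f[2] == "pam_google_authenticator.so":
            if f[1] not in ("required", "requisite"):
                return ["control is '%s': a wrong code does not fail the login" % f[1]]
            if "nullok" in f[3:]:
                return ["nullok: users without a secret file are not asked for a code"]
            return []
    return ["no auth line for pam_google_authenticator.so"]

def audit(sshd_text, pam_text):
    s = sshd_settings(sshd_text)
    findings = []
    if s.get("usepam") != "yes":
        findings.append("UsePAM is not yes: sshd does not use the PAM auth stack")
    kbd = s.get("kbdinteractiveauthentication") or s.get("challengeresponseauthentication", "yes")
    if kbd != "yes":
        findings.append("keyboard-interactive is off: sshd cannot prompt for the code")
    methods = [m.split(",") for m in s.get("authenticationmethods", "any").split()]
    if s.get("pubkeyauthentication", "yes") == "yes" and (
            ["any"] in methods or ["publickey"] in methods):
        findings.append("a key alone is accepted: publickey logins skip the PAM auth stack")
    return findings + otp_line_problems(pam_text)

# Constructed samples: a host before this guide, and after the public-key variant.
BEFORE_SSHD = "UsePAM yes\nKbdInteractiveAuthentication no\nPasswordAuthentication yes\n"
AFTER_SSHD = ("UsePAM yes\nKbdInteractiveAuthentication yes\n"
              "AuthenticationMethods publickey,keyboard-interactive\n")
BEFORE_PAM = "@include common-auth\n"
AFTER_PAM = BEFORE_PAM + "auth   required   pam_google_authenticator.so\n"

if __name__ == "__main__":
    print(audit(BEFORE_SSHD, BEFORE_PAM), audit(AFTER_SSHD, AFTER_PAM))
```

The parser does not follow Include directives, so on a live host feed it the output of `sudo sshd -T`, which prints the effective settings in the same keyword/value form.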

And this brings us to the end of this article. We are happy to hear how it went.
