Securing your Linux servers is more critical than ever, and one of the simplest ways to dramatically improve login security is by enabling Multi-Factor Authentication (MFA). This guide walks you through setting up MFA on a fresh Ubuntu 24.04 installation using Google Authenticator, ensuring your SSH access is protected against unauthorized access.
What is Multi-Factor Authentication (MFA)?
Multi-Factor Authentication (MFA) adds a critical layer of security to the login process by requiring users to provide an additional verification factor beyond just a password. Typically, this involves a Time-based One-Time Password (TOTP) generated by an app such as Google Authenticator or Microsoft Authenticator on a personal device.
The server and the authenticator app share a secret key and generate synchronized time-based tokens. When a user attempts to log in, the system prompts for a token generated by the authenticator app, ensuring that only someone with both the correct password (or SSH key) and the physical device can gain access.
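The paragraph above describes the mechanism; the following Python is an added example that is not part of the original guide and not the source of the pam_google_authenticator module. It computes RFC 6238 TOTP codes from a base32 secret (the format stored in ~/.google_authenticator) and shows the two server-side safeguards the setup tool asks about later: a small clock-skew window and refusal to accept the same code twice. The secret is a constructed value, the base32 form of the RFC 6238 SHA-1 test key, so the expected codes are the RFC's published ones.

```python
import base64
import hashlib
import hmac
import struct

# Constructed secret: the base32 form of the RFC 6238 SHA-1 test key
# "12345678901234567890". Real secrets live in ~/.google_authenticator and
# must never be shared; this one exists only so the example is checkable.
EXAMPLE_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"

TIME_STEP = 30  # seconds per token; the google-authenticator default
DIGITS = 6      # length of the code shown in the app


def totp(secret_b32: str, unix_time: int, step: int = TIME_STEP, digits: int = DIGITS) -> str:
    """RFC 6238 TOTP: HOTP (RFC 4226) over the time-step counter."""
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)
    key = base64.b32decode(padded)
    counter = unix_time // step                      # T = floor(now / X)
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                       # dynamic truncation
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


class TotpVerifier:
    """Server-side check with a skew window of +/- `window` steps and
    replay protection (a code is accepted at most once)."""

    def __init__(self, secret_b32: str, window: int = 1):
        self.secret = secret_b32
        self.window = window
        self.used_counters: set[int] = set()

    def verify(self, submitted: str, unix_time: int) -> bool:
        if not (submitted.isdigit() and len(submitted) == DIGITS):
            return False
        current = unix_time // TIME_STEP
        for counter in range(current - self.window, current + self.window + 1):
            expected = totp(self.secret, counter * TIME_STEP)
            # constant-time compare so timing does not leak matching prefixes
            if hmac.compare_digest(expected, submitted):
                if counter in self.used_counters:
                    return False                     # replay of an already-used code
                self.used_counters.add(counter)
                return True
        return False


if __name__ == "__main__":
    # The phone and the server compute the same code from the shared secret;
    # the second submission of the same code is rejected as a replay.
    t = 59
    code = totp(EXAMPLE_SECRET_B32, t)
    server = TotpVerifier(EXAMPLE_SECRET_B32)
    print(code, server.verify(code, t), server.verify(code, t))  # 287082 True False
```

The window of one step either side is what the setup prompt calls the default time-skew allowance; widening it makes guessing easier, so only do that if NTP on the server is unreliable.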
My personal journey with MFA began over 25 years ago, when dedicated hardware tokens were required to securely access corporate VPNs from home. Today, MFA is an essential security measure used across industries, from protecting work accounts to securing personal banking applications.
Why Use MFA for SSH?
A Brief History of Authentication
In the early days of computing, password-based authentication was considered sufficient. This was mainly because the computing power required to crack passwords through brute-force or dictionary attacks was expensive and not widely available.
As technology progressed and computing resources became more powerful and accessible, these attacks became both practical and increasingly common. This evolution exposed the inherent weaknesses of password-only security.
To address this, token-based authentication systems emerged in the mid-1980s. These early systems required users to possess a physical device that generated time-sensitive codes, an early form of what we now recognize as Multi-Factor Authentication (MFA).
Why MFA Makes Sense for SSH Today
Modern security best practices strongly recommend implementing MFA to protect critical systems like Linux servers accessed over SSH. Fortunately, integrating MFA with SSH is both simple and highly effective.
- Flexible Authentication Options: Combine MFA with either password-based authentication, SSH key-based authentication, or both.
- User-Specific Policies: sshd's Match blocks let you apply different authentication methods to different users or groups based on their needs.
- Stronger Security: Even if a password or SSH key is compromised, an attacker still cannot log in without the second factor.
Implementing MFA on SSH should be considered a baseline security standard, not just an optional enhancement.
Setting Up MFA for SSH on Ubuntu
This guide assumes you are starting with a fresh Ubuntu 24.04 installation and have already configured SSH key-based authentication.
Step 1: Install Google Authenticator
First, ensure your system is up to date and install the Google Authenticator PAM module.
# Update and upgrade the system
sudo apt update && sudo apt upgrade -y
# Install Google Authenticator PAM module
sudo apt install libpam-google-authenticator -y
Step 2: Link User Accounts to the Authenticator App
Next, log in as the user account you want to secure with MFA and run the Google Authenticator setup:
google-authenticator
Follow the prompts to complete the setup:
- Answer yes to time-based tokens; this selects TOTP, which is what the authenticator apps generate.
- A QR code and the secret key will be displayed. Scan the QR code with an authenticator app (Google Authenticator, Microsoft Authenticator, etc.) on your mobile device. Treat the secret like a password; anyone who has it can generate valid codes.
- The app will start generating time-based one-time passwords (TOTPs).
- Emergency scratch codes will also be printed. Store them securely and offline; each one works exactly once and is your way back in if you lose the device.
- Answer yes to updating your ~/.google_authenticator file; the secret and the scratch codes are saved there with permissions that restrict it to your user.
- The remaining prompts are worth accepting with their defaults: disallowing reuse of a token blocks replay of a code an attacker has observed, the default skew window (one token before and after the current one) covers normal clock drift, and rate limiting slows down guessing.
Step 3: Configure SSH to Use MFA
Now, update your SSH and PAM configurations to enforce MFA.
1. Edit PAM Configuration
Open the PAM configuration for SSH:
sudo nano /etc/pam.d/sshd
Add the following line, after the @include common-auth line, to enable Google Authenticator:
# Google Authenticator MFA
auth required pam_google_authenticator.so
To stop PAM from also prompting for the Unix password (which would otherwise turn the login into key + password + code), comment out the @include common-auth line so that it reads:
# @include common-auth
Without common-auth, the keyboard-interactive step asks only for the verification code. Note that a user who has not yet run google-authenticator has no ~/.google_authenticator file and will be refused; that is the intended behaviour for a server you are locking down (the module's nullok option would let such users skip the code, which defeats the purpose).
Note:
PAM (Pluggable Authentication Modules) is a flexible framework used on Linux systems to integrate various authentication methods. It allows services like SSH to support additional authentication mechanisms, including MFA.
2. Edit SSH Daemon Configuration
Open the SSH daemon configuration file:
sudo nano /etc/ssh/sshd_config
Update the following parameters to enforce MFA with public key authentication:
# Require public key and MFA
AuthenticationMethods publickey,keyboard-interactive
# Enable public key authentication
PubkeyAuthentication yes
# Enable PAM for MFA
UsePAM yes
# Allow the PAM prompt over keyboard-interactive
# (ChallengeResponseAuthentication is the deprecated old name for this option)
KbdInteractiveAuthentication yes
# Disable password-based authentication
PasswordAuthentication no
Two details matter on Ubuntu 24.04. First, the stock sshd_config already contains KbdInteractiveAuthentication no, and sshd keeps the first value it reads for an option (the old and new names count as the same option), so edit that existing line rather than adding a second one further down. Second, the file starts with Include /etc/ssh/sshd_config.d/*.conf, so any drop-in file in that directory is read before the rest of sshd_config and takes precedence; putting these settings in their own drop-in file is a clean way to keep them ahead of everything else, including other drop-ins that may re-enable passwords.
Finally, check the configuration for syntax errors, then restart the SSH service to apply the changes:
sudo sshd -t
sudo systemctl restart ssh
You can confirm which values sshd actually applied with sudo sshd -T, which prints the effective configuration after all includes have been resolved.
Tip:
Keep your current SSH session open and test the new configuration in a separate terminal. This ensures that if there's a misconfiguration, you won't be locked out of the server.
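To make the first-value-wins and Include behaviour from the sshd_config step concrete, here is an added Python checker; it is my example, not part of this guide or of OpenSSH. It resolves a set of in-memory config files the way sshd reads them (expand Include globs in lexical order, keep the first value of each option, treat ChallengeResponseAuthentication as an alias of KbdInteractiveAuthentication, stop at the first Match block) and then reports anything that would stop key + TOTP enforcement. The file contents are constructed to mirror the relevant lines of a stock Ubuntu 24.04 sshd_config; the drop-in names 10-mfa.conf and 50-cloud-init.conf are assumptions, the latter standing in for the kind of drop-in cloud-init writes on some images.

```python
import fnmatch
import re

# OpenSSH treats these keywords as one option, so the first occurrence of EITHER
# name wins (the old name is a deprecated alias since OpenSSH 8.7).
ALIASES = {"challengeresponseauthentication": "kbdinteractiveauthentication"}

# OpenSSH defaults for options that may be absent from the files.
DEFAULTS = {
    "pubkeyauthentication": "yes",
    "kbdinteractiveauthentication": "yes",
    "passwordauthentication": "yes",
    "usepam": "no",
    "authenticationmethods": "any",
}

# Constructed in-memory "filesystem" so the example runs offline.
STOCK = (
    "Include /etc/ssh/sshd_config.d/*.conf\n"
    "#PubkeyAuthentication yes\n"
    "#PasswordAuthentication yes\n"
    "KbdInteractiveAuthentication no\n"
    "UsePAM yes\n"
)
GUIDE_LINES = (
    "AuthenticationMethods publickey,keyboard-interactive\n"
    "PubkeyAuthentication yes\n"
    "ChallengeResponseAuthentication yes\n"
    "PasswordAuthentication no\n"
)
CLOUD_INIT = "PasswordAuthentication yes\n"   # hypothetical drop-in that re-enables passwords

# Weak layout: the guide's lines simply appended at the bottom of sshd_config.
APPENDED = {
    "/etc/ssh/sshd_config": STOCK + "# added by following the guide\n" + GUIDE_LINES,
    "/etc/ssh/sshd_config.d/50-cloud-init.conf": CLOUD_INIT,
}
# Corrected layout: the same settings in a drop-in that sorts before every other file.
DROPIN = {
    "/etc/ssh/sshd_config": STOCK,
    "/etc/ssh/sshd_config.d/10-mfa.conf": GUIDE_LINES.replace(
        "ChallengeResponseAuthentication", "KbdInteractiveAuthentication"),
    "/etc/ssh/sshd_config.d/50-cloud-init.conf": CLOUD_INIT,
}


def effective_config(files, start="/etc/ssh/sshd_config", seen=None):
    """Resolve the global (pre-Match) settings the way sshd does: walk the file,
    expand Include globs in lexical order, and keep the FIRST value of each key."""
    seen = {} if seen is None else seen
    for raw in files[start].splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[ \t=]+", line, maxsplit=1)
        key = ALIASES.get(parts[0].lower(), parts[0].lower())
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            break                      # everything after Match is conditional; stop here
        if key == "include":
            for pattern in value.split():
                for path in sorted(p for p in files if fnmatch.fnmatch(p, pattern)):
                    effective_config(files, path, seen)
            continue
        seen.setdefault(key, value)    # first value wins; later ones are ignored
    return seen


def check_mfa(effective):
    """Return the list of problems that would stop key + TOTP enforcement."""
    wanted = {
        "usepam": "yes",
        "kbdinteractiveauthentication": "yes",
        "pubkeyauthentication": "yes",
        "passwordauthentication": "no",
        "authenticationmethods": "publickey,keyboard-interactive",
    }
    problems = []
    for key, want in wanted.items():
        got = effective.get(key, DEFAULTS[key])
        if got.lower() != want:
            problems.append(f"{key} is {got!r}, expected {want!r}")
    return problems


if __name__ == "__main__":
    print("appended :", check_mfa(effective_config(APPENDED)))
    print("drop-in  :", check_mfa(effective_config(DROPIN)))
```

On the appended layout the checker flags two things: KbdInteractiveAuthentication stays no because the stock line is read first and the ChallengeResponseAuthentication alias below it is ignored, and PasswordAuthentication stays yes because the Include at the top of the file pulled in the cloud-init drop-in before the guide's line. On a live system the authoritative equivalent of this checker is sudo sshd -T, which prints exactly the values sshd resolved.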
Final Thoughts
Enabling MFA for SSH is one of the easiest and most effective ways to harden your server against unauthorized access. With minimal configuration changes, you can significantly improve your security posture by requiring an SSH key (or password) plus something the user has (the device generating the one-time codes), so that the loss of either one on its own does not hand an attacker a shell.
In today's threat landscape, enabling MFA is no longer just a best practice; it's a necessity.
New to SSH Security? Start Here!
Kick off your SSH hardening journey with Your First Steps to a Hardened SSH Server. Learn why securing sshd_config is critical and how to avoid common security pitfalls.
Drop a comment or reach out; we're here to help. For more content like this, tools, and walkthroughs, visit my site at Sebos Technology.