Securing Linux with Google Authenticator 2FA

Nowadays, securing your server against unauthorized access is more crucial than ever. One effective way to enhance security is by implementing Two-Factor Authentication (2FA). Google Authenticator, a popular 2FA tool, provides an additional layer of protection by requiring a time-based one-time password (TOTP) in addition to your usual login credentials. In this guide, we’ll walk you through the steps to set up Google 2FA on a Linux system, specifically for SSH access. By following these steps, you’ll bolster your server's defenses, making it much harder for intruders to gain unauthorized access. Let’s dive into the setup process and start securing your Linux environment with Google Authenticator.

Does Google OTP (One-Time Password) work offline?

Google OTP (One-Time Password) works offline. Once you’ve set up Google Authenticator and the QR code has been scanned, the app generates time-based codes based on the algorithm and the current time. These codes are produced on your phone independently of an internet connection, so you can use them even when you’re offline. However, keep in mind that you’ll need internet access initially to set up Google Authenticator and synchronize it with your server.

Let’s jump into the configuration

1. Install Google Authenticator

You need to install the Google Authenticator PAM module for SSH authentication.

Ubuntu/Debian:

sudo apt update
sudo apt-get install libpam-google-authenticator

Redhat/CentOS:

sudo yum install epel-release
sudo yum update
sudo yum install google-authenticator

2. Get Your QR Code

Generate a QR code to link your server with the Google Authenticator app on your phone. Make sure to log in with the user account you want to configure.

google-authenticator -t -f -d -w 3 -e 4 -r 10 -R 60

  • -t: Use TOTP verification
  • -f: Write configuration to ~/.google_authenticator
  • -d: Do not allow reuse of previously used tokens
  • -w 3: Allow a 3-token window
  • -e 4: Generate 4 emergency backup codes
  • -r 10 -R 60: Rate-limit to 10 logins every 60 seconds

Scan the QR code with your Google Authenticator app on your phone.


[Image: Scan QR code]
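To make the flags above and the "works offline" answer concrete, here is an added example written for this page (it is not the PAM module's own code): a pure-Python RFC 4226/6238 HOTP/TOTP implementation plus a small verifier that models what -w, -d, -e, -r and -R mean at login time. The secret is the base32 form of the RFC test key "12345678901234567890" (a constructed sample, in the same format the first line of ~/.google_authenticator uses); the verifier's in-memory state, window centring and rate-limit counting are simplifying assumptions, since the real module persists that state in the user's file.

```python
"""Model of the google-authenticator login check: RFC 6238 TOTP plus the
-w / -d / -e / -r / -R semantics. Added illustration, not the module's code."""
import base64
import hashlib
import hmac
import struct
import time
from collections import deque

# Constructed sample secret: base32 of the RFC 4226/6238 test key
# "12345678901234567890". google-authenticator stores the real secret
# as the first line of ~/.google_authenticator in this same base32 form.
SAMPLE_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def hotp(secret_b32: str, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamic truncation."""
    key = base64.b32decode(secret_b32.upper() + "=" * (-len(secret_b32) % 8))
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret_b32: str, at_time: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / 30 s). Only the
    secret and the clock are needed, which is why the phone app works offline."""
    return hotp(secret_b32, int(at_time) // step, digits)


class TotpVerifier:
    """Server-side check modelling the guide's flags (assumption: a simplified
    in-memory model; the real module persists state in ~/.google_authenticator):
      -w N       accept N adjacent codes around the current time step
      -d         never accept the code of a time step twice
      -e N       N single-use emergency scratch codes
      -r N -R S  at most N attempts per S seconds
    """

    def __init__(self, secret_b32, scratch_codes=(), window=3,
                 disallow_reuse=True, rate_limit=10, rate_seconds=60, step=30):
        self.secret = secret_b32
        self.scratch = set(scratch_codes)   # each one is consumed on use
        self.window = window
        self.disallow_reuse = disallow_reuse
        self.rate_limit = rate_limit
        self.rate_seconds = rate_seconds
        self.step = step
        self.used_steps = set()             # time steps whose code was accepted
        self.attempts = deque()             # timestamps of recent attempts

    def verify(self, code: str, now: float) -> str:
        """Return 'accepted', 'rate-limited', 'reused' or 'rejected'."""
        self.attempts.append(now)
        while self.attempts and self.attempts[0] <= now - self.rate_seconds:
            self.attempts.popleft()
        if len(self.attempts) > self.rate_limit:
            return "rate-limited"           # -r/-R: too many attempts in the window

        if code in self.scratch:            # -e: emergency code, valid once
            self.scratch.discard(code)
            return "accepted"

        current = int(now) // self.step
        # Window centred on the current step: for -w 3 that is previous,
        # current and next, which tolerates about 30 s of clock skew.
        for delta in range(-((self.window - 1) // 2), self.window // 2 + 1):
            step_no = current + delta
            if hmac.compare_digest(hotp(self.secret, step_no), code):
                if self.disallow_reuse and step_no in self.used_steps:
                    return "reused"         # -d: replay of an already-used code
                self.used_steps.add(step_no)
                return "accepted"
        return "rejected"


if __name__ == "__main__":
    v = TotpVerifier(SAMPLE_SECRET, scratch_codes={"12345678"})
    code = totp(SAMPLE_SECRET, time.time())
    print("current code:", code, "->", v.verify(code, time.time()))
    print("same code again ->", v.verify(code, time.time()))
```

Running the script prints the current code for the sample secret and shows the second use of the same code being refused, which is exactly the property -d buys you: an attacker who observes one code cannot replay it, and -r/-R keeps guessing the six digits infeasible within the window.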


3. Configure PAM and SSH

Update the PAM and SSH configurations to require Google OTP for authentication.

Edit PAM configuration:

Add the following line to /etc/pam.d/sshd:

auth required pam_google_authenticator.so

Update SSH configuration:

Edit /etc/ssh/sshd_config and ensure these lines are set:

ChallengeResponseAuthentication yes
KbdInteractiveAuthentication yes

Restart SSH service:

systemctl restart sshd
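Before restarting sshd it is worth checking the three files the procedure touches. The following added example (written for this page, not part of the google-authenticator project) parses sshd_config the way sshd itself does: keywords are case-insensitive, the first value given for a keyword wins (a later "yes" does not override an earlier "no"), and anything after a Match line is conditional rather than global. It also requires UsePAM yes, because without it sshd never runs the PAM stack that contains pam_google_authenticator.so, and it checks that the pam.d line is not commented out and that the secret file is owner-only. The sample configuration texts are constructed; the main block that reads the real files is an assumption about standard paths.

```python
"""Offline checker for the sshd_config, pam.d/sshd and ~/.google_authenticator
settings used in the guide. Added illustration, not project code."""
import os
import re
import stat

# Constructed sample files (not copied from any real host).
GOOD_SSHD = """\
# /etc/ssh/sshd_config (constructed sample)
UsePAM yes
ChallengeResponseAuthentication yes
KbdInteractiveAuthentication yes
"""
# First-value-wins trap: sshd ignores the "yes" on the second line.
TRAP_SSHD = """\
KbdInteractiveAuthentication no
KbdInteractiveAuthentication yes
UsePAM yes
"""
GOOD_PAM = """\
# /etc/pam.d/sshd (constructed sample)
@include common-auth
auth required pam_google_authenticator.so
"""
COMMENTED_PAM = "@include common-auth\n# auth required pam_google_authenticator.so\n"

PAM_OTP = re.compile(r"^\s*auth\s+(required|requisite)\s+pam_google_authenticator\.so\b")


def parse_sshd_config(text: str) -> dict:
    """Map lowercase keyword -> first global value, stopping at the first Match."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)
        key = parts[0].lower()
        value = parts[1].strip().lower() if len(parts) > 1 else ""
        if key == "match":
            break                      # everything below is conditional
        settings.setdefault(key, value)  # sshd keeps the FIRST value it sees
    return settings


def check_sshd(text: str) -> list:
    s = parse_sshd_config(text)
    findings = []
    # UsePAM defaults to no in OpenSSH itself (distributions usually ship yes).
    if s.get("usepam", "no") != "yes":
        findings.append("sshd_config: UsePAM must be yes for pam_google_authenticator.so to run")
    # Old and new spelling of the same keyword (the old name is an alias since
    # OpenSSH 8.7); the guide sets both, so each one present must be yes.
    for key in ("kbdinteractiveauthentication", "challengeresponseauthentication"):
        if s.get(key, "yes") != "yes":
            findings.append(f"sshd_config: {key} is '{s[key]}', must be yes (first value wins)")
    return findings


def check_pam(text: str) -> list:
    for raw in text.splitlines():
        if PAM_OTP.match(raw):
            return []
    return ["pam.d/sshd: no active 'auth required pam_google_authenticator.so' line"]


def check_secret_mode(mode: int) -> list:
    """The file holds the shared secret and scratch codes; group/other bits
    would let any local account generate valid codes for the user."""
    perm = stat.S_IMODE(mode)
    if perm & 0o077:
        return [f"~/.google_authenticator: mode {oct(perm)} allows group/other access"]
    return []


def check_otp_setup(sshd_text: str, pam_text: str, secret_mode: int = 0o600) -> list:
    """Combined report: an empty list means the three checks passed."""
    return check_sshd(sshd_text) + check_pam(pam_text) + check_secret_mode(secret_mode)


if __name__ == "__main__":
    # Assumed standard locations; run as root before restarting sshd.
    with open("/etc/ssh/sshd_config") as f, open("/etc/pam.d/sshd") as g:
        mode = os.stat(os.path.expanduser("~/.google_authenticator")).st_mode
        for finding in check_otp_setup(f.read(), g.read(), mode) or ["all checks passed"]:
            print(finding)
```

Keep your existing SSH session open while you restart sshd and test the new prompt from a second terminal; if the OTP step misbehaves you can still fix the configuration from the session that is already authenticated.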

Conclusion

By setting up Google 2FA on your Linux system, you add an extra layer of security to your SSH logins, making it significantly harder for unauthorized users to gain access. The process involves installing the necessary PAM module, generating a QR code, and configuring PAM and SSH to enforce OTP verification. With these steps, you'll ensure that only users with the correct authentication codes from their mobile devices can access your system. This added security measure helps safeguard your server against potential breaches and keeps your data more secure.


About the author:

Hi, I’m Farshad Nick (Farshad nickfetrat)



Ehsan Moghadas

Senior Network and System Administrator

2 months

Very informative

Muhamed Sadeq Rakhshani Moqadam

DevOps Engineer at Utravs.com | IT Professional with 12+ Years of Experience in Network & System Administration | IT Infrastructure Specialist

2 months

Very informative

Reza Asadi

DevOps Engineer| Azure

2 months

very practical and efficient

Alireza Akrami

Linux system admin |DevOps engineer | Docker | Kubernetes

2 months

Great
