T

he implementation of two-factor authentication (2FA) is one of the simplest ways to make a huge improvement in the security of your systems. There are a number of ways to implement it such as email, text messages, and applications. Google has done a great job of creating a two-factor authentication app that can be integrated into a number of different applications.

In this week’s hack, I’ll lay out the steps needed to configure 2FA for use with SSH on Linux servers. Google provides a module to use with the Linux Pluggable Authentication Module (PAM) framework.

Installation

First, you will want to install the Google Authenticator app on your mobile device. This can be found in the app store on your device:

For this demo, I am using Fedora 28. With any luck, all of these steps should work on Red Hat, CentOS, and Fedora. To install the module run:

[joe@fedora28 ~]$ sudo dnf install google-authenticator

Next, configure the application by running google-authenticator:

It will print a QR code out on the console to scan with the mobile application. You can also manually enter the codes printed out, but I find scanning always works.

Configuration

Now, you will need to update PAM to require 2FA for ssh connections. Edit the file /etc/pam/sshd:

[joe@fedora28 ~]$ vi /etc/pam.d/sshd
 

Add the option:

auth       required  pam_google_authenticator.so nullok
 

What the option nullok does is allow users without 2FA to login and create their QR code and initialize the Google Authenticator app. Once all users have configured the app, remove nullok:

Next, edit /etc/ssh/sshd_config and change the option ChallengeResponseAuthentication from no to yes:

Now, restart sshd and try to connect, it will prompt you for a verification code. This is a six digit code found in the Google Authenticator app:

[joe@fedora28 ~]$ sudo service sshd restart
[joe@fedora28 ~]$ ssh you@localhost
 

Conclusion

With that simple configuration change, you have now added significant improvements in security to your Linux hosts. Did you know that the Automox console supports 2FA? It is as simple as turning on the option in the UI. Check out this blog post for a quick walkthrough of the two different types of 2FA Automox supports. As always, if you have any questions feel free to reach out: support@automox.com.

About Automox

Facing growing threats and a rapidly expanding attack surface, understaffed and alert-fatigued organizations need more efficient ways to eliminate their exposure to vulnerabilities. Automox is a modern cyber hygiene platform that closes the aperture of attack by more than 80% with just half the effort of traditional solutions.

Cloud-native and globally available, Automox enforces OS & third-party patch management, security configurations, and custom scripting across Windows, Mac, and Linux from a single intuitive console. IT and SecOps can quickly gain control and share visibility of on-prem, remote and virtual endpoints without the need to deploy costly infrastructure.

Experience modern, cloud-native patch management today with a 15-day free trial of Automox and start recapturing more than half the time you're currently spending on managing your attack surface. Automox dramatically reduces corporate risk while raising operational efficiency to deliver best-in-class security outcomes, faster and with fewer resources.

More posts like this:

Linux
# of endpoints

15-day free trial. No credit card required.

By submitting this form you agree to our terms of service.

Already have an account?