{"id":2204,"date":"2024-01-04T14:02:40","date_gmt":"2024-01-04T08:32:40","guid":{"rendered":"https:\/\/www.veeble.org\/kb\/?p=2204"},"modified":"2025-03-10T10:48:33","modified_gmt":"2025-03-10T05:18:33","slug":"setting-up-google-2fa-for-openssh","status":"publish","type":"post","link":"https:\/\/www.veeble.com\/kb\/setting-up-google-2fa-for-openssh\/","title":{"rendered":"Setting up Google 2 Factor Authentication for\u00a0OpenSSH"},"content":{"rendered":"\n
\"Setting<\/a><\/figure>\n\n\n\n

In the ever-evolving landscape of cybersecurity<\/a>, we face a constant challenge to fortify systems against potential threats. One pivotal aspect of this defense is the implementation of Two-Factor Authentication (2FA)<\/a> for OpenSSH, an essential tool for securing remote access to servers<\/a>. In this article, I will share my journey of setting up Google 2FA for OpenSSH<\/a>, detailing the steps and considerations involved. By incorporating this additional layer of authentication, we can significantly enhance the security posture of our server infrastructure.<\/p>\n\n\n

1. Install the Google authenticator<\/h4>\n\n\n

The very first step is installing the Google Authenticator<\/a> on the server. For this install the ‘libpam-google-authenticator’ package to enable the Google Authenticator PAM module.<\/p>\n\n\n\n

root@ervintest:~# apt-get install openssh-server libpam-google-authenticator<\/code><\/pre>\n\n\n
2: Configure OpenSSH<\/h4>\n\n\n
Edit the SSH daemon configuration file to enable PAM <\/a>authentication. Open the ‘\/etc\/ssh\/sshd_config’ file with your preferred text editor.<\/p>\n\n\n\n
root@ervintest:~# vi \/etc\/ssh\/sshd_config<\/code><\/pre>\n\n\n\n
Ensure the following lines are uncommented:<\/p>\n\n\n\n
ChallengeResponseAuthentication yes<\/code><\/pre>\n\n\n\n
Save and close the file, then restart the SSH service:<\/p>\n\n\n\n
root@ervintest:~# service ssh restart<\/code><\/pre>\n\n\n
3: Configure Google Authenticator<\/h4>\n\n\n
Run the following command to configure the Google Authenticator for your user account:<\/p>\n\n\n\n
root@ervintest:~# google-authenticator<\/code><\/pre>\n\n\n\n
Follow the on-screen instructions to set up 2FA. This process includes scanning a QR code with the Google Authenticator app on your mobile device.<\/p>\n\n\n\n
\"\"<\/a><\/figure>\n\n\n\n
You will see a secret key and numerous “emergency scratch codes” when you use Google Authenticator. If your secret key is lost, you can only use emergency codes once, so make sure you write them down and save them somewhere safe.<\/p>\n\n\n
4: Adjust PAM Configuration<\/h4>\n\n\n
Edit the ‘\/etc\/pam.d\/sshd’ file to include Google Authenticator. Open the file with your text editor:<\/p>\n\n\n\n
root@ervintest:~# vi \/etc\/pam.d\/sshd<\/code><\/pre>\n\n\n\n
Add the following line at the top:<\/p>\n\n\n\n
auth required pam_google_authenticator.so<\/a><\/code><\/pre>\n\n\n\n
Save and close the file.<\/p>\n\n\n
5: Restart SSH Service<\/h4>\n\n\n
 Restart the SSH service once again to apply the changes:<\/p>\n\n\n\n
root@ervintest:~# service ssh restart<\/code><\/pre>\n\n\n
6.  Using Google Authenticator app<\/h4>\n\n\n
Utilize the Google Authenticator app<\/a> on your iPhone, Android, or Blackberry device to enter a secret key and generate a verification code. Also to complete it, in the Google Authenticator app, you can scan the bar code  found on the url in the above image<\/a><\/p>\n\n\n
7. Testing Two-Factor Authentication<\/h4>\n\n\n
After setting up two-factor authentication for OpenSSH, you can test it by trying to access your server from a remote computer. You will also be asked for a verification token from the Google Authenticator app on your mobile device along with your password.<\/p>\n\n\n\n
\"\"<\/a><\/figure>\n\n\n\n
\n
<\/p>\nCongratulations! You have successfully configured Google 2FA for OpenSSH on your server. This additional layer of security significantly enhances the protection of your system, ensuring that only authorized users with both a password and a time-based one-time password (TOTP) from the Google Authenticator app can access the server. Stay secure!<\/cite><\/blockquote>\n\n\n\n
<\/div>\n\n\n\n
Deploy Faster, Optimize Costs \u2013 AWS Hosting Simplified by Veeble!<\/h3>
Maximize ROI with hassle-free AWS hosting. We optimize costs, ensure compliance, and provide round-the-clock support\u2014so you can scale confidently without technical headaches.<\/p><\/div>
Choose Your Plan<\/path><\/svg><\/a><\/div><\/div>\n","protected":false},"excerpt":{"rendered":"
In the ever-evolving landscape of cybersecurity, we face a constant challenge to fortify systems against potential threats. One pivotal aspect of this defense is […]<\/p>\n","protected":false},"author":9,"featured_media":7964,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_uag_custom_page_level_css":"","site-sidebar-layout":"default","site-content-layout":"","ast-site-content-layout":"default","site-content-style":"default","site-sidebar-style":"default","ast-global-header-display":"","ast-banner-title-visibility":"","ast-main-header-display":"","ast-hfb-above-header-display":"","ast-hfb-below-header-display":"","ast-hfb-mobile-header-display":"","site-post-title":"","ast-breadcrumbs-content":"","ast-featured-img":"","footer-sml-layout":"","theme-transparent-header-meta":"","adv-header-id-meta":"","stick-header-meta":"","header-above-stick-meta":"","header-main-stick-meta":"","header-below-stick-meta":"","astra-migrate-meta-layouts":"set","ast-page-background-enabled":"default","ast-page-background-meta":{"desktop":{"background-color":"var(--ast-global-color-4)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"tablet":{"background-color":"","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"mobile":{"background-color":"","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""}},"ast-content-background-meta":{"desktop":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"tablet":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"mobile":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""}},"footnotes":""},"categories":[5,9],"tags":[],"class_list":["post-2204","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-linux","category-firewallsecurity"],"uagb_featured_image_src":{"full":["https:\/\/www.veeble.com\/kb\/wp-content\/uploads\/2024\/01\/Setting-up-Google-2-Factor-Authentication-for-OpenSSH.jpg",1366,768,false],"thumbnail":["https:\/\/www.veeble.com\/kb\/wp-content\/uploads\/2024\/01\/Setting-up-Google-2-Factor-Authentication-for-OpenSSH-150x150.jpg",150,150,true],"medium":["https:\/\/www.veeble.com\/kb\/wp-content\/uploads\/2024\/01\/Setting-up-Google-2-Factor-Authentication-for-OpenSSH-300x169.jpg",300,169,true],"medium_large":["https:\/\/www.veeble.com\/kb\/wp-content\/uploads\/2024\/01\/Setting-up-Google-2-Factor-Authentication-for-OpenSSH-768x432.jpg",768,432,true],"large":["https:\/\/www.veeble.com\/kb\/wp-content\/uploads\/2024\/01\/Setting-up-Google-2-Factor-Authentication-for-OpenSSH-1024x576.jpg",1024,576,true],"1536x1536":["https:\/\/www.veeble.com\/kb\/wp-content\/uploads\/2024\/01\/Setting-up-Google-2-Factor-Authentication-for-OpenSSH.jpg",1366,768,false],"2048x2048":["https:\/\/www.veeble.com\/kb\/wp-content\/uploads\/2024\/01\/Setting-up-Google-2-Factor-Authentication-for-OpenSSH.jpg",1366,768,false]},"uagb_author_info":{"display_name":"Nayana Nair","author_link":"https:\/\/www.veeble.com\/kb\/author\/nayana\/"},"uagb_comment_info":0,"uagb_excerpt":"In the ever-evolving landscape of cybersecurity, we face a constant challenge to fortify systems against potential threats. One pivotal aspect of this defense is […]","_links":{"self":[{"href":"https:\/\/www.veeble.com\/kb\/wp-json\/wp\/v2\/posts\/2204","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.veeble.com\/kb\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.veeble.com\/kb\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.veeble.com\/kb\/wp-json\/wp\/v2\/users\/9"}],"replies":[{"embeddable":true,"href":"https:\/\/www.veeble.com\/kb\/wp-json\/wp\/v2\/comments?post=2204"}],"version-history":[{"count":10,"href":"https:\/\/www.veeble.com\/kb\/wp-json\/wp\/v2\/posts\/2204\/revisions"}],"predecessor-version":[{"id":7965,"href":"https:\/\/www.veeble.com\/kb\/wp-json\/wp\/v2\/posts\/2204\/revisions\/7965"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.veeble.com\/kb\/wp-json\/wp\/v2\/media\/7964"}],"wp:attachment":[{"href":"https:\/\/www.veeble.com\/kb\/wp-json\/wp\/v2\/media?parent=2204"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.veeble.com\/kb\/wp-json\/wp\/v2\/categories?post=2204"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.veeble.com\/kb\/wp-json\/wp\/v2\/tags?post=2204"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}