02-21-2019, 12:40 AM
Set up two-factor authentication for SSH on Fedora
<div style="margin: 5px 5% 10px 5%;"><img src="http://www.sickgaming.net/blog/wp-content/uploads/2019/02/set-up-two-factor-authentication-for-ssh-on-fedora.png" width="240" height="163" title="" alt="" /></div><div><p>Every day there seems to be a security breach reported in the news where our data is at risk. Despite the fact that SSH is a secure way to connect remotely to a system, you can still make it even more secure. This article will show you how.</p>
<p> <span id="more-25138"></span> </p>
<p>That’s where two-factor authentication (2FA) comes in. Even if you disable passwords and only allow SSH connections using public and private keys, an unauthorized user could still gain access to your system if they steal your keys.</p>
<p>With two-factor authentication, you can’t connect to a server with just your SSH keys. You also need to provide the randomly generated number displayed by an authenticator application on a mobile phone.</p>
<p>The Time-based One-time Password algorithm (TOTP) is the method shown in this article. <a href="https://en.wikipedia.org/wiki/Google_Authenticator">Google Authenticator</a> is used as the server application. Google Authenticator is available by default in Fedora.</p>
<p>For your mobile phone, you can use any two-way authentication application that is compatible with TOTP. There are numerous free applications for Android or IOS that work with TOTP and Google Authenticator. This article uses <a href="https://freeotp.github.io/">FreeOTP</a> as an example.</p>
<h2>Install and set up Google Authenticator</h2>
<p>First, install the Google Authenticator package on your server.</p>
<pre class="wp-block-preformatted">$ sudo dnf install -y google-authenticator<br /></pre>
<p>Run the application.</p>
<pre class="wp-block-preformatted">$ google-authenticator<br /></pre>
<p>The application presents you with a series of questions. The snippets below show you how to answer for a reasonably secure setup.</p>
<pre class="wp-block-preformatted">Do you want authentication tokens to be time-based (y/n) <strong>y</strong><br />Do you want me to update your "/home/user/.google_authenticator" file (y/n)? <strong>y</strong><br /></pre>
<p>The app provides you with a secret key, verification code, and recovery codes. Keep these in a secure, safe location. The recovery codes are the <strong>only</strong> way to access your server if you lose your mobile phone.</p>
<h2 id="mce_1">Set up mobile phone authentication</h2>
<p>Install the authenticator application (FreeOTP) on your mobile phone. You can find it in Google Play if you have an Android phone, or in the iTunes store for an Apple iPhone.</p>
<p>A QR code is displayed on the screen. Open up the FreeOTP app on your mobile phone. To add a new account, select the QR code shaped tool at the top on the app, and then scan the QR code. After the setup is complete, you’ll have to provide the random number generated by the authenticator application every time you connect to your server remotely.</p>
<h2>Finish configuration</h2>
<p>The application asks further questions. The example below shows you how to answer to set up a reasonably secure configuration.</p>
<pre class="wp-block-preformatted">Do you want to disallow multiple uses of the same authentication token? This restricts you to one login about every 30s, but it increases your chances to notice or even prevent man-in-the-middle attacks (y/n) <strong>y</strong><br />By default, tokens are good for 30 seconds. In order to compensate for possible time-skew between the client and the server, we allow an extra token before and after the current time. If you experience problems with poor time synchronization, you can increase the window from its default size of +-1min (window size of 3) to about +-4min (window size of 17 acceptable tokens). <br />Do you want to do so? (y/n) <strong>n</strong><br />If the computer that you are logging into isn't hardened against brute-force login attempts, you can enable rate-limiting for the authentication module. By default, this limits attackers to no more than 3 login attempts every 30s.<br />Do you want to enable rate-limiting (y/n) <strong>y</strong></pre>
<p>Now you have to set up SSH to take advantage of the new two-way authentication.</p>
<h2>Configure SSH</h2>
<p>Before completing this step, <strong>make sure you’ve already established a working SSH connection</strong> using public SSH keys, since we’ll be disabling password connections. If there is a problem or mistake, having a connection will allow you to fix the problem.</p>
<p>On your server, use <em><a href="https://fedoramagazine.org/howto-use-sudo/">sudo</a></em> to edit the <em>/etc/pam.d/sshd</em> file.</p>
<pre class="wp-block-preformatted">$ sudo vi /etc/pam.d/ssh<br /></pre>
<p>Comment out the <em>auth substack password-auth</em> line:</p>
<pre class="wp-block-preformatted">#auth substack password-auth<br /></pre>
<p>Add the following line to the bottom of the file.</p>
<pre class="wp-block-preformatted">auth sufficient pam_google_authenticator.so<br /></pre>
<p>Save and close the file. Next, edit the /etc/ssh/sshd_config file.</p>
<pre class="wp-block-preformatted">$ sudo vi /etc/ssh/sshd_config<br /></pre>
<p>Look for the <em>ChallengeResponseAuthentication</em> line and change it to <em>yes</em>.</p>
<pre class="wp-block-preformatted">ChallengeResponseAuthentication yes<br /></pre>
<p>Look for the <em>PasswordAuthentication</em> line and change it to <em>no</em>.</p>
<pre class="wp-block-preformatted">PasswordAuthentication no<br /></pre>
<p>Add the following line to the bottom of the file.</p>
<pre class="wp-block-preformatted">AuthenticationMethods publickey,password publickey,keyboard-interactive<br /></pre>
<p>Save and close the file, and then restart SSH.</p>
<pre class="wp-block-preformatted">$ sudo systemctl restart sshd</pre>
<h2>Testing your two-factor authentication</h2>
<p>When you attempt to connect to your server you’re now prompted for a verification code.</p>
<pre class="wp-block-preformatted">[user@client ~]$ ssh [email protected]<br />Verification code:</pre>
<p>The verification code is randomly generated by your authenticator application on your mobile phone. Since this number changes every few seconds, you need to enter it before it changes.</p>
<figure class="wp-block-image"><img src="http://www.sickgaming.net/blog/wp-content/uploads/2019/02/set-up-two-factor-authentication-for-ssh-on-fedora.png" alt="" class="wp-image-25156" /></figure>
<p>If you do not enter the verification code, you won’t be able to access the system, and you’ll get a permission denied error:</p>
<pre class="wp-block-code"> <div class="codecolorer-container text default" style="overflow:auto;border:1px solid #9F9F9F;width:435px"><div class="text codecolorer" style="padding:5px;font:normal 12px/1.4em Monaco, Lucida Console, monospace">[user@client ~]$ ssh [email protected]<br />
Verification code:<br />
Verification code:<br />
Verification code:<br />
Permission denied (keyboard-interactive).<br />
[user@client ~]$</div></div> </pre>
<h2>Conclusion</h2>
<p>By adding this simple two-way authentication, you’ve now made it much more difficult for an unauthorized user to gain access to your server.</p>
</div>
<div style="margin: 5px 5% 10px 5%;"><img src="http://www.sickgaming.net/blog/wp-content/uploads/2019/02/set-up-two-factor-authentication-for-ssh-on-fedora.png" width="240" height="163" title="" alt="" /></div><div><p>Every day there seems to be a security breach reported in the news where our data is at risk. Despite the fact that SSH is a secure way to connect remotely to a system, you can still make it even more secure. This article will show you how.</p>
<p> <span id="more-25138"></span> </p>
<p>That’s where two-factor authentication (2FA) comes in. Even if you disable passwords and only allow SSH connections using public and private keys, an unauthorized user could still gain access to your system if they steal your keys.</p>
<p>With two-factor authentication, you can’t connect to a server with just your SSH keys. You also need to provide the randomly generated number displayed by an authenticator application on a mobile phone.</p>
<p>The Time-based One-time Password algorithm (TOTP) is the method shown in this article. <a href="https://en.wikipedia.org/wiki/Google_Authenticator">Google Authenticator</a> is used as the server application. Google Authenticator is available by default in Fedora.</p>
<p>For your mobile phone, you can use any two-way authentication application that is compatible with TOTP. There are numerous free applications for Android or IOS that work with TOTP and Google Authenticator. This article uses <a href="https://freeotp.github.io/">FreeOTP</a> as an example.</p>
<h2>Install and set up Google Authenticator</h2>
<p>First, install the Google Authenticator package on your server.</p>
<pre class="wp-block-preformatted">$ sudo dnf install -y google-authenticator<br /></pre>
<p>Run the application.</p>
<pre class="wp-block-preformatted">$ google-authenticator<br /></pre>
<p>The application presents you with a series of questions. The snippets below show you how to answer for a reasonably secure setup.</p>
<pre class="wp-block-preformatted">Do you want authentication tokens to be time-based (y/n) <strong>y</strong><br />Do you want me to update your "/home/user/.google_authenticator" file (y/n)? <strong>y</strong><br /></pre>
<p>The app provides you with a secret key, verification code, and recovery codes. Keep these in a secure, safe location. The recovery codes are the <strong>only</strong> way to access your server if you lose your mobile phone.</p>
<h2 id="mce_1">Set up mobile phone authentication</h2>
<p>Install the authenticator application (FreeOTP) on your mobile phone. You can find it in Google Play if you have an Android phone, or in the iTunes store for an Apple iPhone.</p>
<p>A QR code is displayed on the screen. Open up the FreeOTP app on your mobile phone. To add a new account, select the QR code shaped tool at the top on the app, and then scan the QR code. After the setup is complete, you’ll have to provide the random number generated by the authenticator application every time you connect to your server remotely.</p>
<h2>Finish configuration</h2>
<p>The application asks further questions. The example below shows you how to answer to set up a reasonably secure configuration.</p>
<pre class="wp-block-preformatted">Do you want to disallow multiple uses of the same authentication token? This restricts you to one login about every 30s, but it increases your chances to notice or even prevent man-in-the-middle attacks (y/n) <strong>y</strong><br />By default, tokens are good for 30 seconds. In order to compensate for possible time-skew between the client and the server, we allow an extra token before and after the current time. If you experience problems with poor time synchronization, you can increase the window from its default size of +-1min (window size of 3) to about +-4min (window size of 17 acceptable tokens). <br />Do you want to do so? (y/n) <strong>n</strong><br />If the computer that you are logging into isn't hardened against brute-force login attempts, you can enable rate-limiting for the authentication module. By default, this limits attackers to no more than 3 login attempts every 30s.<br />Do you want to enable rate-limiting (y/n) <strong>y</strong></pre>
<p>Now you have to set up SSH to take advantage of the new two-way authentication.</p>
<h2>Configure SSH</h2>
<p>Before completing this step, <strong>make sure you’ve already established a working SSH connection</strong> using public SSH keys, since we’ll be disabling password connections. If there is a problem or mistake, having a connection will allow you to fix the problem.</p>
<p>On your server, use <em><a href="https://fedoramagazine.org/howto-use-sudo/">sudo</a></em> to edit the <em>/etc/pam.d/sshd</em> file.</p>
<pre class="wp-block-preformatted">$ sudo vi /etc/pam.d/ssh<br /></pre>
<p>Comment out the <em>auth substack password-auth</em> line:</p>
<pre class="wp-block-preformatted">#auth substack password-auth<br /></pre>
<p>Add the following line to the bottom of the file.</p>
<pre class="wp-block-preformatted">auth sufficient pam_google_authenticator.so<br /></pre>
<p>Save and close the file. Next, edit the /etc/ssh/sshd_config file.</p>
<pre class="wp-block-preformatted">$ sudo vi /etc/ssh/sshd_config<br /></pre>
<p>Look for the <em>ChallengeResponseAuthentication</em> line and change it to <em>yes</em>.</p>
<pre class="wp-block-preformatted">ChallengeResponseAuthentication yes<br /></pre>
<p>Look for the <em>PasswordAuthentication</em> line and change it to <em>no</em>.</p>
<pre class="wp-block-preformatted">PasswordAuthentication no<br /></pre>
<p>Add the following line to the bottom of the file.</p>
<pre class="wp-block-preformatted">AuthenticationMethods publickey,password publickey,keyboard-interactive<br /></pre>
<p>Save and close the file, and then restart SSH.</p>
<pre class="wp-block-preformatted">$ sudo systemctl restart sshd</pre>
<h2>Testing your two-factor authentication</h2>
<p>When you attempt to connect to your server you’re now prompted for a verification code.</p>
<pre class="wp-block-preformatted">[user@client ~]$ ssh [email protected]<br />Verification code:</pre>
<p>The verification code is randomly generated by your authenticator application on your mobile phone. Since this number changes every few seconds, you need to enter it before it changes.</p>
<figure class="wp-block-image"><img src="http://www.sickgaming.net/blog/wp-content/uploads/2019/02/set-up-two-factor-authentication-for-ssh-on-fedora.png" alt="" class="wp-image-25156" /></figure>
<p>If you do not enter the verification code, you won’t be able to access the system, and you’ll get a permission denied error:</p>
<pre class="wp-block-code"> <div class="codecolorer-container text default" style="overflow:auto;border:1px solid #9F9F9F;width:435px"><div class="text codecolorer" style="padding:5px;font:normal 12px/1.4em Monaco, Lucida Console, monospace">[user@client ~]$ ssh [email protected]<br />
Verification code:<br />
Verification code:<br />
Verification code:<br />
Permission denied (keyboard-interactive).<br />
[user@client ~]$</div></div> </pre>
<h2>Conclusion</h2>
<p>By adding this simple two-way authentication, you’ve now made it much more difficult for an unauthorized user to gain access to your server.</p>
</div>