{"id":191,"date":"2024-10-28T12:40:52","date_gmt":"2024-10-28T05:40:52","guid":{"rendered":"http:\/\/nitirat.ddns.net\/wordpress\/?p=191"},"modified":"2024-10-28T12:40:53","modified_gmt":"2024-10-28T05:40:53","slug":"how-to-configure-ssh-two-factor-authentication-on-ubuntu-22-04","status":"publish","type":"post","link":"http:\/\/nitirat.ddns.net\/wordpress\/?p=191","title":{"rendered":"How to configure SSH Two Factor Authentication on Ubuntu 22.04"},"content":{"rendered":"\n<p><strong>Step 1: Install and Configure Google Authenticator<\/strong><\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>sudo apt install libpam-google-authenticator -y<\/code><\/pre>\n\n\n\n<p><strong>Step 2: Generate Security Code<\/strong><\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>google-authenticator<\/code><\/pre>\n\n\n\n<p>After running the above command, the system will display a link and QR code as shown below:<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"581\" src=\"http:\/\/nitirat.ddns.net\/wordpress\/wp-content\/uploads\/2024\/10\/qr-1024x581.webp\" alt=\"\" class=\"wp-image-193\" srcset=\"http:\/\/nitirat.ddns.net\/wordpress\/wp-content\/uploads\/2024\/10\/qr-1024x581.webp 1024w, http:\/\/nitirat.ddns.net\/wordpress\/wp-content\/uploads\/2024\/10\/qr-300x170.webp 300w, http:\/\/nitirat.ddns.net\/wordpress\/wp-content\/uploads\/2024\/10\/qr-768x436.webp 768w, http:\/\/nitirat.ddns.net\/wordpress\/wp-content\/uploads\/2024\/10\/qr-1536x872.webp 1536w, http:\/\/nitirat.ddns.net\/wordpress\/wp-content\/uploads\/2024\/10\/qr-2048x1163.webp 2048w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<p><strong>Step 3: Generate Security Code<\/strong><\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>Code confirmed\nYour emergency scratch codes are:\n  32788307\n  11480031\n  78992160\n  60171886\n  58985147\n\nDo you want me to update your \"\/root\/.google_authenticator\" file? 
(y\/n) <strong><mark>y<\/mark><\/strong>\n\nDo you want to disallow multiple uses of the same authentication\ntoken? This restricts you to one login about every 30s, but it increases\nyour chances to notice or even prevent man-in-the-middle attacks (y\/n) <strong><mark>y<\/mark><\/strong>\n\nBy default, a new token is generated every 30 seconds by the mobile app.\nIn order to compensate for possible time-skew between the client and the server,\nwe allow an extra token before and after the current time. This allows for a\ntime skew of up to 30 seconds between authentication server and client. If you\nexperience problems with poor time synchronization, you can increase the window\nfrom its default size of 3 permitted codes (one previous code, the current\ncode, the next code) to 17 permitted codes (the 8 previous codes, the current\ncode, and the 8 next codes). This will permit for a time skew of up to 4 minutes\nbetween client and server.\nDo you want to do so? (y\/n) <strong><mark>y<\/mark><\/strong>\n\nIf the computer that you are logging into isn't hardened against brute-force\nlogin attempts, you can enable rate-limiting for the authentication module.\nBy default, this limits attackers to no more than 3 login attempts every 30s.\nDo you want to enable rate-limiting? 
(y\/n) <strong><mark>y<\/mark><\/strong><\/code><\/pre>\n\n\n\n<p><strong>Step 4: Configure OpenSSH to use 2FA<\/strong><\/p>\n\n\n\n<p>First, back up the PAM configuration file for sshd:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>sudo cp \/etc\/pam.d\/sshd \/etc\/pam.d\/sshd.bak<\/code><\/pre>\n\n\n\n<p>Next, open the file for editing:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>sudo nano \/etc\/pam.d\/sshd<\/code><\/pre>\n\n\n\n<p>Add the content below at the end of the file and save it. The <code>nullok<\/code> option lets accounts that have not yet run <code>google-authenticator<\/code> log in without a verification code.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>auth required pam_google_authenticator.so nullok\nauth required pam_permit.so<\/code><\/pre>\n\n\n\n<p>Edit the configuration file at\u00a0<strong><em>\/etc\/ssh\/sshd_config<\/em><\/strong><\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>sudo nano \/etc\/ssh\/sshd_config<\/code><\/pre>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"159\" src=\"http:\/\/nitirat.ddns.net\/wordpress\/wp-content\/uploads\/2024\/10\/CleanShot-2022-05-19-at-15.51.21@2x-1024x159.webp\" alt=\"\" class=\"wp-image-192\" srcset=\"http:\/\/nitirat.ddns.net\/wordpress\/wp-content\/uploads\/2024\/10\/CleanShot-2022-05-19-at-15.51.21@2x-1024x159.webp 1024w, http:\/\/nitirat.ddns.net\/wordpress\/wp-content\/uploads\/2024\/10\/CleanShot-2022-05-19-at-15.51.21@2x-300x47.webp 300w, http:\/\/nitirat.ddns.net\/wordpress\/wp-content\/uploads\/2024\/10\/CleanShot-2022-05-19-at-15.51.21@2x-768x119.webp 768w, http:\/\/nitirat.ddns.net\/wordpress\/wp-content\/uploads\/2024\/10\/CleanShot-2022-05-19-at-15.51.21@2x.webp 1430w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<p>Restart the SSH service:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>sudo systemctl restart sshd.service<\/code><\/pre>\n","protected":false},"excerpt":{"rendered":"<p>Step 1: Install and Configure Google Authenticator Step 2: Generate Security Code After running the above command, the system will display a link 
and QR code as shown below: Step 3: Generate Security Code Step 4: Configure OpenSSH to use 2FA First, backup the file with the command: Next, you edit the file with the [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":119,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"site-container-style":"default","site-container-layout":"default","site-sidebar-layout":"default","disable-article-header":"default","disable-site-header":"default","disable-site-footer":"default","disable-content-area-spacing":"default","footnotes":""},"categories":[6],"tags":[],"class_list":["post-191","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-ubuntu"],"_links":{"self":[{"href":"http:\/\/nitirat.ddns.net\/wordpress\/index.php?rest_route=\/wp\/v2\/posts\/191","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/nitirat.ddns.net\/wordpress\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/nitirat.ddns.net\/wordpress\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/nitirat.ddns.net\/wordpress\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/nitirat.ddns.net\/wordpress\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=191"}],"version-history":[{"count":1,"href":"http:\/\/nitirat.ddns.net\/wordpress\/index.php?rest_route=\/wp\/v2\/posts\/191\/revisions"}],"predecessor-version":[{"id":194,"href":"http:\/\/nitirat.ddns.net\/wordpress\/index.php?rest_route=\/wp\/v2\/posts\/191\/revisions\/194"}],"wp:featuredmedia":[{"embeddable":true,"href":"http:\/\/nitirat.ddns.net\/wordpress\/index.php?rest_route=\/wp\/v2\/media\/119"}],"wp:attachment":[{"href":"http:\/\/nitirat.ddns.net\/wordpress\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=191"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/nitirat.ddns.net\/wordpress\/index.php?rest_route=%2Fwp%2Fv2%
2Fcategories&post=191"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/nitirat.ddns.net\/wordpress\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=191"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}