How to Set up Two-Factor Authentication for Linux Server

Introduction

Setting up two-factor authentication (2FA) for a Linux server provides an additional layer of security and helps protect against unauthorized access. With 2FA, users are required to provide two forms of identification to access the server. This combination makes it significantly more difficult for attackers to gain access to the server, even if they manage to obtain or crack a user's password.

When implementing 2FA for a Linux server, there are various methods available, such as time-based one-time password (TOTP) apps like Google Authenticator or hardware tokens. In this guide, we will show you how to set up two-factor authentication for SSH login using Google Authenticator.

Prerequisites

Verify Your Remote Linux Server is Ready
If you have ordered one from Database Mart, you will receive an email containing the information of your VPS, including server IP and login credentials.
Install an Authentication App on Your Mobile Phone
Authentication apps enhance the security of online accounts by providing a second factor of authentication in addition to the traditional username and password combination. They work by generating time-based one-time passwords (TOTP) that serve as the second factor in a two-factor authentication (2FA) setup. Specifically, these apps generate a new six-digit code every 30 seconds that is valid only for the specific account entry previously set up in the app. Several authentication apps are available, such as Google Authenticator and Microsoft Authenticator. They are typically offered as mobile applications for Android and iOS devices and can be downloaded and installed from the respective app stores.

Set up Two-Factor Authentication (2FA) for Linux Servers

In this example, we install Google Authenticator for 2FA on a Linux server running the Ubuntu operating system.

1. Install Google Authenticator

First, log in to your Linux server. In this example, we use Ubuntu 20.04. Then install the Google Authenticator PAM module on your Linux server using the following command.

sudo apt install libpam-google-authenticator

Next, enter y to continue the installation of the package.

Install Google authenticator

2. Run Google Authenticator

After the authenticator is installed, start it by entering the following command.

google-authenticator

You will then be prompted to decide whether you want authentication tokens to be time-based. Enter "y" to accept, and you will get a QR code. Now, open the authenticator app on your mobile phone and scan this QR code to add this server's account to the app.

Launch Google Authenticator
Get a QR code and emergency codes

Below the QR code, there are emergency codes that you can use when you lose your authenticator. Please make sure to store those codes in a secure place.

After that, you are prompted to answer the following 4 questions. For security reasons, it is recommended to confirm each of them with yes.

Set up Google Authenticator

3. Configure Google Authenticator

We need to make adjustments in two configuration files so that two-factor authentication for SSH login is set up correctly. The files are "/etc/ssh/sshd_config" and "/etc/pam.d/sshd".

Update /etc/ssh/sshd_config

Open the file by using the following command.

sudo nano /etc/ssh/sshd_config

Open the sshd configuration file

Find the UsePAM and ChallengeResponseAuthentication directives and set both of their values to yes, as the screenshot shows. After that, press "CTRL + X", then "Y", followed by "Enter" to save the file.

Edit the sshd configuration file

Finally, restart the SSH service so the changes take effect, using the command below.

sudo systemctl restart ssh

Update /etc/pam.d/sshd

The next step is to add the Google Authenticator PAM module to the SSH login configuration in the "/etc/pam.d/sshd" file. Open the file using the command below.

sudo nano /etc/pam.d/sshd

Open the PAM sshd file

Add the line "auth required pam_google_authenticator.so" to the file. Lastly, press "CTRL + X", then "Y", followed by "Enter" to save the file.

Edit the sshd file

Now you've successfully set up 2FA.
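The two edits from step 3 as a small POSIX shell script, added here and not taken from the original guide: it rewrites the two sshd_config directives idempotently, appends the PAM line only once, and checks the result before anything is restarted. The script name enable_2fa.sh and the --apply flag are assumptions; without --apply it only defines functions that you can point at scratch copies of the two files.

```shell
#!/bin/sh
# Added example, not part of the original guide: apply the step 3 edits
# idempotently and verify them. Every function takes file paths, so the
# logic can be tried on scratch copies before touching anything in /etc.
set -eu

PAM_LINE="auth required pam_google_authenticator.so"

# set_sshd_option FILE KEY VALUE
# Rewrite an existing (even commented-out) "KEY ..." line to "KEY VALUE",
# or append it when the key is absent. Writing back through cat keeps
# the file's owner and permissions.
set_sshd_option() {
    file="$1" key="$2" value="$3"
    if grep -Eq "^[[:space:]]*#?[[:space:]]*$key[[:space:]]" "$file"; then
        sed -E "s/^[[:space:]]*#?[[:space:]]*$key[[:space:]].*/$key $value/" "$file" > "$file.tmp"
        cat "$file.tmp" > "$file" && rm -f "$file.tmp"
    else
        printf '%s %s\n' "$key" "$value" >> "$file"
    fi
}

# add_pam_line FILE: append the module line once; re-running must not duplicate it
add_pam_line() {
    grep -Fxq "$PAM_LINE" "$1" || printf '%s\n' "$PAM_LINE" >> "$1"
}

# check_config SSHD_CONFIG PAM_FILE: succeed only if all three settings are active
check_config() {
    grep -Eq '^[[:space:]]*UsePAM[[:space:]]+yes' "$1" &&
    grep -Eq '^[[:space:]]*ChallengeResponseAuthentication[[:space:]]+yes' "$1" &&
    grep -Fxq "$PAM_LINE" "$2"
}

# enable_2fa SSHD_CONFIG PAM_FILE: apply both edits, then verify
enable_2fa() {
    set_sshd_option "$1" UsePAM yes
    set_sshd_option "$1" ChallengeResponseAuthentication yes
    add_pam_line "$2"
    check_config "$1" "$2"
}

# Only touch the live files when asked explicitly: sudo sh enable_2fa.sh --apply
if [ "${1:-}" = "--apply" ]; then
    enable_2fa /etc/ssh/sshd_config /etc/pam.d/sshd && systemctl restart ssh
fi
```

Because the module is added as required, an account that has not yet run google-authenticator (no ~/.google_authenticator file) is refused once sshd restarts, so enrol every SSH user first and keep your current session open until a fresh login succeeds.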

4. 2FA with Password and One-Time Code

Now, you can exit the SSH session and log in again in a new session with 2FA.

You will be prompted to enter both your password and a verification code.

Re-login with 2FA

Now, open the authentication app on your smartphone and read the six-digit code. After entering the code, you are logged into the session.

A code in the authentication app

Conclusion

By following these steps, you establish a strong and effective 2FA setup for your Linux server, leveraging the convenience and security provided by Google Authenticator. Remember to keep your secret key and mobile device secure, as they are vital components of the authentication process.