Thursday, November 12, 2015

How to secure your SSH login with Google two-step authentication on Debian/Ubuntu-based servers.

Most of us SSH into our Linux machines on a regular basis, so we obviously want to protect that login from misuse. Google provides Google Authenticator, an open-source time-based one-time password (TOTP) system, which can be used to secure your SSH sessions.
Warning: Unlike Google 2-Step Verification for your Google account, nobody will phone or SMS your authentication code to you if you have deleted the app from your phone or set up the server without setting up Google Authenticator on your phone. Everything happens between your SSH server and your phone.

Installing Google Authenticator on Server:

To implement multi-stage authentication we need the Google Authenticator PAM module. PAM stands for "pluggable authentication module", the mechanism that lets different forms of authentication be plugged into a Linux system.

Google Authenticator PAM can be installed in two ways.
Method 1: Installing from the official Ubuntu/Debian repository (preferred for newbies)
  • Type the below command in a terminal:
    sudo apt-get install libpam-google-authenticator

Method 2: Installing the latest commit using Git
  • Clone the official open-source Google Authenticator repository:
    git clone https://github.com/google/google-authenticator.git

  • Change directory to google-authenticator/libpam/:
    cd google-authenticator/libpam/

  • To build Google Authenticator we first need to install the prerequisite software:
    sudo apt-get install dh-autoreconf build-essential libpam0g-dev

  • Then run the following commands to build libpam-google-authenticator:
    ./bootstrap.sh
    ./configure
    make
    sudo make install

Note: While running "make install" you must be root.
  • To make it functional on Debian/Ubuntu we need to create a softlink in the /lib/ directory:
    ln -s /usr/local/lib/security/ /lib/
Note: This only installs the Google Authenticator PAM module on your system. You still have to configure PAM manually to work with SSH.

Run Google Authenticator:

  • Log in as the user you want to use two-step authentication with. Open a terminal, type the google-authenticator command to create a secret key for that user, and follow the instructions it gives.
  • Google Authenticator will generate and display a secret key, a QR code and several emergency codes; write down the emergency codes in case you lose your phone. The emergency codes are also stored in the user's home directory under ~/.google_authenticator.

Setting up Google Authenticator on phone:

  • Enter the secret key or scan the QR code in the Google Authenticator app on your phone (the official application is available for Android, iOS and BlackBerry).
  • Windows Phone users can use the Authenticator app from the Windows Store and scan the QR code generated in the application or enter the secret key manually.
Note: If you want to log in remotely as multiple users, you need to run the setup for each user separately.

Setting up Google Authenticator on Linux:

Warning: Before continuing, be sure that you have set up the Google Authenticator app on your phone with the secret key generated for your user; otherwise you can lock yourself out of that account.
  • You need to enable Google Authenticator for SSH by editing the /etc/pam.d/sshd file on your system; open it with the following command:
    sudo nano /etc/pam.d/sshd

  • Then add the following line at the end of the file:
    auth required pam_google_authenticator.so nullok

  • Save the file with Ctrl+O and exit with Ctrl+X.
  • Next, open the /etc/ssh/sshd_config file by running the following command:
    sudo nano /etc/ssh/sshd_config

  • Then find the ChallengeResponseAuthentication line, edit it as follows and save the file:
    ChallengeResponseAuthentication yes

Note: If ChallengeResponseAuthentication doesn't exist in your sshd_config file, add the above line to the end of sshd_config.
Alternate: Instead of following the above steps you can just copy and paste the following commands into the terminal (sudo -s opens a root shell, so the next two commands run as root; the sed backreference keeps the directive name and only changes its value):
sudo -s
echo -e "#Google Authenticator for SSH\nauth required pam_google_authenticator.so nullok" >> /etc/pam.d/sshd
sed -i.bak -E -e 's/^(ChallengeResponseAuthentication) no/\1 yes/' /etc/ssh/sshd_config

  • Finally, restart the SSH service:
    sudo service ssh restart

  • Then try to SSH into your system from a different machine; you will be presented with the screen below.
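As an added example that is not part of the original post, here is a checked, repeatable version of the "Alternate" commands above: it appends the PAM line only once, rewrites ChallengeResponseAuthentication whether it is set to "no" or commented out, and validates the sshd configuration with sshd -t before restarting. The function names, the --apply flag and the module search paths are my own choices; the functions take file paths so you can try them on copies first.

```shell
#!/bin/sh
# Added example (not from the original post): an idempotent, checked version of the
# "Alternate" one-liners. Functions take file paths so they can be tried on copies first.
set -e

PAM_LINE='auth required pam_google_authenticator.so nullok'

# Append the PAM line once. "nullok" lets users who have no ~/.google_authenticator
# file log in without a code, so run google-authenticator for every account first.
enable_pam_ga() {
  if ! grep -qxF "$PAM_LINE" "$1"; then
    printf '# Google Authenticator for SSH\n%s\n' "$PAM_LINE" >> "$1"
  fi
}

# Force "ChallengeResponseAuthentication yes": rewrite an existing directive,
# commented or not, and append one when the file has none at all.
set_challenge_response() {
  if grep -qE '^[[:space:]]*#?[[:space:]]*ChallengeResponseAuthentication[[:space:]]' "$1"; then
    sed -i.bak -E \
      's/^[[:space:]]*#?[[:space:]]*(ChallengeResponseAuthentication)[[:space:]].*/\1 yes/' "$1"
  else
    printf 'ChallengeResponseAuthentication yes\n' >> "$1"
  fi
}

# True when the directive is active (uncommented and set to yes).
challenge_response_enabled() {
  grep -qE '^[[:space:]]*ChallengeResponseAuthentication[[:space:]]+yes' "$1"
}

# Apply to the live system: refuse without root or without the module, validate the
# sshd config with "sshd -t" before restarting, and keep your current session open
# until a fresh login has shown the verification-code prompt.
apply_to_system() {
  [ "$(id -u)" -eq 0 ] || { echo 'run as root' >&2; return 1; }
  find /lib /usr/lib -name pam_google_authenticator.so 2>/dev/null | grep -q . \
    || { echo 'pam_google_authenticator.so not installed' >&2; return 1; }
  enable_pam_ga /etc/pam.d/sshd
  set_challenge_response /etc/ssh/sshd_config
  challenge_response_enabled /etc/ssh/sshd_config || return 1
  /usr/sbin/sshd -t || { echo 'sshd config invalid, not restarting' >&2; return 1; }
  service ssh restart
}

if [ "${1:-}" = "--apply" ]; then
  apply_to_system
fi
```

Run it as root with --apply only after google-authenticator has been set up for every account that logs in over SSH.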

