Penguin Fortress YouTube Channel

Multi-factor / Two-Factor Authentication for Linux using Google Authenticator MFA / 2FA

MFA Multi-Factor Authentication otherwise known as 2FA or Two-Factor Authentication is an good way to add additional security to protect against hackers or crackers.

This video explains about what it is and introduces the free 2FA / MFA Google App, Google Authenticator. It explains how this can be installed on a Raspberry Pi, or other Linux system, particularly Ubuntu or Debian based systems.

Transcript: Multi-factor / Two-Factor Authentication for Linux using Google Authenticator MFA / 2FA - Video Transcript

Google Authenticator is a mobile phone app available for Android through the Google Play store and Apple iPhone through the Apple App Store. It then needs the google-authenticator to be installed onto the Linux computer and for that to be registered as a PAM security module.

Once setup then you can ssh to the computer as normal, but after the usual authentication (typically username & password, but could be key based) then you will need to add the code from the Google Authenticator app.

This provides a significant improvement to the IT Security / Cybersecurity of that particular system.

2FA MFA Google Authenticator SSH on a Raspberry Pi Linux Computer

How to install Google Authenticator on Linux SSH

These instructions are for a Debian / Ubuntu based system including the Raspberry Pi.

First install Google Authenticator App on your mobile phone from your usual app store.

Install the PAM module:
sudo apt install libpam-google-authenticator

Run
google-authenticator

You should be able to scan the QR code with Google Authenticator on your phone, otherwise enter it manually using the secret key which is under the QR 3D barcode.

There are some questions, these can make a small difference to your level of security, vs convenience of use. The one I suggest enabling is rate limiting. The others are down to personal preference.

Update /etc/pam.d/sshd
At the bottom of the file add the line:
auth required pam_google_authenticator.so nullok

The nullok option on the end depends upon whether you want to force google authentication for all ssh logins. If you don't include that then if a user is not setup for google authenticator then they won't be able to login.

Edit the file /etc/ssh/sshd_config
Change the ChallengeResponseAuthentication entry to say:
ChallengeResponseAuthentication yes

Restart sshd and then when you next login after entering the password you will be prompted for the code from the Google Authenticator app.

More information

Please subscribe to Penguin Fortress on YouTube for future videos.

For more details about how username and password security work on Linux systems see the following guides:

Previous Stupid Password Rules
Stupid Password Rules
Next Kerberos
Kerberos