DEV Community

Rupesh Sharma

Transform Your Linux Security: Activate MFA for SSH with Google Authenticator for Unbreakable Protection

Introduction

Enforcing multi-factor authentication (MFA) on a Linux system is an important step in hardening logins. This post walks through setting up MFA for SSH (Secure Shell) connections to a Linux system using Google Authenticator.


Prerequisites for this setup

  1. A Linux system
  2. The Google Authenticator app on a smartphone.
  3. OpenSSH (if you don’t have the OpenSSH server installed, install it with sudo apt install openssh-server)

Now that we know the prerequisites for enabling MFA on Linux, let’s dive into the steps to configure it.

Step 1: Update and Install Google-Authenticator

sudo apt update -y

sudo apt install libpam-google-authenticator

Update and install google-authenticator on linux

Step 2: Configure Google Authenticator for Users

google-authenticator

After you execute the above command, a QR code is generated. Scan it with the Google Authenticator app on your phone to save the key for the user you are currently logged in as (make sure the app is set up on your phone first). You will then be asked to enter the current code from Google Authenticator to confirm that the key was saved correctly.

google authenticator

You will be asked to configure the authenticator by answering the following questions:

  1. Do you want authentication tokens to be time-based (y/n)

If you choose “y”: OTPs will be time-based, changing every 30 seconds, ensuring higher security.

If you choose “n”: OTPs won’t be time-based, which can lower security as the token remains valid longer.

Recommended : yes

  2. Do you want me to update your “/home/vagrant/.google_authenticator” file? (y/n)

If you choose “y”: The .google_authenticator file will be updated with the secret key, enabling Google Authenticator to work properly.

If you choose “n”: The .google_authenticator file won’t be updated, and the changes will not take effect.

Recommended : yes

  3. Do you want to disallow multiple uses of the same authentication token? This restricts you to one login about every 30s, but it increases your chances to notice or even prevent man-in-the-middle attacks (y/n)

If you choose “y”: OTPs can only be used once, preventing attackers from reusing the same token in multiple login attempts.

If you choose “n”: OTPs can be reused, which may increase the risk of successful brute-force attacks or replay attacks.

Recommended : yes

  4. By default, a new token is generated every 30 seconds by the mobile app. In order to compensate for possible time skew between the client and the server, we allow an extra token before and after the current time. This allows for a time skew of up to 30 seconds between authentication server and client. If you experience problems with poor time synchronization, you can increase the window from its default size of 3 permitted codes (one previous code, the current code, the next code) to 17 permitted codes (the 8 previous codes, the current code, and the 8 next codes). This will permit a time skew of up to 4 minutes between client and server.

Do you want to do so? (y/n)_

If you choose “y”: A larger time window for OTP validation will be allowed (up to 4 minutes) to account for time differences between the client and server.

If you choose “n”: The default 30-second window for OTP validation will be used, which is more secure but requires precise time synchronization.

Recommended : no

  5. If the computer that you are logging into isn’t hardened against brute-force login attempts, you can enable rate-limiting for the authentication module. By default, this limits attackers to no more than 3 login attempts every 30s. Do you want to enable rate-limiting? (y/n)

If you choose “y”: Rate-limiting will be enabled, restricting attackers to 3 login attempts every 30 seconds, slowing down brute-force attacks.

If you choose “n”: No rate-limiting will be applied, making the system more vulnerable to brute-force login attempts.

Recommended : yes

Google Authenticator configuration

In short, for security it is recommended to answer “y” to time-based tokens, updating the file, disallowing token reuse and enabling rate-limiting, and “n” to the 4th question (the larger time window).
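To make the five answers concrete, here is an added example (not code from the original post or from the google-authenticator project) that models what the PAM module does with the ~/.google_authenticator file those answers produce: it parses the file, computes RFC 6238 time-based codes with the standard HOTP algorithm, and applies the window size, the disallow-reuse list and the rate limit on each login attempt. The sample file contents and scratch codes are constructed for the example, and the verification logic is a simplified model of the module's behaviour, not its actual source; the RFC 4226 test vector is included as a self-check of the HOTP implementation.

```python
import base64
import hashlib
import hmac
import struct
import time

# Constructed sample of the ~/.google_authenticator file written by the
# google-authenticator command (the secret and scratch codes are made up for
# this example, not taken from a real host).  Line 1 is the base32 secret,
# lines starting with '" ' are the options chosen by the answers in Step 2,
# and the remaining lines are one-time emergency scratch codes.
SAMPLE_FILE = """JBSWY3DPEHPK3PXP
" RATE_LIMIT 3 30
" WINDOW_SIZE 3
" DISALLOW_REUSE
" TOTP_AUTH
12345678
87654321
"""

# RFC 4226 Appendix D test secret ("12345678901234567890" in base32); used
# to self-check the HOTP implementation below.
RFC4226_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def parse_config(text):
    """Parse the secret, options and scratch codes from the file contents."""
    lines = text.splitlines()
    cfg = {"secret": lines[0].strip(), "window_size": 3, "disallow_reuse": None,
           "rate_limit": None, "scratch_codes": []}
    for line in lines[1:]:
        if line.startswith('" '):
            fields = line[2:].split()
            if fields[0] == "WINDOW_SIZE":
                cfg["window_size"] = int(fields[1])
            elif fields[0] == "DISALLOW_REUSE":      # followed by spent time steps
                cfg["disallow_reuse"] = [int(x) for x in fields[1:]]
            elif fields[0] == "RATE_LIMIT":          # attempts, seconds, attempt timestamps
                cfg["rate_limit"] = [int(fields[1]), int(fields[2]),
                                     [int(x) for x in fields[3:]]]
        elif line.strip():
            cfg["scratch_codes"].append(line.strip())
    return cfg


def hotp(secret_b32, counter):
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamic truncation, 6 digits."""
    key = base64.b32decode(secret_b32.upper() + "=" * (-len(secret_b32) % 8))
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return code % 1_000_000


def verify(cfg, code_str, now=None):
    """Check one login attempt; mutates cfg the way the module rewrites the file.
    Returns (accepted, reason)."""
    now = int(time.time()) if now is None else int(now)
    # Rate limiting (question 5): at most N attempts per M seconds, counted per attempt.
    if cfg["rate_limit"] is not None:
        max_attempts, interval, stamps = cfg["rate_limit"]
        stamps[:] = [s for s in stamps if now - s < interval]
        if len(stamps) >= max_attempts:
            return False, "rate-limited: too many attempts"
        stamps.append(now)
    if not code_str.isdigit():
        return False, "code must be numeric"
    # Emergency scratch codes are single-use.
    if code_str in cfg["scratch_codes"]:
        cfg["scratch_codes"].remove(code_str)
        return True, "accepted scratch code (now consumed)"
    code = int(code_str)
    # Time-based tokens (question 1): the HOTP counter is Unix time / 30.
    tm = now // 30
    # Window (question 4): 3 codes -> +-1 step (30 s skew), 17 codes -> +-8 steps (4 min).
    half = cfg["window_size"] // 2
    for delta in range(-half, half + 1):
        if hotp(cfg["secret"], tm + delta) == code:
            # Disallow reuse (question 3): remember which time step was spent.
            if cfg["disallow_reuse"] is not None:
                if tm + delta in cfg["disallow_reuse"]:
                    return False, "token already used"
                cfg["disallow_reuse"].append(tm + delta)
            return True, f"accepted (clock skew {delta * 30:+d}s)"
    return False, "wrong code"


if __name__ == "__main__":
    assert hotp(RFC4226_SECRET, 0) == 755224  # RFC 4226 Appendix D, count 0
    cfg = parse_config(SAMPLE_FILE)
    now = int(time.time())
    current = f"{hotp(cfg['secret'], now // 30):06d}"
    print(verify(cfg, current, now))         # accepted
    print(verify(cfg, current, now + 1))     # token already used
    print(verify(cfg, "12345678", now + 2))  # scratch code accepted
    print(verify(cfg, current, now + 3))     # rate-limited: 3 attempts in 30 s
```

Running the script shows why the recommended answers interact: the same code is refused the second time (question 3), a scratch code works exactly once, and the fourth attempt inside 30 seconds is refused before the code is even looked at (question 5). Changing WINDOW_SIZE in the sample to 17 widens the accepted skew to eight steps either side, which is the trade-off question 4 asks about.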

Step 3: Integrate Google Authenticator with PAM

Open the PAM configuration for sshd:

sudo nano /etc/pam.d/sshd

Add the following line at the top of the file:

auth required pam_google_authenticator.so

Step 4: Configure the SSH config file

Edit /etc/ssh/sshd_config and add the following lines; if they already exist, just change their value to “yes” to enable them.

ChallengeResponseAuthentication yes

KbdInteractiveAuthentication yes

Editing sshd_config file

Restart the sshd service so that the new configuration is loaded.

Restarting sshd service after configuration
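Before restarting sshd it is worth checking that Steps 3 and 4 actually took effect, because a mistake here can lock you out. The following is an added example, not code from the original post: a small checker that reads sshd_config with sshd's first-match rule (the first occurrence of a keyword wins, which is why the post says to change an existing line rather than add a second one), treats ChallengeResponseAuthentication as the alias of KbdInteractiveAuthentication that current OpenSSH versions make it, confirms UsePAM is not disabled, and looks for the pam_google_authenticator.so line in /etc/pam.d/sshd. The "before" and "after" file contents are constructed samples modelled on a Debian/Ubuntu layout; Match blocks and Include'd files are only partially handled, as noted in the code.

```python
import re

# Constructed sample files (not copied from a real host): sshd_config and
# /etc/pam.d/sshd before and after Steps 3 and 4 of the post.
SSHD_BEFORE = """Include /etc/ssh/sshd_config.d/*.conf
#PasswordAuthentication yes
KbdInteractiveAuthentication no
UsePAM yes
"""
SSHD_AFTER = """Include /etc/ssh/sshd_config.d/*.conf
ChallengeResponseAuthentication yes
KbdInteractiveAuthentication yes
UsePAM yes
"""
PAM_BEFORE = """# PAM configuration for the Secure Shell service
@include common-auth
account required pam_nologin.so
"""
PAM_AFTER = """auth required pam_google_authenticator.so
@include common-auth
account required pam_nologin.so
"""

# sshd treats ChallengeResponseAuthentication as a deprecated alias of
# KbdInteractiveAuthentication, so both names map to one setting here.
ALIASES = {"challengeresponseauthentication": "kbdinteractiveauthentication"}


def effective_sshd_options(text):
    """Return the value sshd would use for each keyword in the global section.

    sshd keeps the FIRST occurrence of a keyword and ignores later duplicates.
    Simplifications: the scan stops at the first Match block, and Include'd
    files are not read (the Include line is only reported by check_mfa)."""
    opts = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key = ALIASES.get(parts[0].lower(), parts[0].lower())
        if key == "match":
            break
        value = parts[1].strip().lower() if len(parts) > 1 else ""
        opts.setdefault(key, value)   # first occurrence wins
    return opts


def pam_google_authenticator(text):
    """Return (control, options) for the uncommented 'auth' line that loads
    pam_google_authenticator.so, or None if there is no such line."""
    for raw in text.splitlines():
        fields = raw.split()
        if (len(fields) >= 3 and fields[0] == "auth"
                and fields[2].endswith("pam_google_authenticator.so")):
            return fields[1], fields[3:]
    return None


def check_mfa(sshd_text, pam_text):
    """Pre-restart check for Steps 3 and 4.  Returns (ok, findings) where each
    finding is ("fail", message) or ("info", message); ok is True if nothing failed."""
    findings = []
    opts = effective_sshd_options(sshd_text)
    # sshd's built-in default is yes; distro configs frequently set it to no.
    kbd = opts.get("kbdinteractiveauthentication", "yes")
    if kbd != "yes":
        findings.append(("fail", f"sshd_config: KbdInteractiveAuthentication is {kbd!r}; "
                                 "the OTP prompt needs yes"))
    if opts.get("usepam", "yes") != "yes":
        findings.append(("fail", "sshd_config: UsePAM must be yes, otherwise "
                                 "/etc/pam.d/sshd is never consulted"))
    if "include" in opts:
        findings.append(("info", f"sshd_config: Include {opts['include']} comes first; a "
                                 "drop-in file there can set these keywords before the main file"))
    pam = pam_google_authenticator(pam_text)
    if pam is None:
        findings.append(("fail", "/etc/pam.d/sshd: no uncommented "
                                 "'auth ... pam_google_authenticator.so' line"))
    else:
        control, options = pam
        if control not in ("required", "requisite"):
            findings.append(("fail", f"/etc/pam.d/sshd: control {control!r} differs from the "
                                     "'required' the post specifies; with 'sufficient' a correct "
                                     "OTP would skip the password check that follows"))
        if "nullok" not in options:
            findings.append(("info", "/etc/pam.d/sshd: no 'nullok', so every user must have run "
                                     "google-authenticator before sshd is restarted or their "
                                     "logins will fail"))
    ok = not any(level == "fail" for level, _ in findings)
    return ok, findings


if __name__ == "__main__":
    for label, sshd, pam in (("before", SSHD_BEFORE, PAM_BEFORE),
                             ("after", SSHD_AFTER, PAM_AFTER)):
        ok, findings = check_mfa(sshd, pam)
        print(f"{label}: {'OK' if ok else 'NOT READY'}")
        for level, msg in findings:
            print(f"  [{level}] {msg}")
```

To run it against a real host, read /etc/ssh/sshd_config and /etc/pam.d/sshd into the two arguments of check_mfa; keep an existing SSH session open while you restart sshd so that a failed check can still be corrected.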

Step 5: Verifying the MFA setup on the Linux server

Now when you SSH into the Linux server you first have to enter the verification code from the Google Authenticator app on your phone, and then the password for the user you are logging in as. Only once both are correct do you get access to the server.

Verifying the MFA implementation on Linux server

Attacks that can be mitigated by using MFA for SSH

  • Brute Force Attacks: Rate-limiting restricts login attempts, making it difficult for attackers to guess SSH passwords.
  • Credential Stuffing: MFA ensures that even if an attacker obtains SSH credentials, they can’t access the system without the second factor.
  • Man-in-the-Middle (MITM) Attacks: Time-based OTPs prevent attackers from intercepting and replaying SSH authentication tokens.
  • Replay Attacks: Disallowing token reuse ensures that intercepted SSH tokens can’t be reused for subsequent logins.
  • Password Guessing: MFA adds an additional layer of security, making it harder for attackers to access the system through SSH.
  • Phishing Attacks: Even if SSH login credentials are phished, the attacker still requires the OTP to successfully authenticate.

Conclusion

Securing SSH access is crucial for protecting your Linux systems from cyberattacks. By enabling MFA with Google Authenticator, you add an extra layer of security that safeguards against brute force, phishing, and other unauthorized access attempts. With this easy-to-follow guide, you can significantly enhance your system’s protection and stay ahead of potential threats. Prioritize your Linux security today and make your SSH connections safer than ever!
