Introduction

OATH-TOTP (Open Authentication Time-Based One-Time Password) is an open protocol that generates a one-time-use password, commonly a 6-digit number that changes every 30 seconds.

Google Authenticator is a software token that implements two-step verification services using the Time-based One-time Password Algorithm (TOTP) and HMAC-based One-time Password Algorithm (HOTP), for authenticating users of mobile applications by Google. The service implements algorithms specified in RFC 6238 and RFC 4226.

Authenticator provides a six- to eight-digit one-time password which users must provide in addition to their username and password to log into Google services or other sites. The Authenticator can also generate codes for third-party applications, such as password managers or file hosting services. Previous versions of the software were open-sourced but subsequent releases are proprietary.

Prerequisites

Completing my first tutorial and having a smartphone or tablet with an OATH-TOTP app installed, such as Google Authenticator (iOS, Android), is enough.

Contents

This tutorial includes these parts:

  1. Installing Google's PAM
  2. Configuring OpenSSH
  3. Making SSH Aware of MFA
  4. Adding a Third Factor (Optional)

1. Installing Google's PAM

In this step, we'll install and configure Google's PAM.

PAM, which stands for Pluggable Authentication Module, is an authentication infrastructure used on Linux systems to authenticate a user. Because Google made an OATH-TOTP app, they also made a PAM that generates TOTPs and is fully compatible with any OATH-TOTP app, like Google Authenticator or Authy.

First, update Ubuntu's repository cache.


sudo apt-get update

Next, install the PAM.


sudo apt-get install libpam-google-authenticator

Then install the app (i.e., Google Authenticator) on your mobile device (iOS or Android) and run the following command on the server.


google-authenticator

You should see a QR code while completing the initialization process. In your app, tap the plus sign and scan the code. You should now see a new entry in the app whose token changes every 30 seconds.
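To make concrete what the token in the app and the PAM on the server are both computing, here is an added example (not part of the original tutorial, nor code from the PAM project) that implements HOTP (RFC 4226) and TOTP (RFC 6238) as described in the Introduction, decodes the base32 secret that google-authenticator prints, and verifies a submitted code with a one-step clock window while refusing to accept the same code twice. The secret used in the comments is the RFC test-vector key, not a real one; the class and function names are this example's own.

```python
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional


def decode_base32_secret(secret_b32: str) -> bytes:
    """Decode the base32 secret shown by google-authenticator.

    The printed secret carries no '=' padding, so pad it to a multiple
    of 8 characters first; spaces and lower case are tolerated as apps do.
    """
    cleaned = secret_b32.replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)
    return base64.b32decode(cleaned)


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter,
    dynamic truncation to 31 bits, then the last `digits` decimal digits."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(key: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step).
    With the RFC key b"12345678901234567890", totp(key, 59) is "287082"."""
    return hotp(key, at // step, digits)


class TotpVerifier:
    """Server-side check of a submitted code.

    Accepts the code for the current 30-second step or its immediate
    neighbours (clock skew), and remembers the highest step already used so
    a captured code cannot be replayed within that window.
    """

    def __init__(self, secret_b32: str, step: int = 30, window: int = 1):
        self.key = decode_base32_secret(secret_b32)
        self.step = step
        self.window = window
        self.last_counter = -1  # highest counter value already accepted

    def verify(self, code: str, at: Optional[int] = None) -> bool:
        if at is None:
            at = int(time.time())
        now_counter = at // self.step
        for delta in range(-self.window, self.window + 1):
            counter = now_counter + delta
            if counter <= self.last_counter:
                continue  # already consumed: reject replay
            if hmac.compare_digest(hotp(self.key, counter), code):
                self.last_counter = counter
                return True
        return False


if __name__ == "__main__":
    # Constructed demo using the RFC 4226/6238 test key in base32 form.
    rfc_key_b32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
    verifier = TotpVerifier(rfc_key_b32)
    now = int(time.time())
    current = totp(verifier.key, now)
    print("code now:", current, "accepted:", verifier.verify(current, now))
    print("same code again accepted:", verifier.verify(current, now))
```

The window of one step on each side is the usual compromise between tolerating phone clock drift and keeping the number of acceptable codes small; the replay check is the same idea behind the "disallow multiple uses of the same authentication token" choice google-authenticator offers during setup.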

2. Configuring OpenSSH

To enable authentication with TOTP (Time-Based One-Time Password), the PAM configuration of the sshd service must be changed accordingly. Edit the file with the following command.


sudo vim /etc/pam.d/sshd

Add the following line to the bottom of the file.

. . .
# Standard Un*x password updating.
@include common-password
auth required pam_google_authenticator.so nullok

The nullok word at the end of the last line tells PAM that this authentication method is optional. This allows users without an OATH-TOTP token to still log in using their SSH key. Once all users have an OATH-TOTP token, you can remove nullok from this line to make MFA mandatory.

Save and close the file.

Next, we'll configure SSH to support this kind of authentication. Open the SSH configuration file for editing.


sudo vim /etc/ssh/sshd_config

Look for ChallengeResponseAuthentication and set its value to yes.

. . .
# Change to yes to enable challenge-response passwords (beware issues with
# some PAM modules and threads)
ChallengeResponseAuthentication yes
. . .

Restart the sshd service.


sudo systemctl restart sshd.service

3. Making SSH Aware of MFA

Reopen the sshd configuration file.


sudo vim /etc/ssh/sshd_config

Add the following lines at the bottom of the file. They tell SSH which authentication methods are required: an SSH key and either a password or a verification code (or all three).

. . .
UsePAM yes
AuthenticationMethods publickey,password publickey,keyboard-interactive

Save and close the file, then restart SSH.


sudo systemctl restart sshd.service

4. Adding a Third Factor (Optional)

In Step 3, we listed the approved types of authentication in the sshd_config file:

  1. publickey (SSH key)
  2. password publickey (password)
  3. keyboard-interactive (verification code)

Although we listed three different factors, with the options we've chosen so far, they only allow for an SSH key and the verification code. If you'd like to have all three factors (SSH key, password, and verification code), one quick change will enable all three.

Open the PAM sshd configuration file.


sudo vim /etc/pam.d/sshd

Locate the commented-out line #@include common-auth and uncomment it by removing the # character. Save and close the file. Now once again, restart SSH.


sudo systemctl restart sshd.service

By enabling the option @include common-auth, PAM will now prompt for a password in addition to checking for an SSH key and asking for a verification code, which we had working previously. Now we can use something we know (password) and two different types of things we have (SSH key and verification code) over two different channels.
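Steps 2 through 4 edit two files by hand, and two details of sshd make it easy to end up with a weaker setup than intended: sshd_config keeps the first value of a keyword it sees (so a setting appended at the bottom is ignored if the distribution's file already set it higher up, and settings inside a Match block only apply conditionally), and each space-separated alternative in AuthenticationMethods is a complete login path on its own. The following added example (not part of the original tutorial) parses the two files the way sshd resolves them and reports what still lets a login skip the verification code. The sample file contents are constructed for the example and mirror the tutorial's settings; the finding codes and function names are this example's own. It also treats KbdInteractiveAuthentication as the same keyword as ChallengeResponseAuthentication, since OpenSSH 8.7 renamed the option and kept the old name as an alias.

```python
import re
from typing import Dict, List

# Constructed sample files for this example, not copied from any real host.
SAMPLE_SSHD_CONFIG = """\
Port 22
ChallengeResponseAuthentication yes
UsePAM yes
AuthenticationMethods publickey,password publickey,keyboard-interactive
Match User backup
    AuthenticationMethods publickey
"""

SAMPLE_PAM_SSHD = """\
# Standard Un*x authentication.
@include common-auth
auth required pam_google_authenticator.so nullok
"""

# OpenSSH 8.7 renamed this keyword; both spellings select the same option.
_ALIASES = {"challengeresponseauthentication": "kbdinteractiveauthentication"}


def parse_sshd_config(text: str) -> Dict[str, str]:
    """Return the global keyword -> value map as sshd resolves it.

    Keywords are case-insensitive, the FIRST value seen wins, and parsing
    stops at the first Match block because everything after it is conditional.
    """
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        key = _ALIASES.get(key, key)
        if key == "match":
            break
        settings.setdefault(key, value)  # first occurrence wins
    return settings


def _requires_otp(alternative: str) -> bool:
    """True if a comma-separated method list includes keyboard-interactive
    (also written keyboard-interactive:pam)."""
    return any(m.split(":")[0] == "keyboard-interactive"
               for m in alternative.split(","))


def audit_mfa(sshd_text: str, pam_text: str) -> List[str]:
    """Return finding codes; an empty list means every login path described
    by the two files goes through the verification code."""
    findings: List[str] = []
    cfg = parse_sshd_config(sshd_text)

    if cfg.get("kbdinteractiveauthentication", "no").lower() != "yes":
        findings.append("KBDINT_DISABLED")
    if cfg.get("usepam", "no").lower() != "yes":
        findings.append("USEPAM_OFF")

    methods = cfg.get("authenticationmethods")
    if not methods:
        findings.append("AUTHMETHODS_UNSET")
    else:
        # each space-separated alternative is a full login path on its own
        for alternative in methods.split():
            if not _requires_otp(alternative):
                findings.append("ALT_WITHOUT_OTP:" + alternative)

    ga_lines = [ln for ln in pam_text.splitlines()
                if not ln.lstrip().startswith("#")
                and "pam_google_authenticator.so" in ln]
    if not ga_lines:
        findings.append("PAM_GA_MISSING")
    elif any("nullok" in ln.split() for ln in ga_lines):
        findings.append("PAM_NULLOK")  # users without a token skip the code
    return findings


if __name__ == "__main__":
    for code in audit_mfa(SAMPLE_SSHD_CONFIG, SAMPLE_PAM_SSHD):
        print("finding:", code)
```

On the tutorial's own settings the audit reports two things, both of which the text describes as intentional for the rollout phase: the publickey,password alternative lets a key plus password log in without the code, and nullok lets users who have not enrolled skip it. Once every user has a token, dropping the first alternative and the nullok word brings the report down to nothing. To check a live host rather than the constructed samples, feed the function the output of `sshd -T`, which prints the effective configuration after sshd has applied its own first-match rules.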

Sources:

  1. How To Set Up Multi-Factor Authentication for SSH on Ubuntu 16.04