
Secure SSH access with 2-step authentication (extended)

In this quick tutorial I’ll show you how to secure SSH access to your Linux server with 2-step authentication. Why did I call this post ‘extended’? Because I’ll show you how to add extra rules so you don’t have to use 2-step authentication from certain locations.

I’m not going to explain what 2-step authentication is. You’ll need SSH or CLI access to your Linux device with root rights and a 2-step authentication app on your phone, tablet or PC.

The PAM module we need is called libpam-google-authenticator, so on Debian/Ubuntu/… you can install it with the following command:

sudo apt-get update && sudo apt-get install -y libpam-google-authenticator

Next, run

google-authenticator

to set this up for your account. Do not run it with sudo or anything similar: run it as your own account!

Now open the file /etc/pam.d/sshd; you can do this with

sudo nano /etc/pam.d/sshd

and add the following at the end of the file:

auth [success=1 default=ignore] pam_access.so accessfile=/etc/security/access-local.conf
auth required pam_google_authenticator.so

Now create the file /etc/security/access-local.conf:

sudo nano /etc/security/access-local.conf

and add the following:

+ : ALL : ????
+ : ALL : LOCAL
- : ALL : ALL

Replace the ???? with the subnet or the IP that should be allowed to access SSH without the second verification step. You could enter an IP like 192.168.0.5 or a subnet like 192.168.0.0/24.
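To check which origins will be allowed to skip the second step, here is a small evaluator of the access-local.conf rules above combined with the `[success=1 default=ignore]` logic of the PAM stack. It is an added example, not code from the post or from pam_access itself; the 192.168.0.0/24 subnet filled in for ???? is an assumption, and only the IP, CIDR, LOCAL and ALL origin forms used in this post are handled (pam_access also knows group names, EXCEPT and more).

```python
import ipaddress

# Constructed copy of /etc/security/access-local.conf from the post,
# with ???? replaced by a sample trusted LAN (an assumption).
ACCESS_LOCAL_CONF = """\
# trusted LAN and local (console) logins skip the OTP prompt
+ : ALL : 192.168.0.0/24
+ : ALL : LOCAL
- : ALL : ALL
"""


def parse_access_conf(text):
    """Parse 'perm : users : origins' lines into (allow, users, origins)."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        perm, users, origins = (f.strip() for f in line.split(":", 2))
        rules.append((perm == "+", users.split(), origins.split()))
    return rules


def origin_matches(pattern, origin):
    """Match one origin pattern the way this post uses them."""
    if pattern == "ALL":
        return True
    if pattern == "LOCAL":
        # pam_access: LOCAL matches any origin string without a '.', e.g. a tty
        return "." not in origin
    try:
        net = ipaddress.ip_network(pattern, strict=False)
        return ipaddress.ip_address(origin) in net
    except ValueError:
        # not an address/network pattern: fall back to a literal comparison
        return pattern == origin


def access_granted(rules, user, origin):
    """First matching rule wins, like pam_access; no match means denied."""
    for allow, users, origins in rules:
        user_ok = "ALL" in users or user in users
        if user_ok and any(origin_matches(p, origin) for p in origins):
            return allow
    return False


def otp_required(conf_text, user, origin):
    """Mirror 'auth [success=1 default=ignore] pam_access.so': the
    pam_google_authenticator line is skipped only when access is granted."""
    return not access_granted(parse_access_conf(conf_text), user, origin)
```

Running it with a LAN address, an Internet address and a local tty shows which connections are prompted for the code and which are not.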

Now edit the file /etc/ssh/sshd_config:

sudo nano /etc/ssh/sshd_config

and make sure it says

ChallengeResponseAuthentication yes

By default it says no.

Now restart the SSH service and you should be good!

sudo service ssh restart

NTP

Ahtanu has let me know via Twitter that you’d better make sure your device is properly configured as an NTP client. The one-time codes are computed from the current time, so a clock that drifts will cause valid codes to be rejected. Most desktop Linux distributions already have this in order, but here are the instructions for Debian-based distributions to make sure NTP is configured properly.

First, update or install the NTP client.

sudo apt-get update && sudo apt-get install -y ntp ntp-simple ntpdate

Next, set the timezone and the date on your device:

sudo tzselect
sudo date --set 2014-12-31
sudo date --set 20:20:20

Now edit the file ntp.conf:

sudo nano /etc/ntp.conf

and make sure it has at least 2 NTP servers, for example:

server 0.be.pool.ntp.org
server 1.be.pool.ntp.org
server 2.be.pool.ntp.org
server 3.be.pool.ntp.org

Finally, restart the NTP service (on Debian-based distributions the service installed by the ntp package is called ntp):

sudo service ntp restart
About the author

Samuel Debruyn is a C# developer who builds mobile (cross-platform) apps with Xamarin. Sam has been a certified Xamarin mobile developer since 2016. He likes to experiment with all kinds of programming languages and software frameworks.