This article describes how to enable and disable two-factor authentication for SSH on an unmanaged server.
This article only applies to products listed in the Article Details sidebar. You must have root access to the server to follow these procedures.
Table of Contents
- About two-factor authentication
- Enabling two-factor authentication for SSH
- Step 1: Disable root logins for SSH
- Step 2: Install an authenticator app on a mobile device
- Step 3: Enable two-factor authentication on the server
- Disabling two-factor authentication for SSH
About two-factor authentication
By default, when users access your unmanaged VPSor dedicated server using SSH, they type a username and password to log in.
Two-factor authentication provides an extra layer of security because, in addition to knowing the correct username and password, users must provide another piece of information. This piece of information is a temporary, numeric password generated independently on the server and on a mobile device, such as a smartphone or tablet.
As a result, in order for a potential attacker to access your server, he or she would not only need to obtain something you know (your username and password), but also something you have (your mobile device). This two-factor approach to logins significantly enhances your server's security and makes brute-force attacks much more difficult.
Enabling two-factor authentication for SSH
To enable two-factor authentication with SSH on your server, do the following steps in the order in which they are presented.
Step 1: Disable root logins for SSH
If you haven't done so already, you should disable root SSH logins on your server and create a normal user account. For information about how to do this, please see this article.
Step 2: Install an authenticator app on a mobile device
You use an authenticator app on your smartphone or tablet to generate a one-time password that you use to log in (this is the “second factor” for authentication, in addition to your username and password).
- For Google Android and Apple iOS devices, A2 Hosting recommends the Google Authenticator app.
- For Windows Phone and other Microsoft Windows-based devices, you can use the Authenticator app or the Azure Authenticator app.
Step 3: Enable two-factor authentication on the server
To enable two-factor authentication on the server, follow these steps:
- Log in to your server using SSH.
- As the root user, install the Google Authenticator package:
- For Debian and Ubuntu, type the following command:
apt-get install libpam-google-authenticator
For AlmaLinux and Fedora, type the following command:
yum install google-authenticator
Google develops and maintains the Google Authenticator code, but it does not collect any information from your server.
- For Debian and Ubuntu, type the following command:
- Stay logged in as the root user, and then in a separate window, log in to your server as a normal (that is, non-root) user.
At the command prompt, type the following command:
google-authenticator
- At the Do you want authentication tokens to be time-based? prompt, type y and then press Enter.
The server generates a QR code image and emergency codes. On your mobile device, scan the QR code image and configure the account.
Alternatively, if your device does not support reading QR codes, you can manually enter the alphanumeric secret key.
Make sure you store the secret key and emergency codes in a safe place. You must have one of these emergency codes if you ever lose your mobile device, or if it is inaccessible for some reason. Otherwise, you will be unable to access your account.
See AlsoHow to View SSH Logs? | StrongDM- On the server, at the Do you want me to update your “/home/username/.google_authenticator” file? prompt, type y and then press Enter.
- At the Do you want to disallow multiple uses of the same authentication token? prompt, type y and then press Enter.
At the By default, tokens are good for 30 seconds… prompt, type n and then press Enter.
As the full prompt states, if you experience time synchronization problems (that is, you enter a code from your mobile device, but the server rejects it), you can increase the token validity interval from its default length of 90 seconds to around four minutes. The default value should work fine in most cases however, and is more secure.
- At the Do you want to enable rate-limiting? prompt, type y and then press Enter.
As the root user, open the /etc/pam.d/sshd file in your preferred text editor.
- Add the following line to the top of the file:
auth required pam_google_authenticator.so nullok
- Save your changes to the sshd file.
The nullok setting enables users that have not configured two-factor authentication yet to still log in using only a username and password. It is a good idea to use this setting when you configure two-factor authentication for the first time. After you configure two-factor authentication for all of your users, you can remove the nullok setting to make two-factor authentication mandatory.
- Add the following line to the top of the file:
As the root user, open the/etc/ssh/sshd_config file in your preferred text editor.
- Locate the following line:
ChallengeResponseAuthentication no
Modify the line as follows:
ChallengeResponseAuthentication yes
- Save your changes to the sshd_config file.
- Locate the following line:
As the root user, restart the SSH service:
- For Debian and Ubuntu, type the following command:
service ssh restart
For AlmaLinux and Fedora, type the following command:
service sshd restart
- For Debian and Ubuntu, type the following command:
While still logged in as the root user, in a separate window log in as the normal user and test the new configuration:
- At the Verification code prompt, type the numeric password displayed by the authenticator app on your mobile device.
- At the Password prompt, type the password for the user.
If authentication fails, verify that you followed the previous steps correctly. Do not log out as the root user until you are sure the new authentication configuration is working correctly.
Disabling two-factor authentication for SSH
If you decide that you no longer want to use two-factor authentication with SSH, you can disable it. To do this, follow these steps:
- Log in to your server using SSH.
- As the root user, open the /etc/pam.d/sshd file in your preferred text editor.
- Delete or comment out the following line at the top of the file:
auth required pam_google_authenticator.so nullok
- Save your changes to the sshd file.
- Delete or comment out the following line at the top of the file:
Open the/etc/ssh/sshd_config file in your preferred text editor.
- Locate the following line:
ChallengeResponseAuthentication yes
Modify the line as follows:
ChallengeResponseAuthentication no
- Save your changes to the sshd_config file.
- Locate the following line:
Restart the SSH service:
- For Debian and Ubuntu, type the following command:
service ssh restart
For AlmaLinux and Fedora, type the following command:
service sshd restart
Two-factor authentication is now disabled for SSH.
- For Debian and Ubuntu, type the following command:
