Ubuntu 18 Server with 2FA for SSH
I want to set up 2FA on SSH on my Ubuntu 18.04 LTS Server. I don't want to use Google Authenticator, but an open-source solution.
Are there any guides for just using something free and other than Google Authenticator?
Thank you in advance.
Regards,
ssh
asked Jan 11 at 23:37
smunir
1 Answer
Those guides should work with other 2FA applications (such as FreeOTP) as well.
Google Authenticator uses TOTP, and most 2FA applications, such as the open-source FreeOTP, use the same standard, and you can use them in place of Google Authenticator.
For completeness, here is a (modified) guide from DigitalOcean to set up FreeOTP. Note that SSH public key logins will not ask for a 2FA token; if you want to use public key authentication with 2FA, see DigitalOcean's guide (and disable password-based authentication).

1. Update Ubuntu's repositories and install libpam-google-authenticator (this works with other 2FA applications as well).

    sudo apt update && sudo apt install libpam-google-authenticator

2. Set up a TOTP key for your user:

    google-authenticator

3. Answer yes to the 'Do you want authentication tokens to be time-based' and 'Do you want me to update your "~/.google_authenticator" file' questions.

4. Scan the (big) QR code (most GUI terminal emulators let you use Ctrl + - to zoom out and Ctrl + 0 to reset zoom) with FreeOTP or the 2FA application of your choice.

5. Write down the backup codes somewhere and store them securely.

6. Configure openssh-server to allow 2FA logins. You can remove nullok if you do not want to allow users without 2FA set up to log in.

    [ -e /etc/pam.d/sshd ] || echo '@include common-auth' | sudo tee /etc/pam.d/sshd
    echo auth 'required pam_google_authenticator.so nullok' | sudo tee -a /etc/pam.d/sshd
    sudo nano /etc/ssh/sshd_config

   Find the ChallengeResponseAuthentication line and change it to ChallengeResponseAuthentication yes, then press Ctrl + O then Enter to save the file and Ctrl + X to close nano.

7. Restart sshd to apply the changes.

    sudo systemctl restart sshd

8. Open another terminal (so you still have access if it didn't work) and try to log in.
edited 14 mins ago
answered Jan 12 at 0:52
luk3yx
OathAuth and freeOTP didn't work.
– smunir
Jan 23 at 0:31
What didn't work / what error did you get?
– luk3yx
Jan 23 at 0:39
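
A check for the state the answer's steps leave a server in, added here as an example and not part of the original answer or comments: it reads /etc/ssh/sshd_config and /etc/pam.d/sshd (or copies of them) and reports whether the TOTP module is missing, disabled, optional (nullok still present) or enforced. The function names and the four status words are made up for this example, and it assumes the ChallengeResponseAuthentication keyword used in the answer.

```shell
#!/bin/sh
# Added example: audit copies (or the live versions) of the two files the
# answer edits. Match blocks and Include files in sshd_config are not followed.

# Print the first value set for an sshd_config keyword (sshd uses the first one).
sshd_value() {  # $1=file  $2=keyword
    awk -v k="$2" 'tolower($1) == tolower(k) { print tolower($2); exit }' "$1"
}

# Active (uncommented) auth lines that load the TOTP PAM module.
totp_lines() {  # $1=PAM service file
    grep -E '^[[:space:]]*auth[[:space:]].*pam_google_authenticator\.so' "$1"
}

# True when such a line still carries nullok, i.e. users who never ran
# google-authenticator are let in without a code.
pam_allows_nullok() {  # $1=PAM service file
    totp_lines "$1" | grep -Eq '(^|[[:space:]])nullok([[:space:]]|$)'
}

# Report one word: missing, disabled, optional or enforced.
audit_2fa() {  # $1=sshd_config  $2=PAM service file
    totp_lines "$2" >/dev/null 2>&1 || { echo missing; return 0; }
    pam=$(sshd_value "$1" UsePAM)
    cra=$(sshd_value "$1" ChallengeResponseAuthentication)
    # OpenSSH defaults when the keyword is absent: UsePAM no,
    # ChallengeResponseAuthentication yes (Ubuntu's shipped file sets both).
    if [ "${pam:-no}" != yes ] || [ "${cra:-yes}" != yes ]; then
        echo disabled; return 0
    fi
    if pam_allows_nullok "$2"; then echo optional; else echo enforced; fi
}

# Run against the live files when they are readable.
if [ -r /etc/ssh/sshd_config ] && [ -r /etc/pam.d/sshd ]; then
    audit_2fa /etc/ssh/sshd_config /etc/pam.d/sshd
fi
```

On a live server, `sudo sshd -T` prints the settings sshd will actually use, which is the authoritative answer when this file-based check and the running daemon disagree.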