
Ubuntu 18 Server with 2FA for SSH

















I want to set up 2FA on SSH on my Ubuntu 18.04 LTS Server. I don't want to use Google Authenticator, but an open-source solution.

Are there any guides for just using something free and other than Google Authenticator?

Thank you in advance.

Regards,










asked Jan 11 at 23:37

smunir

          1 Answer
Those guides should work with other 2FA applications (such as FreeOTP) as well.

Google Authenticator uses TOTP, and most 2FA applications, such as the open-source FreeOTP, use the same standard and you can use them in place of Google Authenticator.

For completeness, here is a (modified) guide from DigitalOcean to set up FreeOTP. Note that SSH public key logins will not ask for a 2FA token; if you want to use public key authentication with 2FA, see DigitalOcean's guide (and disable password-based authentication).

• Update Ubuntu's repositories and install libpam-google-authenticator (this works with other 2FA applications as well).

    sudo apt update && sudo apt install libpam-google-authenticator

• Set up a TOTP key for your user:

    google-authenticator

  Answer yes to the "Do you want authentication tokens to be time-based" and "Do you want me to update your "~/.google_authenticator" file" questions.

• Scan the (big) QR code (most GUI terminal emulators let you use Ctrl + - to zoom out and Ctrl + 0 to reset zoom) with FreeOTP or the 2FA application of your choice.

• Write down the backup codes somewhere and store them securely.

• Configure openssh-server to allow 2FA logins. You can remove nullok if you do not want to allow users without 2FA set up to log in.

    # Create /etc/pam.d/sshd with the common auth stack only if it does not exist yet
    [ -e /etc/pam.d/sshd ] || echo '@include common-auth' | sudo tee /etc/pam.d/sshd
    # Append the TOTP module to sshd's PAM auth stack
    echo auth 'required pam_google_authenticator.so nullok' | sudo tee -a /etc/pam.d/sshd
    sudo nano /etc/ssh/sshd_config

• Find the ChallengeResponseAuthentication line and change it to ChallengeResponseAuthentication yes, then press Ctrl + O then Enter to save the file and Ctrl + X to close nano.

• Restart sshd to apply the changes.

    sudo systemctl restart sshd

• Open another terminal (so you still have access if it didn't work) and try to log in.
















edited 14 mins ago

answered Jan 12 at 0:52

luk3yx
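
An added example, not part of luk3yx's answer: a read-only check of the two files the steps above edit, flagging the `nullok` and public-key caveats the answer mentions. The function names and sample files are constructed for illustration, and the `UsePAM` and `AuthenticationMethods` checks are assumptions that go beyond the answer's steps.

```shell
#!/bin/sh
# Added example: read-only audit of the two files the answer's steps modify.
# File paths are arguments, so it can be pointed at copies instead of /etc.

# sshd_opt FILE KEYWORD: print the first uncommented value of KEYWORD, lowercased.
# sshd uses the first value it reads; Match blocks and Include files are not
# followed here (on a live server, `sudo sshd -T` prints the effective config).
sshd_opt() {
    awk -v k="$2" 'tolower($1) == tolower(k) {
        $1 = ""; sub(/^[ \t]+/, ""); print tolower($0); exit }' "$1"
}

# audit_ssh_2fa PAM_FILE SSHD_CONFIG: print findings, return 0 only if there are none.
audit_ssh_2fa() {
    pam=$1; cfg=$2; n=0
    line=$(grep -E '^[[:space:]]*auth[[:space:]].*pam_google_authenticator\.so' "$pam" | head -n 1)
    if [ -z "$line" ]; then
        echo "FAIL: no pam_google_authenticator.so auth line in $pam"; n=$((n + 1))
    else
        case $line in *nullok*)
            echo "WARN: nullok is set, accounts without ~/.google_authenticator log in without a code"
            n=$((n + 1)) ;;
        esac
    fi
    # Newer OpenSSH releases call this option KbdInteractiveAuthentication.
    cr=$(sshd_opt "$cfg" ChallengeResponseAuthentication)
    kbd=$(sshd_opt "$cfg" KbdInteractiveAuthentication)
    if [ "$cr" != yes ] && [ "$kbd" != yes ]; then
        echo "FAIL: ChallengeResponseAuthentication is not 'yes', sshd cannot show the code prompt"
        n=$((n + 1))
    fi
    [ "$(sshd_opt "$cfg" UsePAM)" = yes ] || {
        echo "FAIL: UsePAM is not 'yes', /etc/pam.d/sshd is not consulted"; n=$((n + 1)); }
    # Public key logins skip the PAM auth stack unless AuthenticationMethods chains both.
    pk=$(sshd_opt "$cfg" PubkeyAuthentication)
    am=$(sshd_opt "$cfg" AuthenticationMethods)
    if [ "${pk:-yes}" = yes ]; then
        case $am in
            *publickey,keyboard-interactive*) : ;;
            *) echo "WARN: public key logins are accepted without a TOTP code"; n=$((n + 1)) ;;
        esac
    fi
    [ "$n" -eq 0 ]
}

# Constructed sample input: both files as the steps above leave them.
demo=$(mktemp -d)
printf '%s\n' '@include common-auth' \
    'auth required pam_google_authenticator.so nullok' > "$demo/pam_sshd"
printf '%s\n' '#PubkeyAuthentication yes' 'ChallengeResponseAuthentication yes' \
    'UsePAM yes' > "$demo/sshd_config"
audit_ssh_2fa "$demo/pam_sshd" "$demo/sshd_config" || echo "review the findings above"
```

On a real server the call would be `audit_ssh_2fa /etc/pam.d/sshd /etc/ssh/sshd_config`, run before restarting sshd and while an existing session is still open.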














• OathAuth and freeOTP didn't work.
  – smunir, Jan 23 at 0:31

• What didn't work / what error did you get?
  – luk3yx, Jan 23 at 0:39


















