Ubuntu 18 Server with 2FA for SSHSSH graphical session without graphical environment installed on serverHow...

Quenching swords in dragon blood; why?

Does fast page mode apply to ROM?

How should I handle players who ignore the session zero agreement?

What is the purpose of easy combat scenarios that don't need resource expenditure?

What is this metal M-shaped device for?

Can a dragon be stuck looking like a human?

Does Windows 10's telemetry include sending *.doc files if Word crashed?

How would a Dictatorship make a country more successful?

Why does a metal block make a shrill sound but not a wooden block upon hammering?

Where are a monster’s hit dice found in the stat block?

Can we use the stored gravitational potential energy of a building to produce power?

What to do when being responsible for data protection in your lab, yet advice is ignored?

Placing an adverb between a verb and an object?

insert EOF statement before the last line of file

A minimum of two personnel "are" or "is"?

Why did this image turn out darker?

How to avoid Replace substituting subscripts?

Difference between two quite-similar Terminal commands

What does Cypher mean when he says Neo is "gonna pop"?

Why do neural networks need so many training examples to perform?

How to deal with an incendiary email that was recalled

Using only 1s, make 29 with the minimum number of digits

What's a good word to describe a public place that looks like it wouldn't be rough?

Groups acting on trees



Ubuntu 18 Server with 2FA for SSH


SSH graphical session without graphical environment installed on serverHow to setup login your SSH server with Public/Private key authentification?Installed Xubuntu desktop on Ubuntu 12.04 server and now can't connect via SSHRun GParted over SSHHow can I redirect SSH users to another SSH login?google authenticator for certain usersTwo factor authentication on ssh server with Google's AuthenticationDisable PAM module for groupServer started in 'Rescue' modeCan't access server, 2FA rejecting verification codes and back-up codes don't work













0















I want to set up 2FA on SSH on my Ubuntu 18.04 LTS Server. I don't want to use Google Authenticator but Open Source solution.



Are there any guides for just using something free and other than Google Authenticator?



Thank you in advance.



Regards,






ssh







share|improve this question



























    0















    I want to set up 2FA on SSH on my Ubuntu 18.04 LTS Server. I don't want to use Google Authenticator but Open Source solution.



    Are there any guides for just using something free and other than Google Authenticator?



    Thank you in advance.



    Regards,






    ssh







    share|improve this question

























      0












      0








      0


      1






      I want to set up 2FA on SSH on my Ubuntu 18.04 LTS Server. I don't want to use Google Authenticator but Open Source solution.



      Are there any guides for just using something free and other than Google Authenticator?



      Thank you in advance.



      Regards,






      ssh







      share|improve this question














      I want to set up 2FA on SSH on my Ubuntu 18.04 LTS Server. I don't want to use Google Authenticator but Open Source solution.



      Are there any guides for just using something free and other than Google Authenticator?



      Thank you in advance.



      Regards,






      ssh




      ssh






      share|improve this question













      share|improve this question











      share|improve this question




      share|improve this question










      asked Jan 11 at 23:37









      smunirsmunir

      11




      11






















          1 Answer
          1






          active

          oldest

          votes


















          1














          Those guides should work with other 2FA applications (such as FreeOTP) as well.



          Google Authenticator uses TOTP, and most 2FA applications such as the open-source FreeOTP use the same standard and you can use them in place of Google Authenticator.



          For completeness, here is a (modified) guide from DigitalOcean to set up FreeOTP. Note that SSH public key logins will not ask for a 2FA token, if you want to use public key authentication with 2FA, see DigitalOcean's guide (and disable password-based authentication).





          • Update Ubuntu's repositories and install libpam-google-authenticator (this works with other 2FA applications as well).



            sudo apt update && sudo apt install libpam-google-authenticator



          • Set up a TOTP key for your user:



            google-authenticator


            Answer yes to the Do you want authentication tokens to be time-based and Do you want me to update your "~/.google_authenticator" file questions.



          • Scan the (big) QR code (most GUI terminal emulators let you use Ctrl + - to zoom out and Ctrl + 0 to reset zoom) with FreeOTP or the 2FA application of your choice.


          • Write down the backup codes somewhere and store them securely.



          • Configure openssh-server to allow 2FA logins. You can remove nullok if you do not want to allow users without 2FA set up to log in.



            [ -e /etc/pam.d/sshd ] || echo '@include common-auth' | sudo tee /etc/pam.d/sshd
            
echo auth 'required pam_google_authenticator.so nullok' | sudo tee -a /etc/pam.d/sshd
            
sudo nano /etc/ssh/sshd_config


          • Find the ChallengeResponseAuthentication line and change it to ChallengeResponseAuthentication yes, then press Ctrl + O then Enter to save the file and Ctrl + X to close nano.



          • Restart sshd to apply the changes.



            sudo systemctl restart sshd


          • Open another terminal (so you still have access if it didn't work) and try to log in.







          share|improve this answer


























          • OathAuth and freeOTP didn't work.

            – smunir
            Jan 23 at 0:31











          • What didn't work / what error did you get?

            – luk3yx
            Jan 23 at 0:39











          Your Answer








          StackExchange.ready(function() {
          var channelOptions = {
          tags: "".split(" "),
          id: "89"
          };
          initTagRenderer("".split(" "), "".split(" "), channelOptions);

          StackExchange.using("externalEditor", function() {
          // Have to fire editor after snippets, if snippets enabled
          if (StackExchange.settings.snippets.snippetsEnabled) {
          StackExchange.using("snippets", function() {
          createEditor();
          });
          }
          else {
          createEditor();
          }
          });

          function createEditor() {
          StackExchange.prepareEditor({
          heartbeatType: 'answer',
          autoActivateHeartbeat: false,
          convertImagesToLinks: true,
          noModals: true,
          showLowRepImageUploadWarning: true,
          reputationToPostImages: 10,
          bindNavPrevention: true,
          postfix: "",
          imageUploader: {
          brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
          contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
          allowUrls: true
          },
          onDemand: true,
          discardSelector: ".discard-answer"
          ,immediatelyShowMarkdownHelp:true
          });


          }
          });














          draft saved

          draft discarded


















          StackExchange.ready(
          function () {
          StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2faskubuntu.com%2fquestions%2f1109013%2fubuntu-18-server-with-2fa-for-ssh%23new-answer', 'question_page');
          }
          );

          Post as a guest















          Required, but never shown

























          1 Answer
          1






          active

          oldest

          votes








          1 Answer
          1






          active

          oldest

          votes









          active

          oldest

          votes






          active

          oldest

          votes









          1














          Those guides should work with other 2FA applications (such as FreeOTP) as well.



          Google Authenticator uses TOTP, and most 2FA applications such as the open-source FreeOTP use the same standard and you can use them in place of Google Authenticator.



          For completeness, here is a (modified) guide from DigitalOcean to set up FreeOTP. Note that SSH public key logins will not ask for a 2FA token, if you want to use public key authentication with 2FA, see DigitalOcean's guide (and disable password-based authentication).





          • Update Ubuntu's repositories and install libpam-google-authenticator (this works with other 2FA applications as well).



            sudo apt update && sudo apt install libpam-google-authenticator



          • Set up a TOTP key for your user:



            google-authenticator


            Answer yes to the Do you want authentication tokens to be time-based and Do you want me to update your "~/.google_authenticator" file questions.



          • Scan the (big) QR code (most GUI terminal emulators let you use Ctrl + - to zoom out and Ctrl + 0 to reset zoom) with FreeOTP or the 2FA application of your choice.


          • Write down the backup codes somewhere and store them securely.



          • Configure openssh-server to allow 2FA logins. You can remove nullok if you do not want to allow users without 2FA set up to log in.



            [ -e /etc/pam.d/sshd ] || echo '@include common-auth' | sudo tee /etc/pam.d/sshd
            
echo auth 'required pam_google_authenticator.so nullok' | sudo tee -a /etc/pam.d/sshd
            
sudo nano /etc/ssh/sshd_config


          • Find the ChallengeResponseAuthentication line and change it to ChallengeResponseAuthentication yes, then press Ctrl + O then Enter to save the file and Ctrl + X to close nano.



          • Restart sshd to apply the changes.



            sudo systemctl restart sshd


          • Open another terminal (so you still have access if it didn't work) and try to log in.







          share|improve this answer


























          • OathAuth and freeOTP didn't work.

            – smunir
            Jan 23 at 0:31











          • What didn't work / what error did you get?

            – luk3yx
            Jan 23 at 0:39
















          1














          Those guides should work with other 2FA applications (such as FreeOTP) as well.



          Google Authenticator uses TOTP, and most 2FA applications such as the open-source FreeOTP use the same standard and you can use them in place of Google Authenticator.



          For completeness, here is a (modified) guide from DigitalOcean to set up FreeOTP. Note that SSH public key logins will not ask for a 2FA token, if you want to use public key authentication with 2FA, see DigitalOcean's guide (and disable password-based authentication).





          • Update Ubuntu's repositories and install libpam-google-authenticator (this works with other 2FA applications as well).



            sudo apt update && sudo apt install libpam-google-authenticator



          • Set up a TOTP key for your user:



            google-authenticator


            Answer yes to the Do you want authentication tokens to be time-based and Do you want me to update your "~/.google_authenticator" file questions.



          • Scan the (big) QR code (most GUI terminal emulators let you use Ctrl + - to zoom out and Ctrl + 0 to reset zoom) with FreeOTP or the 2FA application of your choice.


          • Write down the backup codes somewhere and store them securely.



          • Configure openssh-server to allow 2FA logins. You can remove nullok if you do not want to allow users without 2FA set up to log in.



            [ -e /etc/pam.d/sshd ] || echo '@include common-auth' | sudo tee /etc/pam.d/sshd
            
echo auth 'required pam_google_authenticator.so nullok' | sudo tee -a /etc/pam.d/sshd
            
sudo nano /etc/ssh/sshd_config


          • Find the ChallengeResponseAuthentication line and change it to ChallengeResponseAuthentication yes, then press Ctrl + O then Enter to save the file and Ctrl + X to close nano.



          • Restart sshd to apply the changes.



            sudo systemctl restart sshd


          • Open another terminal (so you still have access if it didn't work) and try to log in.







          share|improve this answer


























          • OathAuth and freeOTP didn't work.

            – smunir
            Jan 23 at 0:31











          • What didn't work / what error did you get?

            – luk3yx
            Jan 23 at 0:39














          1












          1








          1







          Those guides should work with other 2FA applications (such as FreeOTP) as well.



          Google Authenticator uses TOTP, and most 2FA applications such as the open-source FreeOTP use the same standard and you can use them in place of Google Authenticator.



          For completeness, here is a (modified) guide from DigitalOcean to set up FreeOTP. Note that SSH public key logins will not ask for a 2FA token, if you want to use public key authentication with 2FA, see DigitalOcean's guide (and disable password-based authentication).





          • Update Ubuntu's repositories and install libpam-google-authenticator (this works with other 2FA applications as well).



            sudo apt update && sudo apt install libpam-google-authenticator



          • Set up a TOTP key for your user:



            google-authenticator


            Answer yes to the Do you want authentication tokens to be time-based and Do you want me to update your "~/.google_authenticator" file questions.



          • Scan the (big) QR code (most GUI terminal emulators let you use Ctrl + - to zoom out and Ctrl + 0 to reset zoom) with FreeOTP or the 2FA application of your choice.


          • Write down the backup codes somewhere and store them securely.



          • Configure openssh-server to allow 2FA logins. You can remove nullok if you do not want to allow users without 2FA set up to log in.



            [ -e /etc/pam.d/sshd ] || echo '@include common-auth' | sudo tee /etc/pam.d/sshd
            
echo auth 'required pam_google_authenticator.so nullok' | sudo tee -a /etc/pam.d/sshd
            
sudo nano /etc/ssh/sshd_config


          • Find the ChallengeResponseAuthentication line and change it to ChallengeResponseAuthentication yes, then press Ctrl + O then Enter to save the file and Ctrl + X to close nano.



          • Restart sshd to apply the changes.



            sudo systemctl restart sshd


          • Open another terminal (so you still have access if it didn't work) and try to log in.







          share|improve this answer















          Those guides should work with other 2FA applications (such as FreeOTP) as well.



          Google Authenticator uses TOTP, and most 2FA applications such as the open-source FreeOTP use the same standard and you can use them in place of Google Authenticator.



          For completeness, here is a (modified) guide from DigitalOcean to set up FreeOTP. Note that SSH public key logins will not ask for a 2FA token, if you want to use public key authentication with 2FA, see DigitalOcean's guide (and disable password-based authentication).





          • Update Ubuntu's repositories and install libpam-google-authenticator (this works with other 2FA applications as well).



            sudo apt update && sudo apt install libpam-google-authenticator



          • Set up a TOTP key for your user:



            google-authenticator


            Answer yes to the Do you want authentication tokens to be time-based and Do you want me to update your "~/.google_authenticator" file questions.



          • Scan the (big) QR code (most GUI terminal emulators let you use Ctrl + - to zoom out and Ctrl + 0 to reset zoom) with FreeOTP or the 2FA application of your choice.


          • Write down the backup codes somewhere and store them securely.



          • Configure openssh-server to allow 2FA logins. You can remove nullok if you do not want to allow users without 2FA set up to log in.



            [ -e /etc/pam.d/sshd ] || echo '@include common-auth' | sudo tee /etc/pam.d/sshd
            
echo auth 'required pam_google_authenticator.so nullok' | sudo tee -a /etc/pam.d/sshd
            
sudo nano /etc/ssh/sshd_config


          • Find the ChallengeResponseAuthentication line and change it to ChallengeResponseAuthentication yes, then press Ctrl + O then Enter to save the file and Ctrl + X to close nano.



          • Restart sshd to apply the changes.



            sudo systemctl restart sshd


          • Open another terminal (so you still have access if it didn't work) and try to log in.








          share|improve this answer














          share|improve this answer



          share|improve this answer








          edited 14 mins ago

























          answered Jan 12 at 0:52









          luk3yxluk3yx

          331215




          331215













          • OathAuth and freeOTP didn't work.

            – smunir
            Jan 23 at 0:31











          • What didn't work / what error did you get?

            – luk3yx
            Jan 23 at 0:39



















          • OathAuth and freeOTP didn't work.

            – smunir
            Jan 23 at 0:31











          • What didn't work / what error did you get?

            – luk3yx
            Jan 23 at 0:39

















          OathAuth and freeOTP didn't work.

          – smunir
          Jan 23 at 0:31





          OathAuth and freeOTP didn't work.

          – smunir
          Jan 23 at 0:31













          What didn't work / what error did you get?

          – luk3yx
          Jan 23 at 0:39





          What didn't work / what error did you get?

          – luk3yx
          Jan 23 at 0:39


















          draft saved

          draft discarded




















































          Thanks for contributing an answer to Ask Ubuntu!


          • Please be sure to answer the question. Provide details and share your research!

          But avoid



          • Asking for help, clarification, or responding to other answers.

          • Making statements based on opinion; back them up with references or personal experience.


          To learn more, see our tips on writing great answers.




          draft saved


          draft discarded














          StackExchange.ready(
          function () {
          StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2faskubuntu.com%2fquestions%2f1109013%2fubuntu-18-server-with-2fa-for-ssh%23new-answer', 'question_page');
          }
          );

          Post as a guest















          Required, but never shown





















































          Required, but never shown














          Required, but never shown












          Required, but never shown







          Required, but never shown

































          Required, but never shown














          Required, but never shown












          Required, but never shown







          Required, but never shown







          -

          Popular posts from this blog

          Why do type traits not work with types in namespace scope?What are POD types in C++?Why can templates only be...

          Image
          What does it mean to express a gate in Dirac notation? A Strange Latex Symbol How can Republicans who favour free markets, consistently express anger when they don't like the outcome of that choice? What happened to Captain America in Endgame? How to solve constants out of the internal energy equation? How can I place the product on a social media post better? Will tsunami waves travel forever if there was no land? Unexpected email from Yorkshire Bank What is the relationship between spectral sequences and obstruction theory? How can I practically buy stocks? Will a top journal at least re
          Read more

          Will tsunami waves travel forever if there was no land?Why do tsunami waves begin with the water flowing away...

          Image
          How much cash can I safely carry into the USA and avoid civil forfeiture? Is there really no use for MD5 anymore? Is contacting this expert in the field something acceptable or would it be discourteous? How to pronounce 'C++' in Spanish How to creep the reader out with what seems like a normal person? Critique of timeline aesthetic Sci fi novel series with instant travel between planets through gates. A river runs through the gates How did Captain America manage to do this? Are Boeing 737-800’s grounded? Error message with tabularx How to make a pipeline wait for end-of-file or stop af
          Read more

          Should I use Docker or LXD?How to cache (more) data on SSD/RAM to avoid spin up?Unable to get Windows File...

          Image
          kill -0 <PID> は何をするのでしょうか? Why avoid shared user accounts? Using only 1s, make 29 with the minimum number of digits Cookies - Should the toggles be on? Can I string the DnD Starter Set campaign into another modules, keeping the same characters? Why do neural networks need so many training examples to perform? Intern applicant asking for compensation equivalent to that of permanent employee Why would space fleets be aligned? It took me a lot of time to make this, pls like. (YouTube Comments #1) Can a long polymer chain interact with itself via van der Waals forces? What is the purpose of
          Read more