
Boost Your Server Security: A Step-by-Step Guide to SSH 2FA on Ubuntu
In today’s digital landscape, securing remote access to your servers is not just a best practice—it’s a necessity. While a strong password for SSH is a good first step, it’s vulnerable to brute-force attacks and credential theft. To truly fortify your server, you need an additional layer of defense.
This is where Two-Factor Authentication (2FA) comes in. By requiring a second, time-sensitive code from a separate device (like your smartphone), you make it exponentially harder for unauthorized users to gain access, even if they manage to steal your password.
This guide will walk you through the process of setting up Google Authenticator for SSH on your Ubuntu server, adding a critical security layer to protect your valuable data.
What You’ll Need
Before we begin, make sure you have the following:
- An Ubuntu server (this guide is tested on 18.04, 20.04, and 22.04).
- Access to a user account with sudo privileges.
- A smartphone with an authenticator app installed (e.g., Google Authenticator, Authy, or Microsoft Authenticator).
Step 1: Install the Google Authenticator Module
The first step is to install the necessary Pluggable Authentication Module (PAM) that allows Ubuntu to integrate with Google Authenticator.
Open your terminal and run the following command to update your package list and install the module:
sudo apt update && sudo apt install libpam-google-authenticator
This single command installs everything you need to get started.
Step 2: Configure 2FA for Your User Account
With the module installed, you now need to configure it for the user account you want to protect. This process generates a unique secret key and links it to your authenticator app.
Run the following command in your terminal. Do not run this with sudo, as it needs to be configured for your specific user account.
google-authenticator
You will be asked a series of questions. Here are the recommended answers for a secure setup:
- “Do you want authentication tokens to be time-based (y/n) y”
- Press y. Time-based tokens (TOTP) are the standard and most secure option.
After you answer yes, you will see a large QR code, a secret key, a verification code, and five emergency scratch codes.
ACTION REQUIRED: This is the most critical step.
- Scan the QR code with your authenticator app. This will add the new account to your app, which will begin generating 6-digit codes.
- Securely save the secret key and the emergency scratch codes. Store these in a safe place, like a password manager or a secure physical location. If you lose your phone, these codes are your only way to regain access to your server.
Now, continue answering the remaining questions in the terminal:
- “Do you want me to update your "/home/youruser/.google_authenticator" file? (y/n) y”
- Press y to save the configuration.
- “Do you want to disallow multiple uses of the same authentication token? … (y/n) y”
- Press y. This is a vital security measure that prevents replay attacks.
- “By default, tokens are good for 30 seconds… Do you want to authorize a window of 1:30 min? (y/n) y”
- Press y. This allows for a small time skew between your server and your phone, preventing login failures due to minor clock drift.
- “Do you want to enable rate-limiting for the authentication module? (y/n) y”
- Press y. This helps protect against brute-force attempts on the 2FA code itself by limiting login attempts.
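To make concrete what the time-based, 1:30 min window and no-reuse options above actually mean, here is an added Python example (not code from this guide or from the pam_google_authenticator project): it derives the 6-digit TOTP code from a base32 secret the way the app does, then verifies it with the same skew window and replay rule. The secret is the RFC 6238 test key, constructed for the example.

```python
import base64
import hmac
import struct
from hashlib import sha1

STEP_SECONDS = 30   # "tokens are good for 30 seconds"
WINDOW_STEPS = 1    # accept previous/current/next step: the 1:30 min window
DIGITS = 6

# Constructed sample secret: the RFC 6238 test key "12345678901234567890" in base32,
# the same form google-authenticator prints and the app reads from the QR code.
SAMPLE_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def totp(secret_b32, unix_time):
    """RFC 6238: HMAC-SHA1 over the 30 s counter, dynamically truncated to 6 digits."""
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)
    key = base64.b32decode(padded)
    counter = struct.pack(">Q", unix_time // STEP_SECONDS)
    digest = hmac.new(key, counter, sha1).digest()
    offset = digest[-1] & 0x0F
    value = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)


class Verifier:
    """Server-side check with the two options the prompts ask about:
    a +-1 step skew window and 'disallow multiple uses of the same token'."""

    def __init__(self, secret_b32):
        self.secret = secret_b32
        self.used_steps = set()   # pam_google_authenticator records this in ~/.google_authenticator

    def verify(self, code, now):
        current = now // STEP_SECONDS
        for step in range(current - WINDOW_STEPS, current + WINDOW_STEPS + 1):
            if step in self.used_steps:
                continue                    # replay of an already-consumed token
            expected = totp(self.secret, step * STEP_SECONDS)
            if hmac.compare_digest(expected, code):
                self.used_steps.add(step)   # burn it so the same 6 digits cannot log in twice
                return True
        return False
```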
Step 3: Configure SSH to Use the New Module
Now you need to tell the SSH service to use the Google Authenticator module you just configured. This involves editing two separate files.
First, enable the PAM module for SSH. Open the SSH PAM configuration file with a text editor like nano:
sudo nano /etc/pam.d/sshd
Add the following line to the top of the file:
auth required pam_google_authenticator.so
Save and close the file (Ctrl+X, then Y, then Enter in nano).
Second, enable challenge-response authentication in the main SSH configuration. This allows SSH to prompt you for the verification code.
Open the sshd_config file:
sudo nano /etc/ssh/sshd_config
Find the line that says ChallengeResponseAuthentication and change its value from no to yes. It should look like this:
ChallengeResponseAuthentication yes
If the line is commented out with a #, be sure to remove the # at the beginning.
Save and close the file.
Step 4: Restart the SSH Service to Apply Changes
For the new configurations to take effect, you must restart the SSH service.
sudo systemctl restart sshd
IMPORTANT SECURITY TIP: Do not close your current SSH session yet! If there is an error in your configuration, you could be locked out of your server. Keep your current session open while you test the new login process in a separate terminal window.
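Before the restart, it is worth checking the two files edited in Step 3 for the mistakes that cause exactly the lockout the tip above warns about. This is an added Python example, not part of the original guide; it runs on constructed sample file contents, and on a real host you would pass it the text of /etc/pam.d/sshd and /etc/ssh/sshd_config.

```python
import re

# Constructed sample file contents (not read from a live system) so the check runs anywhere.
SAMPLE_PAM_SSHD = """\
auth required pam_google_authenticator.so
@include common-auth
account    required     pam_nologin.so
"""

# Trap shown here: the original "no" was left in place and "yes" appended further down.
# sshd keeps the FIRST value it reads for a keyword, so this file still says "no".
SAMPLE_SSHD_CONFIG_BAD = """\
#ChallengeResponseAuthentication no
ChallengeResponseAuthentication no
UsePAM yes
ChallengeResponseAuthentication yes
"""

# Newer OpenSSH (e.g. Ubuntu 22.04) names the option KbdInteractiveAuthentication;
# ChallengeResponseAuthentication is still accepted as an alias, so both are checked.
SAMPLE_SSHD_CONFIG_GOOD = """\
KbdInteractiveAuthentication yes
UsePAM yes
"""


def effective_option(config_text, names):
    """Return (keyword, value) of the first uncommented match, mirroring sshd's first-value-wins rule."""
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()            # a leading '#' makes the whole line inert
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)  # "Key value" and "Key=value" are both legal
        if len(parts) == 2 and parts[0].lower() in names:
            return parts[0], parts[1].strip().lower()
    return None


def check_2fa_config(pam_text, sshd_text):
    """List what would break the Step 3 setup; an empty list means the files look right."""
    problems = []
    if not re.search(r"^\s*auth\s+required\s+pam_google_authenticator\.so", pam_text, re.M):
        problems.append("pam.d/sshd: 'auth required pam_google_authenticator.so' line is missing")
    chal = effective_option(sshd_text, {"challengeresponseauthentication", "kbdinteractiveauthentication"})
    if chal is None or chal[1] != "yes":
        problems.append("sshd_config: challenge-response (keyboard-interactive) auth is not yes")
    pam = effective_option(sshd_text, {"usepam"})
    if pam is None or pam[1] != "yes":
        problems.append("sshd_config: UsePAM is not yes, so the PAM module is never consulted")
    if re.search(r"^\s*Include\s", sshd_text, re.M | re.I):
        problems.append("sshd_config: an Include comes first; files it pulls in take precedence over values below it")
    return problems
```

It does not replace `sudo sshd -t`, which parses the real configuration and reports syntax errors before you restart the service.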
Step 5: Test Your New 2FA-Secured Login
Open a new terminal window and try to SSH into your server as you normally would.
You will now be prompted for two things in order:
- Password: Enter your user password first.
- Verification code: Enter the 6-digit code from your authenticator app.
If you entered both correctly, you will be successfully logged in.
Congratulations! You have successfully added a powerful layer of two-factor authentication to your SSH service. This simple change dramatically improves your server’s security posture and provides peace of mind against unauthorized access.
Source: https://kifarunix.com/enable-ssh-2-factor-authentication-on-ubuntu-18-04/