Knowledge Base

How to enable two-factor authentication for SSH

This article describes how to enable and disable two-factor authentication for SSH on a semi-managed server.

This article only applies to products listed in the Article Details sidebar. You must have root access to the server to follow these procedures.

About two-factor authentication

By default, when users access your semi-managed VPS, Cloud VPS, or Flex Dedicated server using SSH, they type a username and password to log in.

Two-factor authentication provides an extra layer of security, because in addition to knowing the correct username and password, users must provide another piece of information. This piece of information is a temporary, numeric password generated independently on the server and on a mobile device, such as a smartphone or tablet.

As a result, in order for a potential attacker to access your server, he or she would not only need to obtain something you know (your username and password), but also something you have (your mobile device). This two-factor approach to logins significantly enhances your server's security, and makes brute-force attacks much more difficult.

Enabling two-factor authentication for SSH

To enable two-factor authentication with SSH on your server, do the following steps in the order in which they are presented.

Step 1: Disable root logins for SSH

If you haven't done so already, you should disable root SSH logins on your server and create a normal user account. For information about how to do this, please see this article.

Step 2: Install an authenticator app on a mobile device

You use an authenticator app on your smartphone or tablet to generate a one-time password that you use to log in (this is the “second factor” for authentication, in addition to your username and password).

Step 3: Enable two-factor authentication on the server

To enable two-factor authentication on the server, follow these steps:

  1. Log in to your server using SSH.
  2. As the root user, install the Google Authenticator package:
    • For Debian and Ubuntu, type the following command:
      apt-get install libpam-google-authenticator
      
    • For CentOS and Fedora, the EPEL repository contains a very old version of Google Authenticator. To build a more recent version from the source code, type the following commands:

      yum install make gcc pam-devel
      cd /tmp
      wget http://google-authenticator.googlecode.com/files/libpam-google-authenticator-1.0-source.tar.bz2
      bunzip2 libpam-google-authenticator-1.0-source.tar.bz2
      tar xf libpam-google-authenticator-1.0-source.tar
      cd libpam-google-authenticator-1.0
      make
      make install
      
    Google develops and maintains the Google Authenticator code, but it does not collect any information from your server.
  3. Stay logged in as the root user, and then in a separate window, log in to your server as a normal (that is, non-root) user.
  4. At the command prompt, type the following command:

    google-authenticator
  5. At the Do you want authentication tokens to be time-based? prompt, type y and then press Enter.
  6. The server generates a QR code image and emergency codes. On your mobile device, scan the QR code image and configure the account.

    Alternatively, if your device does not support reading QR codes, you can manually enter the alphanumeric secret key.
    Make sure you store the secret key and emergency codes in a safe place. You must have one of these emergency codes if you ever lose your mobile device, or if it is inaccessible for some reason. Otherwise, you will be unable to access your account.
  7. On the server, at the Do you want me to update your “/home/username/.google_authenticator” file? prompt, type y and then press Enter.
  8. At the Do you want to disallow multiple uses of the same authentication token? prompt, type y and then press Enter.
  9. At the By default, tokens are good for 30 seconds… prompt, type n and then press Enter.

    As the full prompt states, if you experience time synchronization problems (that is, you enter a code from your mobile device, but the server rejects it), you can increase the token validity interval from its default length of 90 seconds to around four minutes. The default value should work fine in most cases however, and is more secure.
  10. At the Do you want to enable rate-limiting? prompt, type y and then press Enter.
  11. As the root user, open the /etc/pam.d/sshd file in your preferred text editor.

    • Add the following line to the top of the file:
      auth required pam_google_authenticator.so nullok
    • Save your changes to the sshd file.
    The nullok setting enables users that have not configured two-factor authentication yet to still log in using only a username and password. It is a good idea to use this setting when you configure two-factor authentication for the first time. After you configure two-factor authentication for all of your users, you can remove the nullok setting to make two-factor authentication mandatory.
  12. As the root user, open the /etc/ssh/sshd_config file in your preferred text editor.

    • Locate the following line:
      ChallengeResponseAuthentication no
    • Modify the line as follows:

      ChallengeResponseAuthentication yes
    • Save your changes to the sshd_config file.
  13. As the root user, restart the SSH service:

    • For Debian and Ubuntu, type the following command:
      service ssh restart
      
    • For CentOS and Fedora, type the following command:

       service sshd restart
      
  14. While still logged in as the root user, in a separate window log in as the normal user and test the new configuration:

    • At the Verification code prompt, type the numeric password displayed by the authenticator app on your mobile device.
    • At the Password prompt, type the password for the user.
    If authentication fails, verify that you followed the previous steps correctly. Do not log out as the root user until you are sure the new authentication configuration is working correctly.

Disabling two-factor authentication for SSH

If you decide that you no longer want to use two-factor authentication with SSH, you can disable it. To do this, follow these steps:

  1. Log in to your server using SSH.
  2. As the root user, open the /etc/pam.d/sshd file in your preferred text editor.
    • Delete or comment out the following line at the top of the file:
      auth required pam_google_authenticator.so nullok
    • Save your changes to the sshd file.
  3. Open the /etc/ssh/sshd_config file in your preferred text editor.

    • Locate the following line:
      ChallengeResponseAuthentication yes
    • Modify the line as follows:

      ChallengeResponseAuthentication no
    • Save your changes to the sshd_config file.
  4. Restart the SSH service:

    • For Debian and Ubuntu, type the following command:
      service ssh restart
      
    • For CentOS and Fedora, type the following command:

       service sshd restart
      

    Two-factor authentication is now disabled for SSH.