Setting Up Google Authenticator for SSH and Sudo Access on Linux#

Two-factor authentication (2FA) adds an essential layer of security to your system access. This guide demonstrates how to implement Google Authenticator for both SSH and sudo access on Linux systems, providing robust protection against unauthorized access attempts.

Understanding the Components#

1
graph TD
2
    A[User Access Request] --> B[Password Authentication]
3
    B --> C[Google Authenticator]
4
    C --> D[Access Granted]
5

6
    E[Components] --> F[PAM Module]
7
    E --> G[SSH Configuration]
8
    E --> H[Google Auth App]
9

10
    F --> I[System Authentication]
11
    G --> I
12
    H --> C

Prerequisites#

Before starting the implementation, ensure you have:

Root or sudo access to the system
Package manager access (dnf, apt, etc.)
Google Authenticator app on your mobile device

Installation Steps#

1. Installing Required Packages#

1
# For Rocky Linux/CentOS/RHEL
2
sudo dnf install google-authenticator qrencode -y
3

4
# For Ubuntu/Debian
5
sudo apt install libpam-google-authenticator qrencode -y

2. Configuring PAM for SSH#

Create a backup of your PAM SSH configuration:

1
# Backup original configuration
2
sudo cp /etc/pam.d/sshd /etc/pam.d/sshd.bak
3

4
# Configure PAM for SSH
5
sudo tee /etc/pam.d/sshd > /dev/null << 'EOF'
6
#%PAM-1.0
7
auth required pam_google_authenticator.so nullok
8
auth include system-auth
9
account include system-auth
10
password include system-auth
11
session include system-auth
12
EOF

3. Configuring PAM for Sudo#

Create a backup and configure sudo PAM:

1
# Backup original configuration
2
sudo cp /etc/pam.d/sudo /etc/pam.d/sudo.bak
3

4
# Configure PAM for sudo
5
sudo tee /etc/pam.d/sudo > /dev/null << 'EOF'
6
#%PAM-1.0
7
auth required pam_google_authenticator.so nullok
8
auth include system-auth
9
account include system-auth
10
password include system-auth
11
session include system-auth
12
EOF

4. Configuring SSH Daemon#

Modify the SSH daemon configuration:

1
# Backup sshd_config
2
sudo cp /etc/ssh/sshd_config /etc/ssh/sshd_config.bak
3

4
# Update SSH configuration
5
sudo sed -i 's/^ChallengeResponseAuthentication no/ChallengeResponseAuthentication yes/' /etc/ssh/sshd_config
6
sudo sed -i 's/^UsePAM no/UsePAM yes/' /etc/ssh/sshd_config
7

8
# Restart SSH daemon
9
sudo systemctl restart sshd

5. Setting Up Google Authenticator#

Run the configuration utility:

1
google-authenticator

Answer the configuration questions as follows:

1
Do you want authentication tokens to be time-based? y
2
Do you want to update your "~/.google_authenticator" file? y
3
Do you want to disallow multiple uses of the same authentication token? y
4
By default, a new token is generated every 30 seconds by the mobile app. Do you want to do so? y
5
Do you want to enable rate-limiting? y

Testing the Configuration#

1. Testing SSH Access#

Open a new terminal and attempt to SSH into your server:

1
ssh username@your-server
2
Password: [Enter your password]
3
Verification code: [Enter code from Google Authenticator app]

2. Testing Sudo Access#

Try using sudo with your new configuration:

1
sudo ls
2
[sudo] password for username: [Enter your password]
3
Verification code: [Enter code from Google Authenticator app]

Troubleshooting Common Issues#

Issue 1: Authentication Fails#

If authentication fails, check the PAM configuration:

1
# Check PAM logs
2
sudo tail -f /var/log/auth.log
3

4
# Verify PAM module is loaded
5
ldd /usr/lib64/security/pam_google_authenticator.so

Issue 2: SSH Access Issues#

If you can’t access SSH after configuration:

1
# Access server console and check SSH status
2
sudo systemctl status sshd
3

4
# Check SSH configuration
5
sudo sshd -T | grep -E 'challengeresponseauthentication|usepam'

Issue 3: Unknown Defaults Entry Error#

If you see “unknown defaults entry ‘auth_type’” error:

1
# Edit sudoers file safely
2
sudo visudo
3

4
# Comment out or remove the auth_type line if present
5
# Defaults    auth_type=auth

Security Best Practices#

1. Backup Recovery Codes#

1
# Create a secure location for backup codes
2
sudo mkdir -p /root/.2fa-backups
3
sudo cp ~/.google_authenticator /root/.2fa-backups/$(whoami)-google-authenticator
4
sudo chmod 600 /root/.2fa-backups/$(whoami)-google-authenticator

2. Rate Limiting Configuration#

Add rate limiting to prevent brute force attacks:

1
# Edit Google Authenticator configuration
2
sudo nano ~/.google_authenticator
3

4
# Add rate limiting parameters
5
RATE_LIMIT 3 30
6
DISALLOW_REUSE

3. Monitoring and Logging#

Set up logging for authentication attempts:

1
# Configure rsyslog for authentication logging
2
sudo tee /etc/rsyslog.d/auth-logging.conf > /dev/null << 'EOF'
3
auth,authpriv.*                 /var/log/auth.log
4
EOF
5

6
# Restart rsyslog
7
sudo systemctl restart rsyslog

4. Session Management#

Configure session timeouts:

1
# Add to /etc/profile.d/timeout.sh
2
sudo tee /etc/profile.d/timeout.sh > /dev/null << 'EOF'
3
TMOUT=900
4
readonly TMOUT
5
export TMOUT
6
EOF
7

8
# Make it executable
9
sudo chmod +x /etc/profile.d/timeout.sh

Recovery Procedures#

1. Creating Emergency Access#

Set up emergency access for administrators:

1
# Create backup access configuration
2
sudo mkdir -p /root/.ssh/emergency
3
sudo ssh-keygen -t ed25519 -f /root/.ssh/emergency/recovery_key
4
sudo cat /root/.ssh/emergency/recovery_key.pub >> /root/.ssh/authorized_keys

2. Recovery Process#

If 2FA fails, use recovery codes:

1
# View recovery codes
2
cat ~/.google_authenticator
3

4
# Reset Google Authenticator if needed
5
rm ~/.google_authenticator
6
google-authenticator

Automation and Deployment#

1. Automated Setup Script#

Create a deployment script:

1
#!/bin/bash
2
# Check if running as root
3
if [ "$EUID" -ne 0 ]; then
4
  echo "Please run as root"
5
  exit 1
6
fi
7

8
# Install required packages
9
dnf install -y google-authenticator qrencode
10

11
# Configure PAM
12
cp /etc/pam.d/sshd /etc/pam.d/sshd.bak
13
cp /etc/pam.d/sudo /etc/pam.d/sudo.bak
14

15
# Configure SSH
16
cp /etc/ssh/sshd_config /etc/ssh/sshd_config.bak
17
sed -i 's/^ChallengeResponseAuthentication no/ChallengeResponseAuthentication yes/' /etc/ssh/sshd_config
18
sed -i 's/^UsePAM no/UsePAM yes/' /etc/ssh/sshd_config
19

20
# Update PAM configurations
21
cat > /etc/pam.d/sshd << 'EOF'
22
#%PAM-1.0
23
auth required pam_google_authenticator.so nullok
24
auth include system-auth
25
account include system-auth
26
password include system-auth
27
session include system-auth
28
EOF
29

30
cat > /etc/pam.d/sudo << 'EOF'
31
#%PAM-1.0
32
auth required pam_google_authenticator.so nullok
33
auth include system-auth
34
account include system-auth
35
password include system-auth
36
session include system-auth
37
EOF
38

39
# Restart services
40
systemctl restart sshd
41

42
echo "2FA configuration complete. Run 'google-authenticator' for each user."

2. User Setup Script#

Create a script for user setup:

1
#!/bin/bash
2
# Generate Google Authenticator configuration
3
google-authenticator -t -d -f -r 3 -R 30 -w 3
4

5
# Create backup
6
sudo cp ~/.google_authenticator /root/.2fa-backups/$(whoami)-google-authenticator
7
sudo chmod 600 /root/.2fa-backups/$(whoami)-google-authenticator
8

9
echo "2FA setup complete for user $(whoami)"

Conclusion#

Implementing Google Authenticator 2FA provides a robust security layer for both SSH and sudo access. The configuration process requires careful attention to detail, but the enhanced security is worth the effort. Regular testing and maintenance of the 2FA system ensures continued protection of your infrastructure.

Remember to:

Keep backup codes in a secure location
Regularly update and maintain your 2FA configuration
Monitor authentication logs for unusual activity
Train users on proper 2FA usage and recovery procedures