Setting Up Google Authenticator for SSH and Sudo Access on Linux
Two-factor authentication (2FA) adds an essential layer of security to your system access. This guide demonstrates how to implement Google Authenticator for both SSH and sudo access on Linux systems, providing robust protection against unauthorized access attempts.
Understanding the Components
graph TD
    A[User Access Request] --> B[Password Authentication]
    B --> C[Google Authenticator]
    C --> D[Access Granted]
    E[Components] --> F[PAM Module]
    E --> G[SSH Configuration]
    E --> H[Google Auth App]
    F --> I[System Authentication]
    G --> I
    H --> C
Prerequisites
Before starting the implementation, ensure you have:
- Root or sudo access to the system
- Package manager access (dnf, apt, etc.)
- Google Authenticator app on your mobile device
Installation Steps
1. Installing Required Packages
# For Rocky Linux/CentOS/RHEL
sudo dnf install google-authenticator qrencode -y

# For Ubuntu/Debian
sudo apt install libpam-google-authenticator qrencode -y
2. Configuring PAM for SSH
Create a backup of your PAM SSH configuration. The stacks below use the RHEL-family system-auth include; on Debian/Ubuntu the equivalents are common-auth, common-account, common-password and common-session.
# Backup original configuration
sudo cp /etc/pam.d/sshd /etc/pam.d/sshd.bak

# Configure PAM for SSH
# nullok lets users who have not yet created ~/.google_authenticator log in
# with password only, so remove it once every account is enrolled
sudo tee /etc/pam.d/sshd > /dev/null << 'EOF'
#%PAM-1.0
auth required pam_google_authenticator.so nullok
auth include system-auth
account include system-auth
password include system-auth
session include system-auth
EOF
3. Configuring PAM for Sudo
Create a backup and configure sudo PAM:
# Backup original configuration
sudo cp /etc/pam.d/sudo /etc/pam.d/sudo.bak

# Configure PAM for sudo
sudo tee /etc/pam.d/sudo > /dev/null << 'EOF'
#%PAM-1.0
auth required pam_google_authenticator.so nullok
auth include system-auth
account include system-auth
password include system-auth
session include system-auth
EOF
4. Configuring SSH Daemon
Modify the SSH daemon configuration so that sshd hands logins to PAM and allows the keyboard-interactive prompt. On OpenSSH 8.7 and later the option is named KbdInteractiveAuthentication (ChallengeResponseAuthentication is kept as an alias). Note that public-key logins do not run the PAM auth stack, so they are not prompted for a code unless you also set AuthenticationMethods publickey,keyboard-interactive.
# Backup sshd_config
sudo cp /etc/ssh/sshd_config /etc/ssh/sshd_config.bak

# Update SSH configuration
sudo sed -i 's/^ChallengeResponseAuthentication no/ChallengeResponseAuthentication yes/' /etc/ssh/sshd_config
sudo sed -i 's/^UsePAM no/UsePAM yes/' /etc/ssh/sshd_config

# Restart SSH daemon
sudo systemctl restart sshd
5. Setting Up Google Authenticator
Run the configuration utility:
google-authenticator
Answer the configuration questions as follows:
Do you want authentication tokens to be time-based? y
Do you want to update your "~/.google_authenticator" file? y
Do you want to disallow multiple uses of the same authentication token? y
By default, a new token is generated every 30 seconds by the mobile app. Do you want to do so? y
Do you want to enable rate-limiting? y
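To make those answers concrete, here is an added illustration (not code from this guide or from the pam_google_authenticator project) that parses a constructed ~/.google_authenticator file in the format the utility writes, computes RFC 6238 TOTP codes from its seed, and applies the WINDOW_SIZE and DISALLOW_REUSE options as the module does; the seed is the RFC 6238 test vector and verify() is a simplified model of the module's checks, not its implementation. The same option-line format applies to the RATE_LIMIT settings in the best-practices section.

```python
import base64, hashlib, hmac, struct

# Constructed sample of a ~/.google_authenticator file (not a real secret).
# Line 1 is the base32 TOTP seed (here the RFC 6238 test seed), lines starting
# with '" ' are the options the questions write, the 8-digit lines are scratch codes.
SAMPLE_FILE = """GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ
" RATE_LIMIT 3 30
" WINDOW_SIZE 3
" DISALLOW_REUSE
" TOTP_AUTH
12345678
87654321
"""

def parse_authenticator_file(text):
    """Return (secret, options, scratch_codes) from the file text."""
    lines = [l.strip() for l in text.splitlines() if l.strip()]
    secret, options, scratch = lines[0], {}, []
    for line in lines[1:]:
        if line.startswith('" '):
            key, _, val = line[2:].partition(" ")
            options[key] = val.split() if val else True
        elif len(line) == 8 and line.isdigit():
            scratch.append(line)
    return secret, options, scratch

def totp(secret_b32, unix_time, step=30, digits=6):
    """RFC 6238 TOTP over HMAC-SHA1, the scheme pam_google_authenticator uses."""
    key = base64.b32decode(secret_b32.upper() + "=" * (-len(secret_b32) % 8))
    counter = struct.pack(">Q", int(unix_time) // step)
    digest = hmac.new(key, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def verify(text, code, unix_time, used_slots):
    """Illustrative check: scratch codes are single-use, TOTP codes are accepted within
    WINDOW_SIZE 30-second slots, and with DISALLOW_REUSE an already-used slot is rejected."""
    secret, options, scratch = parse_authenticator_file(text)
    if code in scratch:
        return True  # the real module rewrites the file to drop the used code
    window = int(options.get("WINDOW_SIZE", ["3"])[0])
    slot = int(unix_time) // 30
    for delta in range(-(window // 2), window // 2 + 1):
        if totp(secret, (slot + delta) * 30) == code:
            if "DISALLOW_REUSE" in options and slot + delta in used_slots:
                return False
            used_slots.add(slot + delta)
            return True
    return False
```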
Testing the Configuration
1. Testing SSH Access
Open a new terminal and attempt to SSH into your server:
ssh username@your-server
Password: [Enter your password]
Verification code: [Enter code from Google Authenticator app]
2. Testing Sudo Access
Try using sudo with your new configuration:
sudo ls
[sudo] password for username: [Enter your password]
Verification code: [Enter code from Google Authenticator app]
Troubleshooting Common Issues
Issue 1: Authentication Fails
If authentication fails, check the PAM configuration:
# Check the PAM log (Debian/Ubuntu; RHEL-family systems log to /var/log/secure)
sudo tail -f /var/log/auth.log

# Verify the PAM module is present and its library dependencies resolve
ldd /usr/lib64/security/pam_google_authenticator.so
Issue 2: SSH Access Issues
If you can't access SSH after configuration:
# Access server console and check SSH status
sudo systemctl status sshd

# Check the effective SSH configuration
sudo sshd -T | grep -E 'challengeresponseauthentication|usepam'
Issue 3: Unknown Defaults Entry Error
If you see an "unknown defaults entry 'auth_type'" error:
# Edit sudoers file safely
sudo visudo

# Comment out or remove the auth_type line if present
# Defaults auth_type=auth
Security Best Practices
1. Backup Recovery Codes
# Create a secure location for backup copies (the file holds the TOTP seed and scratch codes)
sudo mkdir -p /root/.2fa-backups
sudo cp ~/.google_authenticator /root/.2fa-backups/$(whoami)-google-authenticator
sudo chmod 600 /root/.2fa-backups/$(whoami)-google-authenticator
2. Rate Limiting Configuration
Add rate limiting to prevent brute force attacks:
# Edit Google Authenticator configuration (the file is created read-only, hence sudo)
sudo nano ~/.google_authenticator

# Add rate limiting parameters. Option lines in this file start with a double quote
# and a space; if you answered y to the rate-limiting and reuse questions, they are
# already present.
" RATE_LIMIT 3 30
" DISALLOW_REUSE
3. Monitoring and Logging
Set up logging for authentication attempts:
# Configure rsyslog for authentication logging
sudo tee /etc/rsyslog.d/auth-logging.conf > /dev/null << 'EOF'
auth,authpriv.* /var/log/auth.log
EOF

# Restart rsyslog
sudo systemctl restart rsyslog
4. Session Management
Configure session timeouts:
# Add to /etc/profile.d/timeout.sh
sudo tee /etc/profile.d/timeout.sh > /dev/null << 'EOF'
TMOUT=900
readonly TMOUT
export TMOUT
EOF

# Make it executable
sudo chmod +x /etc/profile.d/timeout.sh
Recovery Procedures
1. Creating Emergency Access
Set up emergency access for administrators. Keep the private key offline in a secure store and remove it from the server afterwards; it serves as a break-glass path because key-based logins in this configuration are not prompted for a verification code.
# Create backup access configuration
sudo mkdir -p /root/.ssh/emergency
sudo ssh-keygen -t ed25519 -f /root/.ssh/emergency/recovery_key

# Append as root: a plain ">>" redirect would run as your own user and be denied
sudo cat /root/.ssh/emergency/recovery_key.pub | sudo tee -a /root/.ssh/authorized_keys > /dev/null
2. Recovery Process
If 2FA fails, use recovery codes:
# View recovery (scratch) codes: the 8-digit lines at the end of the file
cat ~/.google_authenticator

# Reset Google Authenticator if needed
rm ~/.google_authenticator
google-authenticator
Automation and Deployment
1. Automated Setup Script
Create a deployment script:
#!/bin/bash
# Check if running as root
if [ "$EUID" -ne 0 ]; then
  echo "Please run as root"
  exit 1
fi

# Install required packages (Rocky Linux/CentOS/RHEL)
dnf install -y google-authenticator qrencode

# Back up PAM configurations
cp /etc/pam.d/sshd /etc/pam.d/sshd.bak
cp /etc/pam.d/sudo /etc/pam.d/sudo.bak

# Configure SSH
cp /etc/ssh/sshd_config /etc/ssh/sshd_config.bak
sed -i 's/^ChallengeResponseAuthentication no/ChallengeResponseAuthentication yes/' /etc/ssh/sshd_config
sed -i 's/^UsePAM no/UsePAM yes/' /etc/ssh/sshd_config

# Update PAM configurations
cat > /etc/pam.d/sshd << 'EOF'
#%PAM-1.0
auth required pam_google_authenticator.so nullok
auth include system-auth
account include system-auth
password include system-auth
session include system-auth
EOF

cat > /etc/pam.d/sudo << 'EOF'
#%PAM-1.0
auth required pam_google_authenticator.so nullok
auth include system-auth
account include system-auth
password include system-auth
session include system-auth
EOF

# Restart services
systemctl restart sshd

echo "2FA configuration complete. Run 'google-authenticator' for each user."
2. User Setup Script
Create a script for user setup:
#!/bin/bash
# Generate Google Authenticator configuration non-interactively:
# -t time-based, -d disallow reuse, -f no prompts, -r 3 -R 30 rate limit, -w 3 window size
google-authenticator -t -d -f -r 3 -R 30 -w 3

# Create backup (the backup directory may not exist yet)
sudo mkdir -p /root/.2fa-backups
sudo cp ~/.google_authenticator /root/.2fa-backups/$(whoami)-google-authenticator
sudo chmod 600 /root/.2fa-backups/$(whoami)-google-authenticator

echo "2FA setup complete for user $(whoami)"
Conclusion
Implementing Google Authenticator 2FA provides a robust security layer for both SSH and sudo access. The configuration process requires careful attention to detail, but the enhanced security is worth the effort. Regular testing and maintenance of the 2FA system ensures continued protection of your infrastructure.
Remember to:
- Keep backup codes in a secure location
- Regularly update and maintain your 2FA configuration
- Monitor authentication logs for unusual activity
- Train users on proper 2FA usage and recovery procedures