Hardening SSH Access with Google Authenticator 2FA on Ubuntu

From Notes_Wiki



Two-Factor Authentication (2FA) using Google Authenticator (Ubuntu 24.04 / 22.04 – SSH Login Protection)

Update the Server

apt update
apt upgrade -y

Install Google Authenticator PAM Module

apt install libpam-google-authenticator -y

Configure PAM for SSH 2FA

Backup PAM SSH configuration:

cp /etc/pam.d/sshd /etc/pam.d/sshd.bak

Edit the file:

nano /etc/pam.d/sshd

Add the following line:

auth required pam_google_authenticator.so nullok

Explanation:

  • required enforces TOTP validation
  • nullok allows users without a configured TOTP file to log in (needed for first-time setup)

Configure SSH to Enable Keyboard-Interactive Authentication

Backup SSH configuration:

cp /etc/ssh/sshd_config /etc/ssh/sshd_config.bak

Edit the file:

nano /etc/ssh/sshd_config

Ensure the following settings are present and enabled:

UsePAM yes
KbdInteractiveAuthentication yes

Optional but recommended: ensure PasswordAuthentication is enabled if password + TOTP is required:

PasswordAuthentication yes

Create a Script to Force TOTP Setup for Selected Users

Create the script:

nano /usr/local/bin/force_totp_setup.sh

Add the following content:

#!/bin/bash
# Runs as the ForceCommand for the users listed in the Match block below.
# If the user has no ~/.google_authenticator yet, walk them through
# google-authenticator enrolment and end the session; otherwise hand over
# to their normal session.

USER_HOME=$(getent passwd "${USER:-$(id -un)}" | cut -d: -f6)
GA_FILE="$USER_HOME/.google_authenticator"

if [ ! -f "$GA_FILE" ]; then
    echo ""
    echo "========================================="
    echo "TOTP is required on this server."
    echo "You must configure Google Authenticator now."
    echo "========================================="
    echo ""

    # Interactive enrolment: shows the QR code and secret and writes $GA_FILE
    google-authenticator

    echo ""
    echo "TOTP setup completed."
    echo "Please logout and login again."
    echo ""

    exit 1
fi

# ForceCommand discards whatever the client asked to run, so pass that on
# (keeps scp/sftp and "ssh host command" working); otherwise start a login shell.
if [ -n "$SSH_ORIGINAL_COMMAND" ]; then
    exec /bin/bash -c "$SSH_ORIGINAL_COMMAND"
fi
exec /bin/bash -l

Save and set proper permissions:

chmod +x /usr/local/bin/force_totp_setup.sh

Apply ForceCommand for Selected Users Only

Edit SSH configuration:

nano /etc/ssh/sshd_config

Add at the bottom of the file:

Match User user1,user2,userX
    ForceCommand /usr/local/bin/force_totp_setup.sh

Explanation:

  • Only listed users will be forced to configure TOTP
  • Other users remain unaffected

Restart SSH Service

systemctl restart sshd

First-Time Login Flow

User connects:

ssh user1@<server-ip-address>

Login sequence:

  1. Enter password
  2. Script checks for ~/.google_authenticator
  3. If not present → QR code and secret key are displayed
  4. User scans QR in Google Authenticator app
  5. User completes setup
  6. Session exits automatically

Subsequent Login Flow

ssh user1@<server-ip-address>

Login sequence:

  1. Enter password
  2. Enter verification code (TOTP from mobile app)
  3. Access granted to shell

Security Notes

  • Remove nullok after all required users configure TOTP to strictly enforce 2FA
  • Ensure time synchronization is correct (install and enable chrony or systemd-timesyncd)
  • Test with a secondary SSH session before closing the active root session
  • Keep SSH config backup for recovery
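An added audit helper for the first security note above; it is not part of this wiki page. It reads an sshd_config and a pam.d/sshd file passed as parameters, reports whether UsePAM, KbdInteractiveAuthentication and the pam_google_authenticator line are in place, and lists which of the Match-listed users have not yet created ~/.google_authenticator, so you know when nullok can be dropped. The users alice and bob, the home base directory and the fixture files it builds are constructed for the demonstration.

```shell
#!/bin/bash
# Added audit helper (not from the wiki page): are the settings from this page in
# place and have all Match-listed users enrolled, so "nullok" can be dropped?

# Global-section value of an sshd_config keyword (first occurrence wins, stop at the
# first Match). Include files are not followed; "sshd -T" on the host resolves those.
sshd_opt() {   # sshd_opt <sshd_config> <Keyword>
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        tolower($1) == "match" { exit }
        tolower($1) == key     { print $2; exit }' "$1"
}

# pam_google_authenticator mode in pam.d/sshd: strict, nullok or missing.
pam_totp_mode() {   # pam_totp_mode <pam.d/sshd>
    local line; line=$(grep -E '^[[:space:]]*auth[[:space:]]+required[[:space:]]+pam_google_authenticator\.so' "$1" || true)
    if [ -z "$line" ]; then echo missing
    elif printf '%s\n' "$line" | grep -qw nullok; then echo nullok
    else echo strict; fi
}

# Users whose <home_base>/<user>/.google_authenticator does not exist yet.
users_missing_totp() {   # users_missing_totp <home_base> user...
    local base="$1"; shift
    for u in "$@"; do [ -f "$base/$u/.google_authenticator" ] || echo "$u"; done
}

# Exit 0 when every prerequisite for strict 2FA is met, 1 with reasons otherwise.
totp_ready() {   # totp_ready <sshd_config> <pam.d/sshd> <home_base> user...
    local cfg="$1" pam="$2" base="$3" ok=0 missing; shift 3
    [ "$(sshd_opt "$cfg" UsePAM)" = yes ] || { echo "UsePAM is not yes"; ok=1; }
    [ "$(sshd_opt "$cfg" KbdInteractiveAuthentication)" = yes ] || { echo "KbdInteractiveAuthentication is not yes"; ok=1; }
    [ "$(pam_totp_mode "$pam")" != missing ] || { echo "pam_google_authenticator line missing"; ok=1; }
    missing=$(users_missing_totp "$base" "$@")
    [ -z "$missing" ] || { echo "users without TOTP: $(printf '%s' "$missing" | tr '\n' ' ')"; ok=1; }
    return $ok
}

# Constructed fixture: hypothetical users alice (enrolled) and bob (not yet).
make_fixture() {   # prints the fixture directory
    local d; d=$(mktemp -d)
    printf 'UsePAM yes\nKbdInteractiveAuthentication yes\nMatch User alice,bob\n    ForceCommand /usr/local/bin/force_totp_setup.sh\n' > "$d/sshd_config"
    printf '@include common-auth\nauth required pam_google_authenticator.so nullok\n' > "$d/pam_sshd"
    mkdir -p "$d/home/alice" "$d/home/bob"
    : > "$d/home/alice/.google_authenticator"
    echo "$d"
}
FIX=$(make_fixture)
totp_ready "$FIX/sshd_config" "$FIX/pam_sshd" "$FIX/home" alice bob && echo "ready: nullok can be removed" || echo "not ready: keep nullok for now"
```

On the live host, call totp_ready with /etc/ssh/sshd_config, /etc/pam.d/sshd and /home as the base and the users from your Match line; because Include files are not followed, cross-check the two sshd values with sshd -T.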
