I love 2-factor authentication and believe it's one of the best ways forward for securing access. 2-factor authentication combines something you know, such as a password, with something you have, like a fingerprint. In this case SSH will still request a password, but the "something you have" part will be the numeric code provided by Google's Authenticator application, which changes every minute. Google Authenticator is similar to the popular RSA tokens.
The PAM module for Google Authenticator is already in the Ubuntu repository. To install this module, run the following command:
sudo apt-get install libpam-google-authenticator
The next part is to configure the 2-factor authentication. This is done on a per-user basis, so all the commands from here on are run as the user who will be using 2-factor authentication.
After running the google-authenticator command, a series of questions will follow, each of which explains clearly what it is and what it means. Generally, answering 'y' to all of them will suffice.
Edit /etc/pam.d/sshd and add the following to the file:
auth required pam_google_authenticator.so
Save and exit the file.
Next, edit /etc/ssh/sshd_config, find ChallengeResponseAuthentication and change it to yes if necessary. If the line does not exist, add it to the file.
Restart the SSH service. This may disconnect a remote session.
sudo service ssh restart
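The two edits above can be checked before the restart. The script below is an added example, not part of the original post: its function names and sample files are constructed for illustration, and it only reads global settings (it stops at the first Match block and does not handle the keyword=value form).

```sh
#!/bin/sh
# Added example; function names and sample files are constructed for illustration.

# True if the PAM file has an active (uncommented) auth line loading the module.
pam_has_google_auth() {
    grep -Eq '^[[:space:]]*auth[[:space:]]+[^#]*pam_google_authenticator\.so' "$1"
}

# Print the global ChallengeResponseAuthentication value ("unset" if absent).
# sshd keywords are case-insensitive and the first occurrence wins, so a "yes"
# appended below an existing "no" has no effect. Stops at the first Match block.
challenge_response_value() {
    awk 'tolower($1) == "match" { exit }
         tolower($1) == "challengeresponseauthentication" { v = tolower($2); exit }
         END { print (v == "" ? "unset" : v) }' "$1"
}

# Return 0 only when both edits from the steps above are in effect.
check_2fa_config() {
    rc=0
    if ! pam_has_google_auth "$1"; then
        echo "no active pam_google_authenticator.so auth line in $1" >&2; rc=1
    fi
    value=$(challenge_response_value "$2")
    if [ "$value" != "yes" ]; then
        echo "ChallengeResponseAuthentication is '$value' in $2" >&2; rc=1
    fi
    return $rc
}

# Constructed sample files (not real system configuration).
d=$(mktemp -d); trap 'rm -rf "$d"' EXIT
printf 'auth required pam_google_authenticator.so\n' > "$d/pam_ok"
printf '#auth required pam_google_authenticator.so\n' > "$d/pam_commented"
printf 'ChallengeResponseAuthentication yes\n' > "$d/sshd_ok"
printf 'ChallengeResponseAuthentication no\nChallengeResponseAuthentication yes\n' > "$d/sshd_shadowed"

check_2fa_config "$d/pam_ok" "$d/sshd_ok" && echo "ok: both settings active"
check_2fa_config "$d/pam_ok" "$d/sshd_shadowed" || echo "rejected: earlier 'no' wins"
check_2fa_config "$d/pam_commented" "$d/sshd_ok" || echo "rejected: PAM line commented out"
```

On a real host, call check_2fa_config with /etc/pam.d/sshd and /etc/ssh/sshd_config as its two arguments.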
To create a new code, run the google-authenticator command again as the same user. If the code is lost, the only way to gain access is to log in as a different user, su (switch user), and run the setup again.
Undo the changes in the section to Activate Google Authenticator and restart the SSH service.
This is a very simple and easy-to-use setup, and it provides an additional layer of security.