How to Setup Two Factor Authentication for SSH on Fedora

Every day there seem to be lots of security breaches reported where our data is at danger. Despite the fact that SSH is a secure way to establish a connection remotely to a Linux system, but still, an unknown user can gain access to your Linux machine if they steal your SSH keys, even if you disable passwords or only allow SSH connections over public and private keys.

In this article, we will explain how to set up two-factor authentication (2FA) for SSH on Fedora Linux distribution using Google Authenticator to access a remote Linux system in a more secure way by providing a TOTP (The Time-based One-time Password) number generated randomly by an authenticator application on a mobile device.

Read Also: How to Setup Two-Factor Authentication for SSH Logins in CentOS and Debian

Note that, you can use any two-way authentication application for your mobile device that is compatible with the TOTP algorithm. There are numerous free apps available for Android or IOS that supports TOTP and Google Authenticator, but this article uses Google Authenticator as an example.

Installing Google Authenticator on Fedora

First, install the Google Authenticator application on your Fedora server using following dnf command.

$ sudo dnf install -y google-authenticator
Install Google Authenticator in Fedora

Install Google Authenticator in Fedora

Once Google Authenticator installed, you can now run the application.

$ google-authenticator

The application prompts you with a number of questions. The following snippets show you how to answer for a reasonably secure setup.

Do you want authentication tokens to be time-based (y/n) y Do you want me to update your "/home/user/.google_authenticator" file (y/n)? y
Generate Authentication Tokens

Generate Authentication Tokens

The application provides you with a secret key, verification code, and recovery codes. Keep these keys in a secure safe location, as these keys are the only way to access your server if you lose your mobile device.

Setting Up Mobile Phone Authentication

On your Mobile phone, go to app store Google Play or iTunes and search for Google Authenticator and install the application.

Now open Google Authenticator application on your mobile phone and scan the QR code displayed on the Fedora terminal screen. Once the QR code scan is complete, you will get a randomly generated number by the authenticator application and use this number every time you connect to your Fedora server remotely.

Scan QR Code Using Authenticator

Scan QR Code Using Authenticator

Finish Google Authenticator Configuration

The Google Authenticator application prompts further questions and the following example shows how to answer them to setup secure configuration.

Finish Google Authenticator-Setup

Finish Google Authenticator-Setup

Now you need to configure SSH to use the new two-way authentication as explained below.

Configure SSH to Use Google Authenticator

To configure SSH to use authenticator application, first you need to have a working SSH connection using public SSH keys, as we will be disabling password connections.

Open /etc/pam.d/sshd file on your server.

$ sudo vi /etc/pam.d/sshd

Comment out the auth substack password-auth line in the file.

#auth       substack     password-auth

Next, place the following line to the end of the file.

auth sufficient pam_google_authenticator.so

Save and close the file.

Next, open and edit the /etc/ssh/sshd_config file.

$ sudo vi /etc/ssh/sshd_config

Search for the ChallengeResponseAuthentication line and change it to yes.

ChallengeResponseAuthentication yes

Search for the PasswordAuthentication line and change it to no.

PasswordAuthentication no

Next, place the following line to the end of the file.

AuthenticationMethods publickey,password publickey,keyboard-interactive

Save and close the file, and then restart SSH.

$ sudo systemctl restart sshd

Testing Two-factor Authentication on Fedora

Now try to connect to your server remotely, it will ask you to enter a verification code.

$ ssh [email protected]

Verification code:

The verification code is generated randomly on your mobile phone by your authenticator application. Since generated code changes every few seconds, you need to enter it quickly before it creates a new one.

Authenticator Verification Code

Authenticator Verification Code

If you enter the wrong verification code, you will not able to connect to the system, and you will get a following permission denied error.

$ ssh [email protected]

Verification code:
Verification code:
Verification code:
Permission denied (keyboard-interactive).
Conclusion

By implementing this easy two-way authentication, you have added an extra layer of security to your system and as well as this makes more difficult for an unknown user to gain access to your server.

Best Affordable Linux and WordPress Services For Your Business
Outsource Your Linux and WordPress Project and Get it Promptly Completed Remotely and Delivered Online.

If You Appreciate What We Do Here On TecMint, You Should Consider:

  1. Stay Connected to: Twitter | Facebook | Google Plus
  2. Subscribe to our email updates: Sign Up Now
  3. Get your own self-hosted blog with a Free Domain at ($3.45/month).
  4. Become a Supporter - Make a contribution via PayPal
  5. Support us by purchasing our premium books in PDF format.
  6. Support us by taking our online Linux courses

We are thankful for your never ending support.

Ravi Saive

I am Ravi Saive, creator of TecMint. A Computer Geek and Linux Guru who loves to share tricks and tips on Internet. Most Of My Servers runs on Open Source Platform called Linux. Follow Me: Twitter, Facebook and Google+

Your name can also be listed here. Got a tip? Submit it here to become an TecMint author.

RedHat RHCE and RHCSA Certification Book
Linux Foundation LFCS and LFCE Certification Preparation Guide

You may also like...

5 Responses

  1. Ramesh says:

    How secure is Google authenticator app as this needs Internet connection on secure zone linux servers and is it possible without Internet connection too?

    • Ravi Saive says:

      @Ramesh,

      It’s Google app, so there is no issue about security. I haven’t tested it without internet, but I think it should work without internet connection also. Give a try and see..

  2. Sum Yung Gai says:

    Google Authenticator is no longer open source, so I would not run it on my systems anymore. I have done 2FA on CentOS and RHEL systems using US Government PIV/CAC cards, all with open source software that comes with CentOS/RHEL (coolkey driver). It’s not that hard, and I imagine that the new replacement driver, called OpenSC, is available in the latest Fedora (it’s present in RHEL 7.4).

  3. J Billheim says:

    Anyone using Authy vice Google Authenticator to do this?

  4. Loweel says:

    What you set is a single factor authentication, not double. Double factor means

    – Something you know (password)
    – Something you have (your OTP device).

    What you do is to use only the OTP. This is single factor. Keep the password there, and you have two factors.

Got something to say? Join the discussion.

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.