How to enable two-factor authentication for SSH in Fedora Linux

Whether you use Fedora Linux for a desktop or server, you should consider enabling two-factor authentication for Secure Shell (SSH) login. Why? Because SSH is the primary means of remotely logging into a server, and the last thing you want is to leave that service open for attacks.

One way to better lock that down is by enabling two-factor authentication for SSH. I want to walk you through the steps of doing just that, so you can enjoy more security with your Fedora desktops and servers.

What you need

To make this work, you need the following:

• An instance of Fedora up and running.
• A user account with sudo access.
• A third-party authenticator app (such as Authy) on your mobile device.

Let’s make this work.

A word of warning

Before you get into this, I highly recommend this set up is done when you have physical access to the Fedora machine in question. Should something go awry, you want to be able to log into the machine directly, so you can troubleshoot the issue.

Installation

The first step is to install the Google Authenticator. Open a terminal window and issue the following command:

sudo dnf install google-authenticator nano -y

Once that installation completes, run the tool with the command:

google-authenticator

You will be asked the following questions (answer yes to each):

Do you want authentication tokens to be time-based (y/n) y
Do you want me to update your "/home/user/.google_authenticator" file (y/n)? y

The app will then display a QR code, which you will need to scan into Authy (on your mobile device). You will also be provided with a list of secret codes, which you will need to copy and save in a secret, secure location. Once you successfully scan the QR code and save the recovery codes, you’ll be asked three more questions (again, answer yes to each).

Configure SSH

Before you do this, make sure that you can SSH into the Fedora machine. Out of the box, the SSH daemon might not be running, so start and enable it with the following commands:

sudo systemctl start sshd
sudo systemctl enable sshd

Once SSH is running and enabled, make sure to copy your SSH key to this machine (for SSH key authentication), from any/all machine(s) you plan on using to gain remote access. This can be done by running the following command from each machine that will need access:

ssh-copy-id USER@FEDORA_IP

Where USER is the username on the Fedora machine and FEDORA_IP is the IP address of your Fedora machine.

Once you are able to SSH into the Fedora machine using SSH key authentication, it’s time to configure SSH to use two-factor authentication. From the terminal window (on the Fedora machine), issue the command:

sudo nano /etc/pam.d/sshd

Comment out the first line (by adding a # symbole at the beginning). That line will now look like:

#auth substack password-auth

At the bottom of the file, add the following line:

auth sufficient pam_google_authenticator.so

Save and close that file.

Next, we need to configure the SSH daemon. Issue the command:

sudo nano /etc/ssh/sshd_config

First, change the ChallengeResponseAuthentication from no to yes like so:

ChallengeResponseAuthentication yes

Next, change PasswordAuthentication to no like so:

PasswordAuthentication no

Finally, add the following to the bottom of that file:

AuthenticationMethods publickey,password publickey,keyboard-interactive

Save and close the file.

Restart the SSH daemon with the command:

sudo systemctl restart sshd

Logging in

You are ready to log in. From one of your client machines, open a terminal window and issue the command:

ssh USER@FEDORA_IP

Where USER is the username on the Fedora machine and FEDORA_IP is the IP address of the Fedora machine. You should be prompted for a Verification code (Figure A), which you will retrieve from your mobile authentication app.

Once you enter the code, you should receive access to the machine (because you set up SSH key authentication).

Congratulations, you now have two-factor authentication set up for your Fedora machine. Anytime someone attempts to log into that server or desktop using SSH they won’t be given access without a two-factor authentication code generated by your mobile authentication app.