Any machine that allows SSH login would benefit from the addition of two-factor authentication.
Whether you use Fedora Linux for a desktop or server, you should consider enabling two-factor authentication for Secure Shell (SSH) login. Why? Because SSH is the primary means of remotely logging into a server, and the last thing you want is to leave that service open for attacks.
One way to better lock that down is by enabling two-factor authentication for SSH. I want to walk you through the steps of doing just that, so you can enjoy more security with your Fedora desktops and servers.
What you need
To make this work, you need the following:
- An instance of Fedora up and running.
- A user account with sudo access.
- A third-party authenticator app (such as Authy) on your mobile device.
Let’s make this work.
A word of warning
Before you get into this, I highly recommend this setup is done when you have physical access to the Fedora machine in question. Should something go awry, you want to be able to log into the machine directly, so you can troubleshoot the issue.
The first step is to install the Google Authenticator PAM module. Open a terminal window and issue the following command:
sudo dnf install google-authenticator nano -y
Once that installation completes, run the tool with the command:
You will be asked the following questions (answer yes to each):
Do you want authentication tokens to be time-based (y/n) y
Do you want me to update your "/home/user/.google_authenticator" file (y/n)? y
The app will then display a QR code, which you will need to scan into Authy (on your mobile device). You will also be provided with a list of secret codes, which you will need to copy and save in a secret, secure location. Once you successfully scan the QR code and save the recovery codes, you’ll be asked three more questions (again, answer yes to each).
Before you do this, make sure that you can SSH into the Fedora machine. Out of the box, the SSH daemon might not be running, so start and enable it with the following commands:
sudo systemctl start sshd
sudo systemctl enable sshd
Once SSH is running and enabled, make sure to copy your SSH key to this machine (for SSH key authentication), from any/all machine(s) you plan on using to gain remote access. This can be done by running the following command from each machine that will need access:
ssh-copy-id USER@FEDORA_IP
Where USER is the username on the Fedora machine and FEDORA_IP is the IP address of your Fedora machine.
Once you are able to SSH into the Fedora machine using SSH key authentication, it’s time to configure SSH to use two-factor authentication. From the terminal window (on the Fedora machine), issue the command:
sudo nano /etc/pam.d/sshd
Comment out the first line (by adding a # symbol at the beginning). That line will now look like:
#auth substack password-auth
At the bottom of the file, add the following line:
auth sufficient pam_google_authenticator.so
Save and close that file.
Next, we need to configure the SSH daemon. Issue the command:
sudo nano /etc/ssh/sshd_config
First, change ChallengeResponseAuthentication from no to yes, so the line reads:
ChallengeResponseAuthentication yes
Next, change PasswordAuthentication to no, so the line reads:
PasswordAuthentication no
Finally, add the following to the bottom of that file:
AuthenticationMethods publickey,password publickey,keyboard-interactive
Save and close the file.
Restart the SSH daemon with the command:
sudo systemctl restart sshd
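Before you rely on the new setup, it is worth confirming that the two files actually contain what the steps above require. The following script is an added example, not part of the original article: it audits an sshd_config and a PAM sshd file for the password, keyboard-interactive and AuthenticationMethods settings, and for the Google Authenticator PAM line. The function names, the sample files it builds and the paths under a temporary directory are this example's own assumptions.

```sh
#!/bin/sh
# Added example (not from the article): audit an sshd_config and /etc/pam.d/sshd
# against the settings the walkthrough asks for. Real use:
#   audit_ssh_2fa /etc/ssh/sshd_config /etc/pam.d/sshd
# Exit status 0 means every check passed; each failure prints one FAIL line.
# First uncommented value of a keyword, matched case-insensitively as sshd does
# (sshd honours the first occurrence of a keyword outside Match blocks).
sshd_value() {
    awk -v k="$2" 'tolower($1) == tolower(k) { $1 = ""; sub(/^ +/, ""); print; exit }' "$1"
}

audit_ssh_2fa() {
    cfg="$1"; pam="$2"; rc=0
    [ "$(sshd_value "$cfg" PasswordAuthentication)" = "no" ] \
        || { echo "FAIL: PasswordAuthentication must be no"; rc=1; }
    # OpenSSH 8.7+ (Fedora 35+) calls this KbdInteractiveAuthentication and keeps
    # ChallengeResponseAuthentication as a deprecated alias; accept either spelling.
    kbd="$(sshd_value "$cfg" KbdInteractiveAuthentication)"
    [ -n "$kbd" ] || kbd="$(sshd_value "$cfg" ChallengeResponseAuthentication)"
    [ "$kbd" = "yes" ] || { echo "FAIL: keyboard-interactive auth must be yes"; rc=1; }
    # Every space-separated alternative must pair publickey with a second method;
    # a bare 'publickey' entry would let a stolen key log in with no TOTP prompt.
    methods="$(sshd_value "$cfg" AuthenticationMethods)"
    [ -n "$methods" ] || { echo "FAIL: AuthenticationMethods is not set"; rc=1; }
    for m in $methods; do
        case "$m" in
            *publickey*,*|*,*publickey*) ;;
            *) echo "FAIL: alternative '$m' does not require key plus second factor"; rc=1 ;;
        esac
    done
    # PAM: the Google Authenticator module must be active, and the stock password
    # stack commented out so the keyboard-interactive step asks only for the code.
    grep -Eq '^[[:space:]]*auth[[:space:]]+(required|sufficient)[[:space:]]+pam_google_authenticator\.so' "$pam" \
        || { echo "FAIL: pam_google_authenticator.so is not enabled in $pam"; rc=1; }
    if grep -Eq '^[[:space:]]*auth[[:space:]]+substack[[:space:]]+password-auth' "$pam"; then
        echo "FAIL: 'auth substack password-auth' is still active in $pam"; rc=1
    fi
    return $rc
}

# Constructed sample files mirroring the article's final configuration.
tmp="$(mktemp -d)"
printf '%s\n' 'ChallengeResponseAuthentication yes' 'PasswordAuthentication no' \
    'AuthenticationMethods publickey,password publickey,keyboard-interactive' > "$tmp/sshd_config"
printf '%s\n' '#auth substack password-auth' 'auth sufficient pam_google_authenticator.so' > "$tmp/pam_sshd"
# A weakened copy: a lone 'publickey' alternative bypasses the second factor.
sed 's/^AuthenticationMethods.*/AuthenticationMethods publickey/' "$tmp/sshd_config" > "$tmp/weak_config"
audit_ssh_2fa "$tmp/sshd_config" "$tmp/pam_sshd" && echo "PASS: hardened sample"
audit_ssh_2fa "$tmp/weak_config" "$tmp/pam_sshd" || echo "weak sample rejected as expected"
```

Run it against the live files as root once sshd has been restarted; a clean run prints nothing but the PASS line, while any FAIL line points at the setting to revisit.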
You are ready to log in. From one of your client machines, open a terminal window and issue the command:
ssh USER@FEDORA_IP
Where USER is the username on the Fedora machine and FEDORA_IP is the IP address of the Fedora machine. You should be prompted for a Verification code (Figure A), which you will retrieve from your mobile authentication app.
Once you enter the code, you should receive access to the machine (because you set up SSH key authentication).
Congratulations, you now have two-factor authentication set up for your Fedora machine. Anytime someone attempts to log into that server or desktop using SSH, they won’t be given access without a two-factor authentication code generated by your mobile authentication app.