How to Set Up 2FA on Linux for Enhanced Security

· GNU/Linux, 2FA, Security

Introduction

Actually, just the other day, via my school, I learned there is a way to set up 2FA, so I started to learn how to set it up. And now, I would like to share it with you guys.

Prerequisites

Before you begin, make sure you have the following:

Step 1: Install the 2FA Package

To begin, you need to install the libpam-google-authenticator package on your server, which will enable 2FA functionality.

Run the following commands to install it:

sudo apt update
sudo apt install libpam-google-authenticator

Step 2: Configure the 2FA Package

Next, configure the Google Authenticator package by running:

google-authenticator

The system will prompt you with a few questions. You can generally respond with ‘yes’ to each one.

Once completed, you’ll see a QR code and a secret key.

Step 3: Scan the QR Code or Enter the Secret Key

Now, open your 2FA app (Google Authenticator, Authy, etc.), and either:

Your app will start generating time-based 6-digit codes.

Tip: If you’re using a different 2FA app, the process will be the same. Just make sure to enter the secret key manually if scanning the QR code isn’t an option.

Step 4: Configure SSH for 2FA

Next, you need to configure SSH to use 2FA. Edit the SSH daemon’s configuration file:

sudo vim /etc/ssh/sshd_config

Make sure these two lines are present (or add them if they aren’t):

KbdInteractiveAuthentication yes
ChallengeResponseAuthentication yes

These settings enable keyboard-interactive authentication, the SSH authentication method through which the 2FA verification-code prompt is presented.

After saving the changes, close the file.

Step 5: Restart SSH Service

To apply the changes, restart the SSH service:

sudo systemctl restart ssh

Step 6: Configure PAM for 2FA

PAM (Pluggable Authentication Modules) must also be configured to use Google Authenticator. Edit the PAM configuration for SSH:

sudo vim /etc/pam.d/sshd

Add the following line to the file:

auth required pam_google_authenticator.so

Where you place this line in the file matters:

Choose the sequence you prefer, save the file, and exit.

Step 7: Restart SSH Again

To ensure all changes take effect, restart the SSH service one more time:

sudo systemctl restart ssh

Step 8: Test 2FA

It’s time to test the 2FA setup. Try SSHing into your server:

ssh your-username@your-server-ip -v

You should first be prompted for your password, and then for the 2FA verification code generated by your app. Example:

$ ssh user@your-server
Password:
Verification code:

If both the password and 2FA code are correct, you will be logged in.
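
If the verification prompt does not appear, the two files edited in Steps 4 and 6 can be audited with a short script. The following is an added example, not part of the original post; the function names, the constructed sample files and the Debian/Ubuntu "@include common-auth" line are assumptions.

```shell
# Added example (not from the original page): audit the files from Steps 4 and 6.

# Value sshd takes for keyboard-interactive auth from one file: keywords are
# case-insensitive, the first occurrence wins, and global options stop at the
# first Match block. ChallengeResponseAuthentication is a deprecated alias.
kbd_interactive() {  # usage: kbd_interactive SSHD_CONFIG
    awk '
        $1 ~ /^#/ { next }
        { k = tolower($1) }
        k == "match" { exit }
        k == "kbdinteractiveauthentication" || k == "challengeresponseauthentication" {
            print tolower($2); exit
        }' "$1"
}

# Where the active pam_google_authenticator.so auth line sits relative to
# "@include common-auth" (assumed Debian/Ubuntu password stack). PAM runs auth
# lines top to bottom, so "after" gives Password first, then Verification code.
pam_totp_position() {  # usage: pam_totp_position PAM_FILE
    awk '
        $1 ~ /^#/ { next }
        $1 == "@include" && $2 == "common-auth" && !inc { inc = NR }
        $1 == "auth" && /pam_google_authenticator\.so/ && !ga { ga = NR }
        END {
            if (!ga) print "missing"
            else if (!inc) print "alone"
            else print (ga < inc ? "before" : "after")
        }' "$1"
}

# Succeeds only when keyboard-interactive is explicitly "yes" and the PAM line is active.
check_2fa_config() {  # usage: check_2fa_config SSHD_CONFIG PAM_FILE
    kbd=$(kbd_interactive "$1")
    pos=$(pam_totp_position "$2")
    echo "keyboard-interactive=${kbd:-unset} pam_google_authenticator=$pos"
    [ "$kbd" = "yes" ] && [ "$pos" != "missing" ]
}

# Constructed sample files standing in for /etc/ssh/sshd_config and /etc/pam.d/sshd.
make_samples() {  # usage: make_samples DIR
    printf '%s\n' '#KbdInteractiveAuthentication no' 'kbdinteractiveauthentication yes' \
        'Match User backup' '    KbdInteractiveAuthentication no' > "$1/sshd_config"
    printf '%s\n' '@include common-auth' '# auth required pam_google_authenticator.so' \
        'auth required pam_google_authenticator.so' > "$1/pam_sshd"
}

d=$(mktemp -d) && make_samples "$d" && check_2fa_config "$d/sshd_config" "$d/pam_sshd"
rm -rf "$d"
```

On a live server, sudo sshd -T prints the effective settings, including any files pulled in by Include, which this script does not follow.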

And that’s it! You’ve successfully set up 2FA on your GNU/Linux server.