hosting.com
Knowledge Base
Hosting Panel

Enabling two-factor authentication for SSH

You can use two-factor authentication with SSH to help secure your unmanaged hosting server. Learn how to secure your server in this article.

Suggest Edits

This article describes how to enable and disable two-factor authentication for SSH on an unmanaged server.

📘

Note

You must have root access to the server to follow these procedures.

About two-factor authentication

By default, when users access your unmanaged VPS or dedicated server using SSH, they type a username and password to log in.

Two-factor authentication provides an extra layer of security because, in addition to knowing the correct username and password, users must provide another piece of information. This piece of information is a temporary, numeric password generated independently on the server and on a mobile device, such as a smartphone or tablet.

As a result, in order for a potential attacker to access your server, he or she would not only need to obtain something youknow (your username and password), but also something youhave (your mobile device). This two-factor approach to logins significantly enhances your server's security and makes brute-force attacks much more difficult.

Enabling two-factor authentication for SSH

To enable two-factor authentication with SSH on your server, do the following steps in the order in which they are presented.

Step 1: Disable root logins for SSH

If you haven't done so already, you should disable root SSH logins on your server and create a normal user account. For information about how to do this, please see this article.

Step 2: Install an authenticator app on a mobile device

You use an authenticator app on your smartphone or tablet to generate a one-time password that you use to log in (this is the "second factor" for authentication, in addition to your username and password).

Step 3: Enable two-factor authentication on the server

To enable two-factor authentication on the server, follow these steps:

  1. Log in to your server using SSH.

  2. As the root user, install the Google Authenticator package:

  • For Debian and Ubuntu, type the following command: 
apt-get install libpam-google-authenticator
  • For AlmaLinux and Fedora, type the following command:
yum install google-authenticator

📘

Note

Google develops and maintains the Google Authenticator code, but it does not collect any information from your server.

  1. Stay logged in as the root user, and then in a separate window, log in to your server as a normal (that is, non-root) user.

  2. At the command prompt, type the following command:

google-authenticator

  1. At the Do you want authentication tokens to be time-based? prompt, type y and then press Enter.

  2. The server generates a QR code image and emergency codes. On your mobile device, scan the QR code image and configure the account.

📘

Note

Alternatively, if your device does not support reading QR codes, you can manually enter the alphanumeric secret key.

❗️

Warning

Make sure you store the secret key and emergency codes in a safe place. You must have one of these emergency codes if you ever lose your mobile device, or if it is inaccessible for some reason. Otherwise, you will be unable to access your account.

  1. On the server, at the Do you want me to update your "/home/username/.google_authenticator" file? prompt, type y and then press Enter.

  2. At the Do you want to disallow multiple uses of the same authentication token? prompt, type y and then press Enter.

  3. At the By default, tokens are good for 30 seconds… prompt, type n and then press Enter.

📘

Note

As the full prompt states, if you experience time synchronization problems (that is, you enter a code from your mobile device, but the server rejects it), you can increase the token validity interval from its default length of 90 seconds to around four minutes. The default value should work fine in most cases however, and is more secure.

  1. At the Do you want to enable rate-limiting? prompt, type y and then press Enter.

  2. As the root user, open the /etc/pam.d/sshd file in your preferred text editor.

  • Add the following line to the top of the file: 
auth required pam_google_authenticator.so nullok
  • Save your changes to the sshd file.

📘

Note

The nullok setting enables users that have not configured two-factor authentication yet to still log in using only a username and password. It is a good idea to use this setting when you configure two-factor authentication for the first time. After you configure two-factor authentication for all of your users, you can remove the nullok setting to make two-factor authentication mandatory.

  1. As the root user, open the /etc/ssh/sshd_config file in your preferred text editor.
  • Locate the following line: 
ChallengeResponseAuthentication no
  • Modify the line as follows:
ChallengeResponseAuthentication yes
  • Save your changes to the sshd_config file.
  1. As the root user, restart the SSH service:
  • For Debian and Ubuntu, type the following command: 
service ssh restart
  • For AlmaLinux and Fedora, type the following command:
service sshd restart
  1. While still logged in as the root user, in a separate window log in as the normal user and test the new configuration:

  • At the Verification code prompt, type the numeric password displayed by the authenticator app on your mobile device.

  • At the Password prompt, type the password for the user.

🚧

Important

If authentication fails, verify that you followed the previous steps correctly. Do not log out as the root user until you are sure the new authentication configuration is working correctly.

Disabling two-factor authentication for SSH

If you decide that you no longer want to use two-factor authentication with SSH, you can disable it. To do this, follow these steps:

  1. Log in to your server using SSH.

  2. As the root user, open the /etc/pam.d/sshd file in your preferred text editor.

  • Delete or comment out the following line at the top of the file: 
auth required pam_google_authenticator.so nullok
  • Save your changes to the sshd file.
  1. Open the /etc/ssh/sshd_config file in your preferred text editor.
  • Locate the following line: 
ChallengeResponseAuthentication yes
  • Modify the line as follows:
ChallengeResponseAuthentication no
  • Save your changes to the sshd_config file.
  1. Restart the SSH service:
  • For Debian and Ubuntu, type the following command: 
service ssh restart
  • For AlmaLinux and Fedora, type the following command:
service sshd restart

Two-factor authentication is now disabled for SSH.

Related Articles

Updated 1 day ago