A TL;DR for setting up MFA for SSH access on Ubuntu servers, because it took more than one guide to set up.

- Login to box
- `sudo apt install libpam-google-authenticator`
- `sudo nano /etc/pam.d/sshd`
- Scroll to bottom and add this under `@include common-password`:
  `auth required pam_google_authenticator.so`
- Ctrl + S, Ctrl + X
- `sudo nano /etc/ssh/sshd_config`
- Set `ChallengeResponseAuthentication` to `yes`. This may be `KbdInteractiveAuthentication` in newer versions
- Ctrl + S, Ctrl + X
- `sudo systemctl restart sshd.service`
- `google-authenticator`
- `y` to time based tokens
- Scan the QR on your auth app
- Save the backup scratch codes
- `y` to update authenticator file
- `y` to disallow multiple uses of tokens
- `n` to increase validity window
- `y` to rate limiting
- In a new session, attempt to log in and confirm setup has been completed correctly

Supporting key based login for MFA
Do this, otherwise key-based logins will bypass MFA.

- In `/etc/pam.d/sshd`
  - Comment out `@include common-auth`
- In `/etc/ssh/sshd_config`
  - Add this line: `AuthenticationMethods publickey,keyboard-interactive`
- `sudo systemctl restart sshd.service`
- In a new session, attempt to log in and confirm setup has been completed correctly
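
A way to confirm the edits from both sections are in place, as an added example that is not part of the original post: it reads the two files and flags the key-login bypass described above. The function names `check_ssh_mfa` and `sshd_value` are hypothetical, and the parser assumes plain `keyword value` lines.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): audit the two files the guide edits.
# Usage: check_ssh_mfa [pam_file] [sshd_config]   -> returns 0 only if every check passes

# Print the lowercased arguments of the first active occurrence of a keyword.
# sshd_config keywords are case-insensitive and the first value set is the one used.
sshd_value() {
    awk -v key="$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')" '
        $1 ~ /^#/ { next }                       # skip commented-out lines
        tolower($1) == key { $1 = ""; sub(/^[ \t]+/, ""); print tolower($0); exit }
    ' "$2"
}

check_ssh_mfa() {
    local pam="${1:-/etc/pam.d/sshd}" cfg="${2:-/etc/ssh/sshd_config}" rc=0 kbd

    # The TOTP module must be an active "auth required" line in the PAM stack.
    if ! grep -Eq '^[[:space:]]*auth[[:space:]]+required[[:space:]]+pam_google_authenticator\.so' "$pam"; then
        echo "FAIL: pam_google_authenticator.so is not enabled in $pam"; rc=1
    fi
    # For the key-based setup, common-auth has to be commented out.
    if grep -Eq '^[[:space:]]*@include[[:space:]]+common-auth' "$pam"; then
        echo "FAIL: @include common-auth is still active in $pam"; rc=1
    fi
    # Newer OpenSSH calls the option KbdInteractiveAuthentication; fall back to the old name.
    kbd="$(sshd_value KbdInteractiveAuthentication "$cfg")"
    [ -n "$kbd" ] || kbd="$(sshd_value ChallengeResponseAuthentication "$cfg")"
    if [ "$kbd" != "yes" ]; then
        echo "FAIL: keyboard-interactive authentication is not set to yes in $cfg"; rc=1
    fi
    # Without AuthenticationMethods, a successful key login is accepted with no TOTP prompt.
    if [ "$(sshd_value AuthenticationMethods "$cfg")" != "publickey,keyboard-interactive" ]; then
        echo "FAIL: AuthenticationMethods is not publickey,keyboard-interactive in $cfg"; rc=1
    fi
    if [ "$rc" -eq 0 ]; then echo "OK: SSH logins need a key and a TOTP code"; fi
    return "$rc"
}
```

Source the file and call `check_ssh_mfa` with no arguments to audit the live files; `Match` blocks and files pulled in by `Include` are not evaluated. Keep your current session open until a login from a new session succeeds.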