A TL;DR for setting up MFA on Ubuntu servers for SSH access, because it took more than one guide to set up.

  1. Login to box

  2. sudo apt install libpam-google-authenticator

  3. sudo nano /etc/pam.d/sshd

  4. Scroll to the bottom and add this line under @include common-password

    auth required pam_google_authenticator.so
    
  5. Ctrl + S, Ctrl + X

  6. sudo nano /etc/ssh/sshd_config

  7. Set ChallengeResponseAuthentication to yes. In newer OpenSSH versions this directive is called KbdInteractiveAuthentication instead.

  8. Ctrl + S, Ctrl + X

  9. sudo systemctl restart sshd.service

  10. google-authenticator

  11. y to time based tokens

  12. Scan the QR on your auth app

  13. Save the backup scratch codes

  14. y to update authenticator file

  15. y to disallow multiple uses of tokens

  16. n to increase validity window

  17. y to rate limiting

  18. In a new session, attempt to log in and confirm setup has been completed correctly

Supporting key based login for MFA

Do this, otherwise key-based logins will bypass MFA.

  1. In /etc/pam.d/sshd
  2. Comment out @include common-auth
  3. In /etc/ssh/sshd_config
  4. Add this line: AuthenticationMethods publickey,keyboard-interactive
  5. sudo systemctl restart sshd.service
  6. In a new session, attempt to log in and confirm setup has been completed correctly
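As an added check that is not part of the original post, the script below verifies that /etc/pam.d/sshd and /etc/ssh/sshd_config are in the state the two lists above end with; `check_mfa_config` and `demo_check` are names chosen here, the paths default to the ones used in the guide, and the demo runs against constructed copies of the two files rather than the live system.

```shell
#!/bin/sh
# Added example (not from the original post): confirm the PAM and sshd
# configuration match the guide. Usage: check_mfa_config [pam_file] [sshd_config]
# Defaults are the real paths from the guide; the function returns 0 on success.

check_mfa_config() {
    pam="${1:-/etc/pam.d/sshd}"
    cfg="${2:-/etc/ssh/sshd_config}"
    rc=0
    # PAM must demand the verification code on every sshd login.
    grep -Eq '^[[:space:]]*auth[[:space:]]+required[[:space:]]+pam_google_authenticator\.so' "$pam" \
        || { echo "FAIL: $pam lacks 'auth required pam_google_authenticator.so'"; rc=1; }
    # common-auth must be commented out so keyboard-interactive prompts only
    # for the verification code, not the account password as well.
    grep -Eq '^[[:space:]]*@include[[:space:]]+common-auth' "$pam" \
        && { echo "FAIL: $pam still includes common-auth"; rc=1; }
    # Keyboard-interactive must be on; the directive name depends on the OpenSSH version.
    grep -Eiq '^[[:space:]]*(ChallengeResponseAuthentication|KbdInteractiveAuthentication)[[:space:]]+yes' "$cfg" \
        || { echo "FAIL: $cfg does not enable keyboard-interactive authentication"; rc=1; }
    # Key AND code must both be required; without this a public key alone
    # completes the login and the PAM stack never runs.
    grep -Eiq '^[[:space:]]*AuthenticationMethods[[:space:]]+publickey,keyboard-interactive' "$cfg" \
        || { echo "FAIL: $cfg lacks 'AuthenticationMethods publickey,keyboard-interactive'"; rc=1; }
    [ "$rc" -eq 0 ] && echo "OK: $pam and $cfg match the guide"
    return "$rc"
}

# Constructed demo: builds copies of the two files in a temp dir and checks them.
demo_check() {
    d=$(mktemp -d)
    printf '%s\n' '#@include common-auth' '@include common-password' \
        'auth required pam_google_authenticator.so' > "$d/sshd.pam"
    printf '%s\n' 'KbdInteractiveAuthentication yes' \
        'AuthenticationMethods publickey,keyboard-interactive' > "$d/sshd_config"
    if check_mfa_config "$d/sshd.pam" "$d/sshd_config"; then r=0; else r=1; fi
    rm -rf "$d"
    return "$r"
}

demo_check
```

On a live server, run `check_mfa_config` with no arguments after step 6 to confirm the real files before opening the new session.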