Linux - Ubuntu - SSH - Set up Multi Factor Authentication for SSH.txt
# Install the required PAM (Pluggable Authentication Module) module
apt update && apt install libpam-google-authenticator
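# Run the initialization app as each user who will log in over SSH. The secret key
# is generated on a user-by-user basis (stored by default in ~/.google_authenticator),
# so every account has to enrol separately.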
google-authenticator
# Update SSHD PAM configuration
vi /etc/pam.d/sshd
# Add the following line to the end of the file
auth required pam_google_authenticator.so nullok
# The nullok word at the end of the line tells PAM that this
# authentication method is optional: a user who has not yet set up an
# OATH-TOTP token is not asked for a code and can still log in using
# their SSH key. Once all users have an OATH-TOTP token, remove nullok
# from this line to make MFA mandatory. While nullok is present, an
# account that never enrolled is not protected by the second factor.
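# Configure SSH to support this kind of authentication (keyboard-interactive via PAM).
# UsePAM must also be set to yes. Newer OpenSSH releases name the option below
# KbdInteractiveAuthentication and keep ChallengeResponseAuthentication as a deprecated alias.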
vi /etc/ssh/sshd_config
ChallengeResponseAuthentication yes
service ssh restart
# --------------------------------------------------
# Up to this point, the token is requested ONLY when logging in with a password:
# a successful public-key login completes without any further authentication step,
# so users with a key are never asked for a code.
# --------------------------------------------------
# Reopen the SSH configuration file
vi /etc/ssh/sshd_config
# Add the following line to the bottom of the file
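# This line tells SSH we need an SSH key and either a password or a verification code.
# Each space-separated list is one accepted combination; every method in a list must succeed.
# NOTE(review): confirm on a test host that the publickey,password list behaves as intended,
# and remove it if only key + verification code should be accepted.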
AuthenticationMethods publickey,password publickey,keyboard-interactive
# Reopen SSHD PAM configuration file
vi /etc/pam.d/sshd
# Find the line @include common-auth and comment it out by adding a # character
# as the first character on the line. This tells PAM not to prompt for the account password.
# This step may be optional: if the include is left active, PAM presumably asks for the
# account password as well as the verification code (needs verification).
#@include common-auth
# Restart SSH
service ssh restart
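# You can now log in over SSH with an SSH key and a one-time password.
# Keep the current session open and confirm that a new login works before
# disconnecting, so a mistake in the PAM or sshd configuration cannot lock you out.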