Secure SSH access with 2-step authentication (extended)
In this quick tutorial I'll show you how to secure SSH access to your Linux server with 2-step authentication. Why did I call this post 'extended'? Because I'll also show you how to add extra rules so you don't have to use 2-step authentication from certain locations (your own LAN, for example).
I'm not going to explain what 2-step authentication is. You'll need SSH or CLI access to your Linux device with root rights and a 2-step authentication app (one that generates time-based codes, TOTP) on your phone, tablet or PC.
The PAM module that we need is called libpam-google-authenticator, so on Debian/Ubuntu/... you can use the following command to install it:
sudo apt-get update && sudo apt-get install -y libpam-google-authenticator
Then run the google-authenticator command to set this up for your account. Do not use sudo or something like that, run it as the account that will log in over SSH: it writes the secret to ~/.google_authenticator in that user's home directory, prints a QR code to scan with your app and a few emergency scratch codes. Keep those scratch codes somewhere safe; they are your way in if you lose the device.
Now open the file /etc/pam.d/sshd, you can do this with
sudo nano /etc/pam.d/sshd
and add the following at the end of the file:
auth [success=1 default=ignore] pam_access.so accessfile=/etc/security/access-local.conf
auth required pam_google_authenticator.so
The control field on the first line is what makes the exception work: success=1 means "if pam_access allows this login, skip the next one module", so the verification code is not asked for; default=ignore means that when pam_access denies, its verdict is thrown away and PAM simply continues to pam_google_authenticator, which is then required. Because the two lines come after the existing @include common-auth, a login from elsewhere still needs the normal password and the code.
Now create the file /etc/security/access-local.conf:
1sudo nano /etc/security/access-local.conf
and add the following:
+ : ALL : ????
+ : ALL : LOCAL
- : ALL : ALL
Replace the ???? with the subnet or the IP that should be allowed to access SSH without the second verification step. You could enter an IP like 192.168.0.5 or a subnet like 192.168.0.0/24. The LOCAL line covers logins that have no remote address (the console), and the final line denies everything else, which, through default=ignore above, is exactly what sends those logins on to the verification code. Remember that pam_access only sees the connection's source address, not who is behind it: do not whitelist a NAT or VPN gateway that untrusted devices also sit behind, because every connection coming through it would skip the code.
Now edit the file /etc/ssh/sshd_config:
sudo nano /etc/ssh/sshd_config
and make sure it says
ChallengeResponseAuthentication yes
By default it says no. (On OpenSSH 8.7 and later the directive is called KbdInteractiveAuthentication; ChallengeResponseAuthentication still works as a deprecated alias.) UsePAM must also be yes, which is the Debian/Ubuntu default. Note that the PAM auth stack, and with it the verification code, is only used for password/keyboard-interactive logins: a login with an SSH key alone bypasses it. If you want a key and the code, add AuthenticationMethods publickey,keyboard-interactive as well.
Now check the configuration with sudo sshd -t, restart the SSH service, and keep your current session open until you have confirmed that a fresh login (for example ssh -o PreferredAuthentications=keyboard-interactive user@host from outside the whitelisted subnet) asks for the verification code. A mistake in any of the three files can lock you out.
sudo service ssh restart
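The whole procedure above, as an added example that is not part of the original post: a POSIX shell script that generates the two PAM lines and the access-local.conf rules, sets the sshd_config directive (on any file, so you can test it on a copy first), and only touches the live system when it runs as root with APPLY_SSH_2FA=1 set. The paths are the Debian/Ubuntu ones used in the post; the function names and the APPLY_SSH_2FA variable are assumptions of this script, not part of any of the packages involved.

```shell
#!/bin/sh
# Added example (not from the original post): assemble and apply the SSH 2-step
# configuration described above. Function names and APPLY_SSH_2FA are assumptions
# of this script, not part of the post or of the packages it uses.
set -eu

# The two PAM lines appended to /etc/pam.d/sshd: if pam_access allows the source
# address, skip the next module (the OTP); otherwise drop its verdict and require the OTP.
pam_snippet() {
  printf '%s\n' \
    'auth [success=1 default=ignore] pam_access.so accessfile=/etc/security/access-local.conf' \
    'auth required pam_google_authenticator.so'
}

# Build /etc/security/access-local.conf: every argument is an IP or CIDR that may
# log in without the code. Only a basic shape check (digits, dots, slash, nothing
# trailing) so a typo cannot end up as a rule that pam_access reads differently.
access_conf() {
  for net in "$@"; do
    case "$net" in
      ""|*/|*[!0-9./]*) echo "bad network: $net" >&2; return 1 ;;
    esac
    printf '+ : ALL : %s\n' "$net"
  done
  printf '+ : ALL : LOCAL\n'
  printf -- '- : ALL : ALL\n'
}

# Set KEY VALUE in an sshd_config file, replacing an existing or commented-out
# line, or appending if the directive is absent. Takes any path so it can be
# exercised on a scratch copy before touching /etc/ssh/sshd_config.
set_sshd_option() {
  file=$1; key=$2; value=$3
  if grep -Eq "^[#[:space:]]*${key}[[:space:]]" "$file"; then
    sed -E "s|^[#[:space:]]*${key}[[:space:]].*|${key} ${value}|" "$file" > "$file.tmp"
    mv "$file.tmp" "$file"
  else
    printf '%s %s\n' "$key" "$value" >> "$file"
  fi
}

# First effective (uncommented) value of KEY in an sshd_config file.
get_sshd_option() {
  awk -v k="$2" '$1 == k { print $2; exit }' "$1"
}

# Apply to the running system. Keep your current SSH session open while you test
# a fresh login from another terminal: a mistake here locks you out.
apply_to_system() {
  [ "$(id -u)" -eq 0 ] || { echo "run as root" >&2; return 1; }
  grep -q pam_google_authenticator /etc/pam.d/sshd || pam_snippet >> /etc/pam.d/sshd
  access_conf "$@" > /etc/security/access-local.conf
  set_sshd_option /etc/ssh/sshd_config ChallengeResponseAuthentication yes
  set_sshd_option /etc/ssh/sshd_config UsePAM yes
  sshd -t                 # refuse to restart sshd on a broken config
  service ssh restart
}

# Usage: APPLY_SSH_2FA=1 sudo sh ssh-2fa.sh 192.168.0.0/24 10.0.0.5
if [ "${APPLY_SSH_2FA:-0}" = 1 ]; then
  apply_to_system "$@"
fi
```

Running the script without APPLY_SSH_2FA only defines the functions, so you can source it and call access_conf or set_sshd_option against a copy of sshd_config to see exactly what would change; the guard on pam_google_authenticator keeps a second run from appending the PAM lines twice.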
Ahtanu let me know via Twitter that you'd better make sure your device is properly configured as an NTP client: the verification codes are time-based, so if the server's clock drifts outside the allowed window, correct codes are rejected. Most desktop Linux distributions have this already in order, but here are the instructions for Debian-based distributions to make sure NTP is configured properly.
First, update or install the NTP client.
sudo apt-get update && sudo apt-get install -y ntp ntp-simple ntpdate
Next, set the timezone and the date on your device (tzselect only tells you the right zone name; to actually change the system timezone on Debian-based distributions use sudo dpkg-reconfigure tzdata, and setting the date by hand is only needed when the clock is far off, since ntpd refuses to correct a very large offset on its own):
sudo tzselect
sudo date --set 2014-12-31
sudo date --set 20:20:20
Now edit the file ntp.conf:
sudo nano /etc/ntp.conf
and make sure it lists at least two NTP servers (the Debian default has four; replace be with your own country code if you like):
server 0.be.pool.ntp.org
server 1.be.pool.ntp.org
server 2.be.pool.ntp.org
server 3.be.pool.ntp.org
Finally restart the NTP service (on Debian the service is called ntp, not ntpd):
sudo service ntp restart
Give it a few minutes and check with ntpq -p: one of the peers should be marked with a * in the first column, which means the clock is synchronised.