Sam Debruyn

Cloud Data Solution Architect

Specialized in Microsoft Azure, Fabric & modern data stack. Microsoft Data Platform MVP. Public speaker & meetup organizer. FOSS contributor.


Secure SSH access with 2-step authentication (extended)


In this quick tutorial I'll show you how to secure SSH access to your Linux server with 2-step authentication. Why did I call this post "extended"? Because I'll also show you how to add extra rules so that you don't have to use 2-step authentication when you connect from certain locations, for example your own LAN.

I'm not going to explain what 2-step authentication is. You'll need SSH or CLI access to your Linux device with root rights and a 2-step authentication app (Google Authenticator or any other TOTP app) on your phone, tablet or PC.

The PAM module we need is called libpam-google-authenticator, so on Debian/Ubuntu/… you can install it with the following command:

sudo apt-get update && sudo apt-get install -y libpam-google-authenticator

Next, run

google-authenticator

to set this up for your account. Do not use sudo or something like that, use your own account: the command writes the secret and the emergency scratch codes to ~/.google_authenticator of the user that runs it, and that is the user who will be asked for a code when logging in over SSH. Scan the QR code or type the secret into your app before you continue.

Now open the file /etc/pam.d/sshd, you can do this with

sudo nano /etc/pam.d/sshd

and add the following at the end of the file (after the @include common-auth line that handles the password, so the code is asked after the password):

auth [success=1 default=ignore] pam_access.so accessfile=/etc/security/access-local.conf
auth required pam_google_authenticator.so

The first line lets pam_access check the connection against the rules in access-local.conf. If the rules allow it, success=1 skips the next module and no code is asked; if they don't, default=ignore means that result does not count and PAM simply continues with the next line, which then requires a valid code. Note that without nullok on the pam_google_authenticator line, any account that has not yet run google-authenticator can no longer log in with a password, so set up every user (or add nullok) before you restart sshd.

Now create the file /etc/security/access-local.conf:

sudo nano /etc/security/access-local.conf

and add the following:

+ : ALL : ????
+ : ALL : LOCAL
- : ALL : ALL

Replace the ???? with the subnet or the IP that should be allowed to access SSH without the second verification step. You could enter an IP like 192.168.0.5 or a subnet like 192.168.0.0/24. The rules are evaluated top to bottom and the first match wins: the + lines allow the trusted subnet and local (console) logins, and the final - : ALL : ALL line makes pam_access fail for everyone else, which is what sends them on to the code prompt. Don't leave that last line out: when no rule matches, pam_access permits the login and nobody would be asked for a code.

Now edit the file /etc/ssh/sshd_config:

sudo nano /etc/ssh/sshd_config

and make sure it says

ChallengeResponseAuthentication yes

By default it says no. Two more things to check while you are in this file: UsePAM yes must be set (it is on Debian/Ubuntu), since the code prompt comes from PAM, and be aware that public-key logins bypass the PAM auth stack entirely: a user who logs in with a key is never asked for a code unless you also set AuthenticationMethods publickey,keyboard-interactive. On recent OpenSSH releases (8.7 and later) the option is spelled KbdInteractiveAuthentication; ChallengeResponseAuthentication is still accepted as an alias.

Now restart the SSH service and you should be good. Keep your current session open and test a new login from a second terminal first, so a mistake in the PAM or access file cannot lock you out (sudo sshd -t checks the sshd_config syntax beforehand):

sudo service ssh restart
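Before you restart sshd it is worth checking which source addresses will actually skip the code prompt. The following is an added example, not code from the original post: a small emulator of the pam_access rules in /etc/security/access-local.conf combined with the two PAM lines above. It models only the rule subset the post uses (users ALL or a user name; origins ALL, LOCAL, an IP or a CIDR subnet), with pam_access's first-match semantics and its default of permitting a login that matches no rule at all. The sample access file is constructed, with 192.168.0.0/24 standing in for the ???? placeholder.

```python
"""Added example, not from the original post: emulate pam_access rules plus the
two PAM lines appended to /etc/pam.d/sshd, to see who gets asked for a code."""
import ipaddress

# Constructed sample with the same layout as the file in the post;
# 192.168.0.0/24 stands in for the "????" placeholder.
SAMPLE_ACCESS_CONF = """\
+ : ALL : 192.168.0.0/24
+ : ALL : LOCAL
- : ALL : ALL
"""


def parse_rules(text):
    """Return a list of (allow, user_patterns, origin_patterns) tuples."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        fields = [f.strip() for f in line.split(":", 2)]
        if len(fields) != 3 or fields[0] not in ("+", "-"):
            raise ValueError(f"malformed access rule: {raw!r}")
        rules.append((fields[0] == "+", fields[1].split(), fields[2].split()))
    return rules


def origin_matches(pattern, origin):
    if pattern == "ALL":
        return True
    if pattern == "LOCAL":
        # Traditional pam_access(8) rule: LOCAL matches an origin without a '.'
        # (a tty name for console logins). SSH passes the client address here.
        return "." not in origin
    try:   # a plain address behaves like a /32 (or /128) network
        return ipaddress.ip_address(origin) in ipaddress.ip_network(pattern, strict=False)
    except ValueError:
        return pattern == origin    # not an address: compare literally


def user_matches(patterns, user):
    return any(p in ("ALL", user) for p in patterns)


def pam_access_allows(rules, user, origin):
    """What pam_access returns for this login: True = PAM_SUCCESS.
    First matching rule wins; with no matching rule pam_access permits."""
    for allow, users, origins in rules:
        if user_matches(users, user) and any(origin_matches(o, origin) for o in origins):
            return allow
    return True


def second_factor_required(rules, user, origin):
    """Model of the two lines from the post:
        auth [success=1 default=ignore] pam_access.so accessfile=...
        auth required pam_google_authenticator.so
    success=1 skips the next module (no code asked); default=ignore lets
    PAM fall through to it (code required)."""
    return not pam_access_allows(rules, user, origin)


if __name__ == "__main__":
    rules = parse_rules(SAMPLE_ACCESS_CONF)
    for origin in ("192.168.0.5", "10.0.0.7", "203.0.113.9", "tty1"):
        need = second_factor_required(rules, "sam", origin)
        print(f"{origin:>12}: {'code required' if need else 'no code (pam_access allowed)'}")
```

Run it with your own access file contents pasted into SAMPLE_ACCESS_CONF; the useful cases to try are an address just outside your trusted subnet and a file without the final deny line.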

NTP

Ahtanu has let me know via Twitter that you’d better make sure your device is properly configured as an NTP client. Most desktop Linux distributions have this already in order but here are the instructions for Debian-based distributions to make sure NTP is configured properly.
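The reason the clock matters: the codes are time-based (TOTP, RFC 6238), so the server computes the same code from the shared secret and its own clock, and accepts a small window of neighbouring codes. The following is an added example, not code from the original post: the TOTP computation pam_google_authenticator verifies, with a verify function whose window of one step on each side mirrors the module's default window_size of 3, run with a server clock that is off by various amounts. The secret is the RFC 6238 reference key, base32-encoded the way ~/.google_authenticator stores it; it and the timestamps are constructed test values, not a real account.

```python
"""Added example, not from the original post: TOTP (RFC 6238) as verified by
pam_google_authenticator, showing why a skewed server clock rejects valid codes."""
import base64
import hashlib
import hmac
import struct

# RFC 6238 reference secret b"12345678901234567890", base32 like ~/.google_authenticator
SAMPLE_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"

STEP = 30          # seconds per time step (TOTP default)
DIGITS = 6         # code length shown by the app


def hotp(secret, counter, digits=DIGITS):
    """HOTP (RFC 4226): HMAC-SHA1 over the 8-byte counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret_b32, unix_time, step=STEP, digits=DIGITS):
    """The code the phone shows at unix_time: HOTP with counter = time // step."""
    secret = base64.b32decode(secret_b32, casefold=True)
    return hotp(secret, int(unix_time) // step, digits)


def verify(secret_b32, code, server_time, window=1, step=STEP, digits=DIGITS):
    """Server-side check: accept the code if it matches the current step or any
    step within +/-window of it. window=1 corresponds to the module's default
    window_size of 3 (current step plus one on each side); the setup tool can
    widen it, at the cost of accepting older codes."""
    secret = base64.b32decode(secret_b32, casefold=True)
    counter = int(server_time) // step
    return any(
        hmac.compare_digest(hotp(secret, c, digits), code)
        for c in range(counter - window, counter + window + 1)
    )


def accepted_with_skew(secret_b32, client_time, server_skew, window=1):
    """The phone generates a code at client_time; the server clock is off by server_skew seconds."""
    return verify(secret_b32, totp(secret_b32, client_time), client_time + server_skew, window)


if __name__ == "__main__":
    t = 1234567890
    for skew in (0, 30, 90, -120):
        ok = accepted_with_skew(SAMPLE_SECRET_B32, t, skew)
        print(f"server clock off by {skew:5d}s: {'accepted' if ok else 'REJECTED'}")
```

With the default window a server that is more than about a minute off will reject every code the app produces, which is exactly the failure a missing NTP client causes.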

First, install or update the NTP daemon and ntpdate:

sudo apt-get update && sudo apt-get install -y ntp ntpdate

Next, set the time zone and get the date roughly right. tzselect only prints a TZ value and does not change the system setting; on Debian-based distributions the time zone is set with dpkg-reconfigure tzdata. The date has to be in the right ballpark because ntpd exits rather than step a clock that is off by more than about a thousand seconds (unless it is started with -g):

sudo dpkg-reconfigure tzdata
sudo date --set "2014-12-31 20:20:20"

Now edit the file ntp.conf:

sudo nano /etc/ntp.conf

and make sure it lists a few NTP servers, for example the Belgian pool used here (pick your own country's zone from pool.ntp.org):

server 0.be.pool.ntp.org
server 1.be.pool.ntp.org
server 2.be.pool.ntp.org
server 3.be.pool.ntp.org

Finally, restart the NTP service (on Debian/Ubuntu the service is called ntp, not ntpd):

sudo service ntp restart

After a few minutes ntpq -p should list the servers with a * in front of the one the daemon has synchronized to.
