LINUX, FOSS AND LIBRARY TECHNOLOGY ENTHUSIAST

Sunday, April 20, 2025

Securing SSH Access with Google Authenticator (TOTP) on Linux

In this blog post, we'll walk through the process of securing your SSH access with a combination of public key authentication and Time-Based One-Time Passwords (TOTP) using Google Authenticator. This method adds an extra layer of security to your SSH access, ensuring that only authorized users with the correct private key and a valid TOTP can log in.

Prerequisites

Before we begin, make sure you have:

  • A Windows/Linux machine (or any client) to generate the SSH keys.
  • Access to a Linux server where you want to secure SSH access.
  • An authenticator app (Google Authenticator, Microsoft Authenticator, or any other TOTP app) installed on your mobile device.

Step 1: Generate SSH Key Pair on Windows/Linux

Start by generating a new SSH key pair on your client machine. On Windows, open PowerShell or Git Bash (on Linux, a terminal) and run the following command:

ssh-keygen -t ed25519 -C "your-email@example.com"

When prompted for the file location, specify the path where you want to save the key. For example, on Windows:

C:\Users\YourUsername\Dropbox\SSH-KEY\id_ed25519

This will generate two files:

  • id_ed25519 (private key)
  • id_ed25519.pub (public key)

Step 2: Copy Public Key to the Linux Server

Next, you'll need to copy the public key to your Linux server. You can use the following command from your Windows machine:

type "C:\Users\YourUsername\Dropbox\SSH-KEY\id_ed25519.pub" | ssh username@192.168.1.100 "mkdir -p ~/.ssh && chmod 700 ~/.ssh && cat >> ~/.ssh/authorized_keys && chmod 600 ~/.ssh/authorized_keys"

Replace username with your Linux server’s username and 192.168.1.100 with the server's IP address.

This command does the following:

  • Creates the .ssh directory on the server if it doesn't already exist, and restricts it to the owner (chmod 700).
  • Appends your public key to the authorized_keys file and restricts that file to the owner (chmod 600), allowing you to authenticate via SSH using your private key.
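The one-liner above appends blindly: running it twice leaves two copies of the key in authorized_keys, and a malformed line is installed as-is. The script below is an added example (not part of this post) of the same step done idempotently: it validates the public-key line, creates .ssh with mode 700, writes authorized_keys with mode 600, and skips keys that are already present. The sample key is constructed in the code (a dummy 0..31 byte sequence, not a real key), and the home directory it writes into is a temporary one.

```python
import base64
import os
import stat
import struct
import tempfile
from pathlib import Path

# Key types this helper will install; anything else is rejected before it
# reaches authorized_keys.
ALLOWED_TYPES = {
    "ssh-ed25519", "ssh-rsa",
    "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521",
}

# Constructed sample: the OpenSSH ed25519 wire format is a length-prefixed
# type string followed by a length-prefixed 32-byte key. The key bytes here
# are a dummy 0..31 sequence, not a real key.
SAMPLE_KEY = (
    "ssh-ed25519 "
    + base64.b64encode(
        b"\x00\x00\x00\x0bssh-ed25519\x00\x00\x00\x20" + bytes(range(32))
    ).decode()
    + " your-email@example.com"
)


def parse_public_key(line: str) -> tuple:
    """Split '<type> <base64> [comment]' and verify the blob really encodes
    the declared key type. Raises ValueError on anything malformed."""
    parts = line.strip().split(None, 2)
    if len(parts) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    key_type, blob_b64 = parts[0], parts[1]
    comment = parts[2] if len(parts) == 3 else ""
    if key_type not in ALLOWED_TYPES:
        raise ValueError(f"unsupported key type {key_type!r}")
    try:
        blob = base64.b64decode(blob_b64, validate=True)
    except ValueError as exc:  # binascii.Error is a ValueError subclass
        raise ValueError("blob is not valid base64") from exc
    if len(blob) < 4:
        raise ValueError("blob too short")
    (n,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + n] != key_type.encode("ascii"):
        raise ValueError("blob type does not match declared type")
    return key_type, blob_b64, comment


def install_authorized_key(home: Path, pubkey_line: str) -> bool:
    """Append the key to home/.ssh/authorized_keys with the permissions sshd
    insists on (700 dir, 600 file). Returns False, without writing, if the same
    key blob is already present, so re-running never produces duplicate lines."""
    key_type, blob_b64, comment = parse_public_key(pubkey_line)
    ssh_dir = home / ".ssh"
    ssh_dir.mkdir(mode=0o700, exist_ok=True)
    os.chmod(ssh_dir, 0o700)  # mkdir's mode is masked by umask; enforce it
    auth_file = ssh_dir / "authorized_keys"
    existing = auth_file.read_text().splitlines() if auth_file.exists() else []
    if any(blob_b64 in entry.split() for entry in existing):
        return False
    with auth_file.open("a") as fh:
        fh.write(f"{key_type} {blob_b64} {comment}".rstrip() + "\n")
    os.chmod(auth_file, 0o600)
    return True


def run_demo() -> dict:
    """Install the sample key twice into a throwaway home directory and report
    what happened, so the idempotency and permission handling can be checked."""
    home = Path(tempfile.mkdtemp(prefix="ssh-demo-"))
    first = install_authorized_key(home, SAMPLE_KEY)
    second = install_authorized_key(home, SAMPLE_KEY)
    auth_file = home / ".ssh" / "authorized_keys"
    return {
        "first_added": first,
        "second_added": second,
        "entries": len(auth_file.read_text().splitlines()),
        "dir_mode": stat.S_IMODE((home / ".ssh").stat().st_mode),
        "file_mode": stat.S_IMODE(auth_file.stat().st_mode),
    }


if __name__ == "__main__":
    print(run_demo())
```

Run it on the server as the target user with home set to that user's home directory; the blob comparison ignores the comment field, so changing the e-mail comment on the client does not create a second entry.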

Step 3: Install Google Authenticator (TOTP) on Linux

On your Linux server, install the Google Authenticator PAM (Pluggable Authentication Module) for Time-Based One-Time Passwords:

sudo apt update
sudo apt install libpam-google-authenticator

After installation, run the following command as the user you intend to SSH into (e.g., username):

google-authenticator

This command will:

  • Generate a QR code that you need to scan with the Google Authenticator app on your phone.
  • Provide backup codes. Make sure to save these codes in case you lose access to your phone.

The command will create a file called .google_authenticator in the user's home directory, which stores your secret key and other TOTP settings.
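To make the contents of that file concrete, here is an added example (not part of this post, and not the pam_google_authenticator source) that parses a constructed .google_authenticator file, derives a TOTP code from the secret exactly as the phone app does (RFC 4226 HOTP with RFC 6238 time steps: HMAC-SHA1, 30-second step, 6 digits), and verifies a submitted code the way the server side should: with a small clock-skew window, constant-time comparison, and rejection of a time step that has already been used. The secret is the RFC 6238 reference secret so the output can be checked against the published vectors; the option lines and scratch codes in the sample file are constructed.

```python
import base64
import hashlib
import hmac
import struct
import time

# Google Authenticator defaults (RFC 6238): HMAC-SHA1, 6 digits, 30-second steps.
STEP_SECONDS = 30
DIGITS = 6

# The RFC 6238 reference secret, base32-encoded the way .google_authenticator stores it.
RFC_SECRET = base64.b32encode(b"12345678901234567890").decode()

# Constructed sample of a ~/.google_authenticator file: line 1 is the secret,
# lines beginning with a double quote are options, the 8-digit lines are the
# emergency scratch codes. (Constructed for this example, not copied from a host.)
SAMPLE_FILE = f"""{RFC_SECRET}
" RATE_LIMIT 3 30
" WINDOW_SIZE 3
" DISALLOW_REUSE
" TOTP_AUTH
12345678
23456789
"""


def parse_google_authenticator(contents: str) -> dict:
    """Pull the secret, option flags and scratch codes out of the file text."""
    lines = [ln.strip() for ln in contents.splitlines() if ln.strip()]
    if not lines:
        raise ValueError("empty file")
    return {
        "secret": lines[0],
        "options": [ln[1:].strip() for ln in lines[1:] if ln.startswith('"')],
        "scratch_codes": [ln for ln in lines[1:] if ln.isdigit() and len(ln) == 8],
    }


def hotp(secret_b32: str, counter: int) -> str:
    """RFC 4226: HMAC-SHA1 over the big-endian counter, dynamic truncation, mod 10^DIGITS."""
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)
    key = base64.b32decode(padded)
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** DIGITS:0{DIGITS}d}"


def totp(secret_b32: str, at: int = None) -> str:
    """RFC 6238: the HOTP counter is the number of 30-second steps since the Unix epoch."""
    if at is None:
        at = int(time.time())
    return hotp(secret_b32, at // STEP_SECONDS)


class TotpVerifier:
    """Server-side check in the spirit of pam_google_authenticator: tolerate
    +/- window steps of clock skew, compare in constant time, and never accept
    a time step that has already been consumed (the module's DISALLOW_REUSE)."""

    def __init__(self, secret_b32: str, window: int = 1):
        self.secret = secret_b32
        self.window = window
        self.last_accepted = -1

    def verify(self, submitted: str, at: int = None) -> bool:
        if at is None:
            at = int(time.time())
        submitted = submitted.strip()
        if not (submitted.isdigit() and len(submitted) == DIGITS):
            return False
        counter = at // STEP_SECONDS
        for step in range(counter - self.window, counter + self.window + 1):
            if step <= self.last_accepted:
                continue  # replay of an already-consumed step
            if hmac.compare_digest(hotp(self.secret, step), submitted):
                self.last_accepted = step
                return True
        return False


if __name__ == "__main__":
    info = parse_google_authenticator(SAMPLE_FILE)
    print("scratch codes on file:", len(info["scratch_codes"]))
    print("current code for the sample secret:", totp(info["secret"]))
```

Two things the code makes visible: anyone who can read the first line of .google_authenticator can generate valid codes, which is why the tool creates the file with mode 400, and the server and phone only agree on a code if their clocks agree to within the window, so keep the server's time synchronised.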

Step 4: Configure SSH for Key-Based Authentication and TOTP

Now, you need to configure the SSH server to require both SSH key authentication and TOTP. Start by editing the SSH server configuration:

sudo nano /etc/ssh/sshd_config

Add or modify the following lines:

PasswordAuthentication no
KbdInteractiveAuthentication yes
AuthenticationMethods publickey,keyboard-interactive

  • PasswordAuthentication no disables password-based login.
  • KbdInteractiveAuthentication yes allows interactive keyboard authentication (in this case, TOTP).
  • AuthenticationMethods publickey,keyboard-interactive ensures that both the SSH key and TOTP are required for login.

Step 5: Configure PAM to Use TOTP

Next, you need to configure PAM to use Google Authenticator for SSH authentication. Edit the PAM configuration file for SSH:

sudo nano /etc/pam.d/sshd

Add the following line to the top of the file:

auth required pam_google_authenticator.so

This tells PAM to use the Google Authenticator module for authenticating users.

If you see the line @include common-auth, comment it out by adding a # at the beginning so that it reads # @include common-auth. This disables the regular password check for SSH logins, so PAM prompts only for the TOTP code.
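Steps 4 and 5 together decide whether the server really enforces key-plus-TOTP, and a single stray line (an early duplicate keyword, a Match block, an @include left active) silently undoes them. The following is an added example (not part of this post) of a small audit in Python that reads the text of sshd_config and /etc/pam.d/sshd and reports anything that falls short; it applies sshd's first-occurrence rule for duplicate keywords and flags overrides inside Match blocks. UsePAM is checked as well because the PAM module cannot run without it (Debian and Ubuntu ship UsePAM yes). The weak and hardened configuration samples are constructed for the example, not taken from a real host.

```python
import re

# Values sshd falls back to when a keyword is absent (OpenSSH defaults).
SSHD_DEFAULTS = {
    "passwordauthentication": "yes",
    "kbdinteractiveauthentication": "yes",
    "authenticationmethods": "any",
    "usepam": "no",
}

# What key + TOTP enforcement needs; UsePAM goes beyond the post's three lines.
SSHD_REQUIRED = {
    "passwordauthentication": "no",
    "kbdinteractiveauthentication": "yes",
    "authenticationmethods": "publickey,keyboard-interactive",
    "usepam": "yes",
}

# Constructed sample configurations (not taken from any real host).
WEAK_SSHD = """\
#KbdInteractiveAuthentication yes
PasswordAuthentication yes
UsePAM yes
"""
HARDENED_SSHD = """\
PasswordAuthentication no
KbdInteractiveAuthentication yes
AuthenticationMethods publickey,keyboard-interactive
UsePAM yes
"""
# Hardened, but a Match block quietly re-enables passwords for one subnet.
MATCH_OVERRIDE_SSHD = HARDENED_SSHD + """\
Match Address 192.168.1.0/24
    PasswordAuthentication yes
"""
WEAK_PAM = """\
@include common-auth
account required pam_nologin.so
"""
HARDENED_PAM = """\
auth required pam_google_authenticator.so
# @include common-auth
account required pam_nologin.so
"""


def parse_sshd_config(text: str) -> tuple:
    """Return (effective, overrides). sshd honours the FIRST occurrence of a
    keyword, so later duplicates are ignored; keywords inside a Match block
    apply only conditionally and are collected separately."""
    effective, overrides = {}, []
    in_match = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key = parts[0].lower()
        val = parts[1].strip().lower() if len(parts) > 1 else ""
        if key == "match":
            in_match = True
            continue
        if in_match:
            overrides.append((key, val))
        else:
            effective.setdefault(key, val)
    return effective, overrides


def check_sshd_config(text: str) -> list:
    """List every way the sshd_config text falls short of key + TOTP enforcement."""
    effective, overrides = parse_sshd_config(text)
    findings = []
    for key, want in SSHD_REQUIRED.items():
        got = effective.get(key, SSHD_DEFAULTS[key])
        if got != want:
            findings.append(f"{key}: effective value {got!r}, want {want!r}")
    for key, val in overrides:
        if key in SSHD_REQUIRED and val != SSHD_REQUIRED[key]:
            findings.append(f"{key}: set to {val!r} inside a Match block")
    return findings


def check_pam_sshd(text: str) -> list:
    """Confirm the TOTP module is active and the password stack is not pulled back in."""
    findings, saw_module = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # a commented '# @include common-auth' is inactive, as intended
        fields = line.split()
        if fields[0] == "@include" and "common-auth" in fields[1:]:
            findings.append("common-auth is still included: the password stack remains active")
        elif fields[0] == "auth" and "pam_google_authenticator.so" in fields:
            saw_module = True
            if fields[1] not in ("required", "requisite"):
                findings.append(f"pam_google_authenticator.so control is {fields[1]!r}, expected 'required'")
    if not saw_module:
        findings.append("no active 'auth ... pam_google_authenticator.so' line")
    return findings


if __name__ == "__main__":
    print("weak:", check_sshd_config(WEAK_SSHD), check_pam_sshd(WEAK_PAM))
    print("hardened:", check_sshd_config(HARDENED_SSHD), check_pam_sshd(HARDENED_PAM))
```

On a real server, feed the two functions the contents of /etc/ssh/sshd_config and /etc/pam.d/sshd (and any files pulled in by an Include directive, which this parser does not follow). Before the restart in Step 6, keep a second SSH session open so a mistake can be corrected; a user who has not yet run google-authenticator has no secret file and will be refused unless the module line carries the nullok option.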

Step 6: Restart SSH Service

Once you've updated the configuration files, restart the SSH service to apply the changes:

sudo systemctl restart ssh

Step 7: Test the Configuration

To test the setup, try logging in from your client machine using the following SSH command:

ssh -i "C:\Users\YourUsername\Dropbox\SSH-KEY\id_ed25519" username@192.168.1.100

You will first be asked to authenticate using your SSH key. Once that’s successful, the system will prompt you to enter the TOTP code from your Google Authenticator app.

If both the SSH key and TOTP code are correct, you will be granted access to the server.
