Securing SSH with Google Authenticator (TOTP) is easy to do and adds security to your server quickly.
I'll outline how to do it below:
Install Google Authenticator
To begin, we need to install the Google Authenticator PAM module. To install it on Ubuntu, use the command below:
sudo apt-get install libpam-google-authenticator
This only installs the PAM module; we will need to activate it manually later on.
Create an Authentication Key
Log in as the user you want to secure and run:
google-authenticator
It will then ask you some questions on how you would like it to behave.
Once done, it will present you with a secret key and some "emergency scratch codes". Write these codes down, as they are one-use codes kept just in case you lose your phone.
Enter the secret key in the Google Authenticator app on your Android, Apple or Blackberry device. You need to do this for every user you intend to use with SSH.
Activate Google Authenticator
First off run the following:
sudo nano /etc/pam.d/sshd
Then add the following line to the end of the file:
auth required pam_google_authenticator.so
Next open:
sudo nano /etc/ssh/sshd_config
Then find the ChallengeResponseAuthentication line and change it as follows:
ChallengeResponseAuthentication yes
Finally restart the SSH server:
sudo service ssh restart
That's it... easy eh?
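A check worth running just before the restart step above, as an added example that is not part of the original post: it confirms that the PAM line is active and that the first global ChallengeResponseAuthentication value sshd will read is yes. The function names are illustrative, and the handling of the KbdInteractiveAuthentication alias (OpenSSH 8.7 and later) goes slightly beyond what the post covers.

```shell
#!/bin/sh
# Added example (not from the original post): check both edits before
# restarting sshd. Function names are illustrative; paths are those used above.

# Succeed if an uncommented "auth" line loads pam_google_authenticator.so.
pam_has_totp() {
    grep -Eq '^[[:space:]]*auth[[:space:]]+[^#]*pam_google_authenticator\.so' "$1"
}

# Print the first global value of ChallengeResponseAuthentication.
# sshd keeps the first value it reads for a keyword, keywords are
# case-insensitive, and OpenSSH 8.7+ treats this keyword as an alias of
# KbdInteractiveAuthentication, so an earlier "no" under either name wins.
sshd_challenge_value() {
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }       # skip comments and blank lines
        {
            line = $0
            sub(/^[ \t]+/, "", line)
            sub(/=/, " ", line)                 # "Keyword=value" is also valid
            split(line, f, /[ \t]+/)
            key = tolower(f[1])
            if (key == "match") exit            # Match blocks are conditional
            if (key == "challengeresponseauthentication" ||
                key == "kbdinteractiveauthentication") {
                print f[2]; exit
            }
        }' "$1"
}

check_ssh_totp() {
    pam_file="${1:-/etc/pam.d/sshd}"
    sshd_file="${2:-/etc/ssh/sshd_config}"
    rc=0
    if ! pam_has_totp "$pam_file"; then
        echo "FAIL: no active pam_google_authenticator.so auth line in $pam_file"
        rc=1
    fi
    value="$(sshd_challenge_value "$sshd_file")"
    if [ "$value" != "yes" ]; then
        echo "FAIL: challenge-response is '${value:-unset}' in $sshd_file"
        rc=1
    fi
    if [ "$rc" -eq 0 ]; then echo "OK: PAM module active, challenge-response on"; fi
    return "$rc"
}

# Run against the live files only when asked: sh check.sh --live
if [ "${1:-}" = "--live" ]; then check_ssh_totp; fi
```

Keep your current SSH session open while you test a new login after the restart. On the server itself, `sudo sshd -T` prints the effective configuration, including any Include files this check does not follow.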
About the author
Aaron Sadler
Aaron Sadler, Umbraco MVP (2x), Umbraco Certified Master Developer and DevOps Engineer