Ubuntu server PAM authentication with private key & Google Authenticator
As I started using pageant to handle my SSH key management and automate SSH logins, I saved a few seconds on each login. So I thought: why not spend those saved seconds on an extra layer of security? The simplest option was Google Authenticator. Once the app is installed on your phone (Android/iOS), you can generate a QR code on the server (it is printed right in the terminal, a pretty cool idea if you ask me) and link it to your phone. With this setup, anyone who wants to access your server needs the private key (and its passphrase, if pageant is not running) and your phone. And they need the phone at that very moment, because the code changes every 30 seconds by default.
If you like the idea, let's get started by installing the PAM module by Google:
apt install libpam-google-authenticator
Then launch the authenticator as the user you log in with (not via sudo, because the secret is written to that user's ~/.google_authenticator) and walk through the setup:
google-authenticator
and scan the resulting QR code with your phone. The setup also prints emergency scratch codes; store them somewhere safe, they are your way in if the phone is lost.
Now we need to enable this module for PAM in /etc/pam.d/sshd. Commenting out common-auth means the keyboard-interactive step asks only for the verification code, not for the Unix password:
# Standard Un*x authentication.
#@include common-auth
# Standard Un*x password updating.
@include common-password
auth required pam_google_authenticator.so nullok
The nullok option lets users who have not yet run google-authenticator log in with their key alone. Keep it while you roll the setup out to everyone, then drop it so a missing ~/.google_authenticator denies the login instead of skipping the second factor.
and for SSH, in /etc/ssh/sshd_config:
ChallengeResponseAuthentication yes
UsePAM yes
AuthenticationMethods publickey,keyboard-interactive
The comma-separated list means both methods must succeed, in that order: a key alone or a code alone is not enough, and a plain password login is no longer possible. On OpenSSH 8.7 and later, ChallengeResponseAuthentication is a deprecated alias for KbdInteractiveAuthentication; the old keyword is still accepted.
Optional: If you have GitLab running on the same machine, its 'git' user authenticates with SSH keys only and has no authenticator, so set the authentication methods for that user back to 'publickey'. Match blocks belong at the very end of sshd_config, because every directive after a Match header applies only to that block:
Match User git
    AuthenticationMethods publickey
Finally restart the SSH service. Keep your current session open and test the new login from a second terminal, so a mistake in the configuration does not lock you out:
systemctl restart sshd
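The steps above as a small, re-runnable script. This is an added example written for this page, not code from the original post or from the google-authenticator project. It assumes the Ubuntu default paths /etc/ssh/sshd_config and /etc/pam.d/sshd (both overridable, so you can dry-run it on copies), and it only uses POSIX awk so it works with Ubuntu's default mawk. The function names set_sshd_option, get_sshd_option, check_pam_sshd and apply_live are my own. It demonstrates two things the prose only hints at: sshd takes the first occurrence of a keyword, and anything appended after a Match block (such as the GitLab one) is swallowed by that block, so new global directives are rewritten in place or inserted before the first Match.

```shell
#!/bin/sh
# Added example, not part of the original post: apply the key + TOTP setup
# idempotently and check it before restarting sshd.
set -eu

# set_sshd_option FILE KEYWORD VALUE
# Rewrites the first global occurrence of KEYWORD (even a commented-out one)
# or inserts the directive just before the first Match block. sshd uses the
# first value it sees, and lines after "Match" belong to that block, so a
# blind "echo >> sshd_config" would either be ignored or scoped to Match.
set_sshd_option() {
  file=$1; key=$2; value=$3
  tmp=$(mktemp)
  awk -v key="$key" -v value="$value" '
    BEGIN { done = 0; inmatch = 0 }
    {
      k = $1; sub(/^#+/, "", k)                     # keyword with a leading "#" stripped
      if (!inmatch && tolower($1) == "match") {     # first Match header ends the global section
        inmatch = 1
        if (!done) { print key " " value; done = 1 }
      }
      if (!inmatch && !done && tolower(k) == tolower(key)) {
        print key " " value; done = 1; next         # replace first global occurrence
      }
      print
    }
    END { if (!done) print key " " value }          # no Match block at all: append
  ' "$file" > "$tmp" && cat "$tmp" > "$file" && rm -f "$tmp"   # cat keeps mode/owner
}

# get_sshd_option FILE KEYWORD
# Prints the value sshd would use in the global section (first active
# occurrence before any Match block), or nothing if it is unset there.
get_sshd_option() {
  awk -v key="$2" '
    tolower($1) == "match" { exit }
    tolower($1) == tolower(key) { $1 = ""; sub(/^ +/, ""); print; exit }
  ' "$1"
}

# check_pam_sshd FILE
# Succeeds when pam_google_authenticator.so is an active auth rule and
# "@include common-auth" is commented out (so the keyboard-interactive step
# asks for the code only). Warns if nullok is still set.
check_pam_sshd() {
  file=$1
  if ! grep -Eq '^[[:space:]]*auth[[:space:]]+required[[:space:]]+pam_google_authenticator\.so' "$file"; then
    echo "pam_google_authenticator.so is not an active auth rule in $file" >&2
    return 1
  fi
  if grep -Eq '^[[:space:]]*@include[[:space:]]+common-auth' "$file"; then
    echo "common-auth is still included in $file: the Unix password is still asked for" >&2
    return 1
  fi
  if grep -Eq '^[[:space:]]*auth.*pam_google_authenticator\.so.*nullok' "$file"; then
    echo "warning: nullok set, users without ~/.google_authenticator skip the second factor" >&2
  fi
  return 0
}

# apply_live [SSHD_CONFIG] [PAM_SSHD]
# Writes the settings from the post, checks PAM, and validates the sshd
# config with "sshd -t" before restarting. Run as root, e.g.:
#   . ./ssh-2fa.sh && apply_live
# Keep an existing session open until a new login with key + code works.
apply_live() {
  sshd_cfg=${1:-/etc/ssh/sshd_config}
  pam_cfg=${2:-/etc/pam.d/sshd}
  set_sshd_option "$sshd_cfg" UsePAM yes
  set_sshd_option "$sshd_cfg" ChallengeResponseAuthentication yes   # alias of KbdInteractiveAuthentication on OpenSSH >= 8.7
  set_sshd_option "$sshd_cfg" AuthenticationMethods publickey,keyboard-interactive
  check_pam_sshd "$pam_cfg"
  sshd -t -f "$sshd_cfg"      # refuses to go on if the config does not parse
  systemctl restart sshd
}
```

apply_live is the only function that touches the running system and is not called when the file is sourced, so the other three can be exercised against copies of the two config files first.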