Setting-Up Google Authenticator for SSH 2FA
Securing remote access to a FreeBSD server is crucial, and enabling two-factor authentication (2FA) for SSH is an excellent way to add an extra layer of security. Google Authenticator is a popular choice for implementing Time-based One-Time Passwords (TOTP) for 2FA.
1. Install Google Authenticator PAM Module
Google Authenticator requires the pam_google_authenticator module to generate and validate OTPs. Install it using the FreeBSD package manager.
pkg install pam_google_authenticator
2. Configure Google Authenticator for Your User
Each user who will use 2FA needs to configure Google Authenticator individually. Log in as the user and run:
google-authenticator
You will be prompted with several questions. Answer as follows:
- Do you want authentication tokens to be time-based? Enter y.
- A QR code will be displayed. Scan it using the Google Authenticator app on your phone.
- Save the provided emergency backup codes in a secure location.
- Do you want me to update your .google_authenticator file? Enter y.
- Do you want to disallow multiple uses of the same token? Enter y.
- Do you want to increase the time window? Enter n unless you experience frequent login failures due to time sync issues.
- Do you want to enable rate-limiting? Enter y to limit login attempts.
This process generates a .google_authenticator file in the user's home directory.
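To make concrete what the prompts above configure, here is an added Python example (not part of this guide and not the PAM module's own code) that derives Google Authenticator codes from a base32 secret, the form stored in .google_authenticator, following RFC 6238 (HMAC-SHA1, 30-second step, 6 digits), and then validates submitted codes with the two behaviours the prompts ask about: a bounded time window to absorb clock skew, and refusal of a token that has already been accepted. The secret used is the RFC 6238 Appendix B test key, not a real one, and the names hotp, totp and TotpVerifier are this example's own.

```python
import base64
import hashlib
import hmac
import struct
import time

# Parameters Google Authenticator uses for TOTP (RFC 6238): HMAC-SHA1, 30 s step, 6 digits.
STEP_SECONDS = 30
DIGITS = 6

# Constructed test key: the RFC 6238 Appendix B secret "12345678901234567890", base32-encoded,
# which is the form a .google_authenticator file stores. Not a real user's secret.
TEST_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def decode_secret(secret_b32):
    """Decode a base32 secret, tolerating the '=' padding that google-authenticator omits."""
    s = secret_b32.strip().upper()
    return base64.b32decode(s + "=" * (-len(s) % 8))


def hotp(secret, counter, digits=DIGITS):
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret_b32, at, step=STEP_SECONDS):
    """TOTP code for the base32 secret at Unix time `at` (counter = floor(at / step))."""
    return hotp(decode_secret(secret_b32), at // step)


class TotpVerifier:
    """Accept a code if it matches one of the time steps within +/- `window` of now and that
    step has not been accepted before. window=1 mirrors the default prompt answer; a larger
    window is what "increase the time window" trades for skew tolerance. Spent steps are kept
    in memory here; the PAM module persists them in .google_authenticator."""

    def __init__(self, secret_b32, window=1):
        self.secret = decode_secret(secret_b32)
        self.window = window
        self.used_steps = set()

    def verify(self, code, at=None):
        # Reject anything that is not exactly DIGITS ASCII digits before comparing.
        if not (len(code) == DIGITS and code.isascii() and code.isdigit()):
            return False
        now = int(time.time()) if at is None else int(at)
        current = now // STEP_SECONDS
        for counter in range(current - self.window, current + self.window + 1):
            if counter in self.used_steps:
                continue  # a token for this step was already spent: refuse the replay
            if hmac.compare_digest(hotp(self.secret, counter), code):
                self.used_steps.add(counter)
                return True
        return False


if __name__ == "__main__":
    # RFC 6238 Appendix B: at T=59 the 8-digit SHA-1 code is 94287082, so 6 digits give 287082.
    print(totp(TEST_SECRET_B32, 59))          # 287082
    v = TotpVerifier(TEST_SECRET_B32, window=1)
    print(v.verify("287082", at=59))          # True
    print(v.verify("287082", at=59))          # False: same token submitted again
```

The window check runs before the replay check, so a code from the previous 30-second step is still accepted once when clocks drift slightly, but never twice; widening the window only enlarges the set of steps a submitted code may match, it does not weaken the replay refusal.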
3. Configure SSH to Use Google Authenticator
Modify the SSH PAM configuration file to enable Google Authenticator. Open the file:
nano /etc/pam.d/sshd
Add the following line at the top:
auth required /usr/local/lib/pam_google_authenticator.so
Save and exit.
Next, modify the SSH daemon configuration file:
nano /etc/ssh/sshd_config
Locate and modify (or add) the following lines:
ChallengeResponseAuthentication yes
UsePAM yes
Optionally, ensure that PasswordAuthentication is enabled to allow password+OTP authentication:
PasswordAuthentication yes
Save the file and restart the SSH service:
sudo service sshd restart
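Before restarting sshd it is worth confirming that all three pieces from step 3 are actually in place, since a mistake here can lock you out of remote access (keep an existing session open until a fresh login with password+OTP succeeds). The following added Python example, not part of this guide, audits the two files offline: it parses sshd_config the way sshd does (first occurrence of a keyword wins, directives inside a Match block are conditional) and checks the PAM service for an auth line that loads pam_google_authenticator.so with a control of required or requisite. It also accepts KbdInteractiveAuthentication, since OpenSSH 8.7 and later document ChallengeResponseAuthentication as an alias of that keyword. The sample configuration strings are constructed for the example and the function names are its own.

```python
PAM_MODULE = "pam_google_authenticator.so"


def parse_sshd_config(text):
    """Map lowercase keyword -> value for top-level sshd_config directives.
    sshd honours the first occurrence of a keyword, so earlier lines win; parsing stops at the
    first Match block because directives inside it apply only conditionally."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        if key == "match":
            break
        settings.setdefault(key, value)
    return settings


def pam_enforces_otp(pam_text):
    """True when an 'auth' line with control 'required' or 'requisite' loads the module
    (the guide's line is `auth required /usr/local/lib/pam_google_authenticator.so`).
    'sufficient' or 'optional' would let a login succeed without the OTP, so they do not count."""
    for raw in pam_text.splitlines():
        parts = raw.split("#", 1)[0].split()
        if (len(parts) >= 3 and parts[0] == "auth"
                and parts[1] in ("required", "requisite")
                and parts[2].endswith(PAM_MODULE)):
            return True
    return False


def audit_ssh_2fa(sshd_text, pam_text):
    """Return the settings from the guide that are missing or wrong; [] means all are present."""
    cfg = parse_sshd_config(sshd_text)
    findings = []
    if cfg.get("usepam") != "yes":
        findings.append("UsePAM is not set to yes")
    # ChallengeResponseAuthentication is the older spelling of KbdInteractiveAuthentication;
    # either keyword set to yes satisfies the check.
    kbd = cfg.get("kbdinteractiveauthentication", cfg.get("challengeresponseauthentication"))
    if kbd != "yes":
        findings.append("ChallengeResponseAuthentication/KbdInteractiveAuthentication is not yes")
    if not pam_enforces_otp(pam_text):
        findings.append("no 'auth required ... %s' line in the PAM sshd service" % PAM_MODULE)
    return findings


# Constructed sample files (not copied from any host) to exercise the audit offline.
GOOD_SSHD_CONFIG = """\
# sshd_config after following the guide
ChallengeResponseAuthentication yes
UsePAM yes
PasswordAuthentication yes
"""
GOOD_PAM_SSHD = """\
auth required /usr/local/lib/pam_google_authenticator.so
auth sufficient pam_opie.so no_warn no_fake_prompts
auth required pam_unix.so no_warn try_first_pass
"""
BAD_SSHD_CONFIG = """\
#ChallengeResponseAuthentication yes
UsePAM yes
PasswordAuthentication yes
"""
BAD_PAM_SSHD = """\
# module installed but never referenced
auth required pam_unix.so no_warn try_first_pass
"""

if __name__ == "__main__":
    print(audit_ssh_2fa(GOOD_SSHD_CONFIG, GOOD_PAM_SSHD))  # []
    for finding in audit_ssh_2fa(BAD_SSHD_CONFIG, BAD_PAM_SSHD):
        print("finding:", finding)
```

To audit a live system, pass the contents of /etc/ssh/sshd_config and /etc/pam.d/sshd to audit_ssh_2fa; an empty list is the condition under which the restart in the last step is safe to run, and each finding names the line from step 3 that still needs attention.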