Introduction
Normally, we only need to enter a password or use an SSH key to log in to our server remotely. With two-factor authentication (2FA), users need to pass two authentication layers to access an account. Here the second layer is a time-based one-time password, which is computed using the TOTP algorithm.
This article explains how to add public-key two-factor authentication on openSUSE.
Prerequisites
- A root or non-root user with sudo privileges.
- A smartphone running Android or Apple iOS with an OATH-TOTP app installed.
Install Google’s PAM Package
Pluggable Authentication Modules (PAM) is a mechanism that provides multi-factor authentication on the Linux platform.
- Install the Google Authenticator PAM module for multi-factor authentication using the command below.
# sudo zypper install -y google-authenticator-libpam
- Then run the following command to initialize PAM and create a secret key in the home directory.
# google-authenticator
- In the next step, scan the QR code with the Google Authenticator app. If you don’t want to scan the QR code, you can enter the secret key on the Google Authenticator app on your phone. Once it’s added, you’ll see a six-digit code that changes every 30 seconds in your app.
Configure SSH to Use Google Authenticator
- To configure SSH to use Google Authenticator, open the /etc/pam.d/sshd file.
# sudo nano /etc/pam.d/sshd
- To enable 2FA in SSH, make the following changes, as shown in the snippet below.
a) Include a two-factor authentication configuration.
b) Comment out standard Unix authentication.
# two-factor authentication via Google Authenticator
auth required pam_google_authenticator.so
# auth include common-auth
- Add the line below to the /etc/ssh/sshd_config file.
ChallengeResponseAuthentication yes
- Add the lines below to the /etc/ssh/sshd_config file to enable public-key authentication and challenge-response authentication.
PermitRootLogin yes
AuthenticationMethods publickey,keyboard-interactive
- Save and close the file. Then restart the SSH daemon for the change to take effect.
# sudo systemctl restart sshd.service
- Your SSH server is now configured with multi-factor authentication. On the remote system, open a terminal and log in to the server via SSH. You will be asked to provide your system password and the verification code generated by Google Authenticator.