Skip to main content

Public key Two-factor authentication with OpenSUSE

  • Updated

Introduction

Normally, we only need to enter a password or use an SSH key to log in to our server remotely. In Two-factor authentication, users need to pass two authentication layers to access an account. 2FA is a time-based, one-time password to log in to the server. This one-time password is computed using the TOTP algorithm.

This article will explain how to add Public key Two-factor authentication with OpenSUSE.

Prerequisites

  • A root or non-root user with sudo privileges.
  • A smartphone running Android or Apple iOS with the OATH-TOTP app installed.

Install Google’s PAM Package

Pluggable Authentication Module(PAM), is a mechanism that provides multi-factor authentication on the Linux platform.

  1. Install the Google Authenticator(PAM) for multi-factor authentication, using the below command. 
    # sudo zypper -y install google-authenticator-libpam
  2. Then run the following command to initialize PAM and create a secret key in the home directory. 
    # google-authenticator
    google_auth.PNG
  3. In the next step, scan the QR code with the Google Authenticator app. If you don’t want to scan the QR code, you can enter the secret key on the Google Authenticator app on your phone. Once it’s added, you’ll see a six-digit code that changes every 30 seconds in your app.

Configure SSH to Use Google Authenticator

  1. Need to configure SSH to use Google Authenticator open /etc/pam.d/sshd file. 
    # sudo nano /etc/pam.d/sshd
  2. To enable 2FA in SSH, do the following changes as shown in the below snippet.
    a) Include a two-factor authentication configuration.
    b) Comment out standard Unix authentication. 
    # two-factor authentication via Google Authenticator
    auth required pam_google_authenticator.so
    # auth include common-auth
    comment-common-auth.PNG
  3. Add the below lines to the /etc/ssh/sshd_configfile. 
    ChallengeResponseAuthentication yes
    change-to-yes.PNG
  4. Add the below code in the /etc/ssh/sshd_configfile to enable the public-key authentication and challenge-response authentication. 
    PermitRootLogin yes
    AuthenticationMethods publickey,keyboard-interactive
    auth-method-opensuse.PNG
  5. Save and close the file. Then restart the SSH daemon for the change to take effect. 
    # sudo systemctl restart sshd.service
  6. Your SSH server is now configured with multi-factor authentication. On the remote system, open a terminal and log in to the server via SSH You will be asked to provide your system password and Verification code generated by Google Authenticator.
    opensuse-verify.PNG