Securing SSH with Two-Factor Authentication: A Linux and Proxmox Guide

This article contains affiliate links. If you buy through these links, I earn a small commission at no extra cost to you.

Introduction

As a system administrator, securing SSH access is crucial for protecting my servers. That’s why I’ve implemented two-factor authentication (2FA) on my Linux and Proxmox systems. In this guide, I’ll walk you through the process of securing SSH with 2FA, step by step.

I’ve found that adding this extra layer of security reduces the risk of unauthorized access, even if someone manages to get hold of a password. Whether running a standard Linux distribution or a Proxmox virtualization environment, these steps will help you lock down your SSH connections.


Let’s dive in and strengthen your server’s defenses!


Prerequisites

Before securing SSH with two-factor authentication, I always ensure I have everything I need. Here’s what you should check:

  1. Access: Ensure you have root or sudo access to your Linux or Proxmox system.
  2. SSH: Verify that SSH is installed and running. On most systems, I check this with:
Bash
systemctl status ssh

or

Bash
systemctl status sshd

Look for “Active: active (running)” in the output. This confirms that SSH is installed and running. SSH may not be installed or running if neither command shows an active service.

  3. Package Manager: Make sure your package manager is up-to-date. I run:
Bash
apt update
  4. Google Authenticator PAM Module: Let’s check if it’s already installed:
Bash
dpkg -s libpam-google-authenticator

If you see “package is not installed,” don’t worry. We’ll install it in the next step.

  5. Mobile Device: You’ll need a smartphone with a TOTP (Time-based One-Time Password) app. I use Google Authenticator, but Microsoft Authenticator, Authy, or any other TOTP-compatible app will work just as well. Choose whichever you’re most comfortable with.

With these prerequisites, we can start setting up two-factor authentication for SSH. In the next section, I’ll show you how to install the necessary software if it’s not already on your system.


Installing the Google Authenticator PAM Module

If we discovered in the prerequisites that the Google Authenticator PAM module wasn’t installed, let’s take care of that now. You can skip this step if you’ve already confirmed it’s installed.

To install the module:

Bash
sudo apt install libpam-google-authenticator

After the installation is completed, I always verify it was successful:

Bash
dpkg -s libpam-google-authenticator | grep Status

This should return “Status: install ok installed” if everything went well.

With the PAM module now installed (or confirmed to be already present), we’re ready to set up 2FA for our user accounts. In the next section, I’ll guide you through configuring it for your first user.



Setting Up 2FA for a User

Now that we have installed the Google Authenticator PAM module, let’s set it up for a user. I’ll do this for my account, but you can apply these steps to any user on your system. My username is ‘edyadmin’.

  1. First, I switch to the user account I want to set up 2FA for:
Bash
su - username

Replace ‘username’ with the actual username.

  2. Now, I run the google-authenticator command:
Bash
google-authenticator
  3. The command will ask several questions. Here’s how I typically respond:
    • “Do you want authentication tokens to be time-based?” I answer ‘y’ for yes.
    • It will then display a QR code and a secret key. I scan this QR code with my smartphone’s authenticator app.
    • “Do you want me to update your “~/.google_authenticator” file?” I answer ‘y’.
    • “Do you want to disallow multiple uses of the same authentication token?” I usually answer ‘y’ for better security.
    • “By default, tokens are good for 30 seconds. Do you want to change this?” I typically answer ‘n’ to keep the default.
    • “If the computer you are logging into isn’t hardened against brute-force login attempts, you can enable rate-limiting.” I answer ‘y’ to enable this protection.
  4. After answering these questions, the setup is complete. I save the emergency scratch codes displayed – they’re crucial if I lose access to my authenticator app.

With these steps, I successfully set up 2FA for my user account. In the next sections, we’ll configure SSH to use this new authentication method.


Modifying PAM Configuration

Now that we’ve set up 2FA for our user, we need to configure PAM (Pluggable Authentication Modules) to use it with SSH. Here’s how I do it:

  1. First, I open the PAM configuration file for SSH:
Bash
sudo nano /etc/pam.d/sshd
  2. At the top of this file, right after the @include common-auth line (if it exists), I add:
Bash
@include common-auth
auth required pam_google_authenticator.so nullok

What does the ‘nullok’ option do?

  1. Without ‘nullok’:
    • 2FA is strictly required for all users.
    • Users who haven’t set up 2FA won’t be able to log in at all.
  2. With ‘nullok’:
    • 2FA is required only for users who have set it up.
    • Users who haven’t set up 2FA can still log in with their password or SSH key.
  3. I save the file and exit the editor (in nano, that’s Ctrl+O, then Enter and Ctrl+X to exit the editor).
  4. Next, I open the SSH daemon configuration file:
Bash
sudo nano /etc/ssh/sshd_config
  5. In this file, I look for the lines that say:
PubkeyAuthentication yes
PasswordAuthentication yes
KbdInteractiveAuthentication yes
UsePAM yes
AuthenticationMethods keyboard-interactive,publickey keyboard-interactive

This allows authentication with either a public key + password or a public key + 2FA code.

If these lines are not present in your sshd_config file, you have to add them.

  6. I save this file and exit the editor as well.

After making these changes, we need to restart the SSH service so that they take effect. We’ll do that in the next section and test our new setup.
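
A read-only check of the two files edited above, as an added example that is not part of the original article (the function names and sample files are constructed). Per sshd_config(5), the space-separated AuthenticationMethods lists are alternatives and every method inside one comma-separated list must succeed, so the script flags any alternative without keyboard-interactive and warns while nullok is still present.

```shell
#!/usr/bin/env bash
# Added example: audit_2fa and sshd_value are hypothetical helper names.

# First value of a keyword (sshd uses the first occurrence; keywords are case-insensitive).
sshd_value() {  # usage: sshd_value FILE KEYWORD
  awk -v k="$2" 'tolower($1) == tolower(k) { $1 = ""; sub(/^ +/, ""); print; exit }' "$1"
}

# Prints findings; the return status is the number of FAIL lines.
audit_2fa() {  # usage: audit_2fa SSHD_CONFIG PAM_FILE
  local cfg="$1" pam="$2" fails=0 key list methods
  for key in UsePAM KbdInteractiveAuthentication; do
    if [ "$(sshd_value "$cfg" "$key")" = "yes" ]; then echo "OK   $key yes"
    else echo "FAIL $key is not 'yes'"; fails=$((fails + 1)); fi
  done
  methods=$(sshd_value "$cfg" AuthenticationMethods)
  [ -n "$methods" ] || { echo "FAIL AuthenticationMethods not set"; fails=$((fails + 1)); }
  # Space-separated lists are alternatives; every method inside one
  # comma-separated list must succeed before the login is accepted.
  for list in $methods; do
    case ",$list," in
      *,keyboard-interactive*) echo "OK   '$list' includes the PAM prompt (keyboard-interactive)" ;;
      *) echo "FAIL '$list' has no keyboard-interactive step, so no code prompt"
         fails=$((fails + 1)) ;;
    esac
  done
  if ! grep -Eq '^[[:space:]]*auth[[:space:]].*pam_google_authenticator\.so' "$pam"; then
    echo "FAIL no pam_google_authenticator.so auth line"; fails=$((fails + 1))
  elif grep -E '^[[:space:]]*auth[[:space:]].*pam_google_authenticator\.so' "$pam" | grep -qw nullok; then
    echo "WARN nullok: users without ~/.google_authenticator are not asked for a code"
  else
    echo "OK   pam_google_authenticator.so applies to every user"
  fi
  return "$fails"
}

# Constructed sample files mirroring the settings shown above.
tmp=$(mktemp -d)
cat > "$tmp/sshd_config" <<'EOF'
PubkeyAuthentication yes
PasswordAuthentication yes
KbdInteractiveAuthentication yes
UsePAM yes
AuthenticationMethods keyboard-interactive,publickey keyboard-interactive
EOF
printf '%s\n' '@include common-auth' \
  'auth required pam_google_authenticator.so nullok' > "$tmp/pam_sshd"
audit_2fa "$tmp/sshd_config" "$tmp/pam_sshd"
```

On a live system, point it at /etc/ssh/sshd_config and /etc/pam.d/sshd; it only reads the files.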


Testing the 2FA Setup

After configuring PAM and SSH, testing our new 2FA setup is crucial. Here’s how I do it:

  1. First, I restart the SSH service to apply our changes:
Bash
sudo systemctl restart sshd
  2. Now, it’s time to test. I open a new terminal window or tab, keeping my current session active as a fallback. I can also use the Windows cmd:
Bash
ssh username@your_server_ip

I’ll be prompted for my password, and then I’ll be asked for my 2FA (verification code).

For a deeper dive into Proxmox user management, including the intricacies of the root user, check out my related article: What Secrets Lie Behind the Proxmox User Root?


Best Practices and Security Considerations

While implementing 2FA significantly enhances your SSH security, there are additional considerations to ensure a robust and manageable setup:

Backing up 2FA Keys:

  1. I always securely store the initial QR code or a secret key generated during the 2FA setup.
  2. I keep emergency scratch codes in a safe, offline location.
  3. I am considering using a secure password manager to store 2FA backup information for critical systems.

Losing access to your authenticator app without backups can lock you out of your server.

Handling Multiple Users:

  1. I create clear documentation on the 2FA setup process for all users.
  2. I enforce a policy requiring all users to enable 2FA.
  3. I use the ‘nullok’ option in PAM configuration initially to allow a phased rollout:
Bash
auth required pam_google_authenticator.so nullok
  4. Once all users have set up 2FA, I remove ‘nullok’ to enforce 2FA across the board.
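
One way to decide when the phased rollout is finished, as an added example that is not part of the original article: list the login-capable accounts that still have no ~/.google_authenticator file, since those are the users who would be locked out once ‘nullok’ is removed. The function names, the sample accounts and the UID threshold of 1000 (the Debian default for regular users) are assumptions.

```shell
#!/usr/bin/env bash
# Added example: users_missing_2fa and ready_to_enforce are hypothetical names.

# Reads passwd-format lines on stdin and prints every login-capable account
# whose home directory has no non-empty .google_authenticator file.
users_missing_2fa() {
  local user _pw uid _gid _gecos home shell
  while IFS=: read -r user _pw uid _gid _gecos home shell; do
    case "$shell" in */nologin|*/false|'') continue ;; esac  # no interactive login
    # Assumption: root plus regular accounts (UID >= 1000) are the SSH users.
    [ "$uid" -eq 0 ] || [ "$uid" -ge 1000 ] || continue
    [ -s "$home/.google_authenticator" ] || echo "$user"
  done
}

# Succeeds only when nobody would be locked out by removing nullok.
ready_to_enforce() { [ -z "$(users_missing_2fa)" ]; }

# Constructed sample: two admins, only one has run google-authenticator.
demo=$(mktemp -d)
mkdir -p "$demo/home/edyadmin" "$demo/home/alice"
echo 'CONSTRUCTED-PLACEHOLDER' > "$demo/home/edyadmin/.google_authenticator"
cat > "$demo/passwd" <<EOF
edyadmin:x:1000:1000::$demo/home/edyadmin:/bin/bash
alice:x:1001:1001::$demo/home/alice:/bin/bash
www-data:x:33:33::/var/www:/usr/sbin/nologin
EOF
users_missing_2fa < "$demo/passwd"
```

On a live system, run it as root with `getent passwd | users_missing_2fa`, because the secret files are readable only by their owners.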

By adhering to these practices, I balance robust security and practical usability in my SSH configuration with two-factor authentication.

SSH keys and 2FA significantly reduce your attack surface. To automate brute-force blocking, I compared Fail2ban vs CrowdSec to find the better tool for homelab SSH protection.


Conclusion

Implementing two-factor authentication (2FA) for SSH significantly enhances the security of your Linux systems, including Proxmox nodes. By requiring both something you know (password or SSH key) and something you have (2FA code), you create a robust defense against unauthorized access.

The steps we’ve covered work across various Linux distributions and can be directly applied to Proxmox servers, providing additional protection for your virtualization environment. Remember, the small effort of setting up 2FA pays off immensely in improved security.

I encourage you to implement these measures in all your critical systems. In today’s threat landscape, 2FA is not just a luxury—it’s a necessity for maintaining the integrity and security of your servers.

I’d love to hear from you. Was this article helpful? Share your thoughts in the comments below. If you prefer, you can also reach me by email or connect with me on Reddit at Navigatetech.
