I recently installed Ubuntu 24.04 (LTS) and found that the notes for enabling MFA (Multi-Factor Authentication) on the Ubuntu website need updating for 24.04, as they don’t currently work. With that in mind, I thought a quick blog post was needed to help others and remind me in future of the steps needed.

Prerequisites

I disable password authentication on any devices that I enable SSH on, using just an SSH key for connectivity.

Why Implement MFA?

Adding an additional requirement at login increases security. For SSH it’s generally recommended to use a strong SSH key over a password, but if that SSH key became compromised then there is a risk that it could be used maliciously.

Side-Note: When generating an SSH key there are options to encrypt the key with a password. For best security practice I would recommend this is carried out.

Adding MFA to a device running an SSH server would require a valid MFA code each time the SSH key is used with the server. I’m not sure what the chances are of someone ascertaining the details of a strong SSH key and also generating a valid MFA code, but I would think they are pretty low.

Google Authenticator Module

The Google Authenticator Module is a module for the Linux Pluggable Authentication Modules (PAM) system. Although it has Google in the name, it is not for logging into Google, doesn’t require a Google account/email and can be used with various smartphone authenticator apps (i.e. not just Android’s Google Authenticator).

To install Google Authenticator Module within Ubuntu:

sudo apt install libpam-google-authenticator

The authenticator can then be set up using the command:

google-authenticator

I would recommend setting up the authenticator before the next steps. The setup requires that you have an authenticator app on your smartphone, and the default replies to the install questions should suffice for most. The setup will show a QR code that your authenticator app needs to scan.

Key-Point: Make sure to save a copy of your backup codes. If the MFA process goes wrong, or you lose access to your smartphone, then you will need these backup codes.

Configuring Ubuntu To Enable MFA

Two files need amending within Ubuntu to enable MFA during the SSH process. Editing these files requires a text editor (vim, nano, etc) and needs to be done with sudo.

/etc/ssh/sshd_config

During this process you can either search the file for the values, uncomment them and amend them to the new values, or just add the new lines into the file.

KbdInteractiveAuthentication yes
ChallengeResponseAuthentication yes
AuthenticationMethods publickey,keyboard-interactive

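Note: There is no space on either side of the comma between publickey and keyboard-interactive. sshd treats space-separated entries as alternative lists of methods, so the two must be joined by the comma alone for both to be required.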

/etc/pam.d/sshd

Add in the following line just under # PAM configuration for the Secure Shell service

auth required pam_google_authenticator.so

So that the first two lines of the file look like:

# PAM configuration for the Secure Shell service
auth required pam_google_authenticator.so

Then edit the Standard Unix Authentication option, from:

# Standard Un*x authentication
@include common-auth

to:

# Standard Un*x authentication
#@include common-auth

This comments out the common-auth include and stops PAM from trying to take a password as well as the MFA code.

With those changes carried out, the system will need a reboot or the sshd service restarting. After that, on your next SSH connection to the system it should ask for your MFA verification code.
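
An offline check of the two edited files, added here as an example and not part of the original post. The function names (sshd_value, check_mfa_config, demo) are made up for illustration, and the script assumes no Match blocks or Include'd drop-in files override these keywords. It covers two easy mistakes: sshd uses the first value it reads for each keyword, so a line appended below an existing uncommented one is ignored, and a space after the comma in AuthenticationMethods changes its meaning.

```bash
#!/usr/bin/env bash
# Added example: offline check of the two files edited above (names are hypothetical).
# Assumption: no Match blocks or Include'd drop-ins override these keywords.

# Print the first uncommented value of keyword $2 in sshd_config file $1.
# sshd uses the first value it reads for each keyword; later duplicates are ignored.
sshd_value() {
  awk -v k="$2" 'tolower($1) == tolower(k) { $1 = ""; sub(/^ +/, ""); print; exit }' "$1"
}

# check_mfa_config SSHD_CONFIG PAM_FILE: prints findings, returns the problem count.
check_mfa_config() {
  local sshd=$1 pam=$2 problems=0 v
  v=$(sshd_value "$sshd" KbdInteractiveAuthentication)
  if [ "$v" != yes ]; then
    echo "FAIL KbdInteractiveAuthentication: first value is '${v:-unset}', want 'yes'"
    problems=$((problems + 1))
  fi
  v=$(sshd_value "$sshd" AuthenticationMethods)
  if [ "$v" != "publickey,keyboard-interactive" ]; then
    echo "FAIL AuthenticationMethods: '${v:-unset}' does not require both methods"
    problems=$((problems + 1))
  fi
  if ! grep -Eq '^[[:space:]]*auth[[:space:]]+required[[:space:]]+pam_google_authenticator\.so' "$pam"; then
    echo "FAIL PAM: 'auth required pam_google_authenticator.so' is missing or commented out"
    problems=$((problems + 1))
  fi
  if grep -Eq '^[[:space:]]*@include[[:space:]]+common-auth' "$pam"; then
    echo "FAIL PAM: common-auth is still included, so a password is requested too"
    problems=$((problems + 1))
  fi
  [ "$problems" -eq 0 ] && echo "OK: key plus verification code are both required"
  return "$problems"
}

# Demo on constructed files: 'yes' appended below an existing 'no', a space after the comma.
demo() {
  local d; d=$(mktemp -d)
  printf '%s\n' 'KbdInteractiveAuthentication no' 'KbdInteractiveAuthentication yes' \
    'AuthenticationMethods publickey, keyboard-interactive' > "$d/sshd_config"
  printf '%s\n' 'auth required pam_google_authenticator.so' '@include common-auth' > "$d/pam_sshd"
  check_mfa_config "$d/sshd_config" "$d/pam_sshd"; local rc=$?
  rm -rf "$d"; return "$rc"
}

# With two arguments, check real files; otherwise run the constructed demo.
if [ "$#" -eq 2 ]; then check_mfa_config "$1" "$2"; else demo || true; fi
```

Passing /etc/ssh/sshd_config and /etc/pam.d/sshd as the two arguments checks the real files. Keeping the current SSH session open while testing a new connection leaves a way back in if something was missed.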