How To Install Authy And Configure Two-Factor Authentication For SSH On Ubuntu 24.04

In today’s digital landscape, securing your server is more crucial than ever. One of the most effective ways to enhance your security is by implementing Two-Factor Authentication (2FA). In this guide, we will walk you through the steps to install Authy and configure Two-Factor Authentication for SSH on Ubuntu 24.04.

What is Two-Factor Authentication?

Two-Factor Authentication adds an additional layer of security to your login process. In addition to your username and password, you will need to provide a second factor, typically a time-based one-time password (TOTP) generated by an authentication app like Authy. This means that even if someone obtains your password, they would still require access to your second factor to log in.

Prerequisites

Before we begin, ensure you have:

  1. An Ubuntu 24.04 server.
  2. Root or sudo access to the server.
  3. Authy installed on your mobile device (available for iOS and Android).

Step 1: Update Your System

First, it’s essential to make sure your system is up to date. Open your terminal and run:

sudo apt update && sudo apt upgrade -y

Step 2: Install libpam-google-authenticator

To enable Two-Factor Authentication, we will use the libpam-google-authenticator package, which provides the necessary PAM (Pluggable Authentication Module) integration.

Install it by running:

sudo apt install libpam-google-authenticator

Step 3: Configure Google Authenticator for Your User

Next, you’ll need to set up Google Authenticator for your user account. Run the following command:

google-authenticator

You will be prompted with several questions:

  1. Do you want authentication tokens to be time-based? (Yes)
  2. Do you want me to update your “~/.google_authenticator” file? (Yes)
  3. Do you want to disallow multiple uses of the same token? (Yes)
  4. Do you want to enable rate limiting? (Yes)

After answering these questions, you will receive a QR code and a set of emergency scratch codes. Scan the QR code with your Authy app and store the scratch codes in a safe place.

Step 4: Configure SSH to Use PAM

Now, we need to configure SSH to use PAM to authenticate users with the Google Authenticator module. Open the SSH configuration file using your favorite text editor. For example:

sudo nano /etc/ssh/sshd_config

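Look for the line that starts with ChallengeResponseAuthentication and set it to yes. In current OpenSSH releases this option is named KbdInteractiveAuthentication, and ChallengeResponseAuthentication is accepted as a deprecated alias for it. sshd uses the first value it reads for an option, so if the file already contains a KbdInteractiveAuthentication line, set that line to yes as well: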

ChallengeResponseAuthentication yes

Next, ensure that UsePAM is set to yes as well:

UsePAM yes

Save and exit the file (in Nano, press CTRL + X, then Y, and Enter).

Step 5: Update the PAM Configuration for SSH

Now, we need to update the PAM configuration to include the Google Authenticator module. Open the PAM SSH configuration file:

sudo nano /etc/pam.d/sshd

Add the following line at the top of the file:

auth required pam_google_authenticator.so

Save and exit the file.
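
The check below is an added example, not part of the original guide. It lints the two files edited in Steps 4 and 5 and shows why a ChallengeResponseAuthentication yes line has no effect when an earlier KbdInteractiveAuthentication no line exists: sshd keeps the first value it reads, and the two names are aliases in current OpenSSH. The function names and sample files are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example: lint the two files edited in Steps 4 and 5 before restarting ssh.
# Simplifications: global section only (stops at the first Match block),
# "Keyword value" syntax only, and Include lines are not followed.

# Print the effective value of a keyword. sshd keeps the FIRST value it reads
# for a keyword; keywords are case-insensitive. ALIAS is an optional second name.
sshd_value() {  # usage: sshd_value FILE KEYWORD [ALIAS]
  awk -v k="$2" -v a="${3:-}" '
    BEGIN { k = tolower(k); a = tolower(a) }
    /^[ \t]*(#|$)/ { next }
    tolower($1) == "match" { exit }
    tolower($1) == k || (a != "" && tolower($1) == a) { print tolower($2); exit }
  ' "$1"
}

# Succeed if FILE has an uncommented "auth required pam_google_authenticator.so".
pam_has_totp() {  # usage: pam_has_totp FILE
  awk '$1 == "auth" && $2 == "required" && $3 == "pam_google_authenticator.so" { ok = 1 }
       END { exit !ok }' "$1"
}

# Print findings; return 0 only if every setting from Steps 4 and 5 is present.
check_2fa() {  # usage: check_2fa SSHD_CONFIG PAM_SSHD
  local rc=0 kbd pam
  kbd=$(sshd_value "$1" KbdInteractiveAuthentication ChallengeResponseAuthentication)
  pam=$(sshd_value "$1" UsePAM)
  [ "$kbd" = yes ] || { echo "FAIL: keyboard-interactive auth is '${kbd:-unset}', want yes"; rc=1; }
  [ "$pam" = yes ] || { echo "FAIL: UsePAM is '${pam:-unset}', want yes"; rc=1; }
  pam_has_totp "$2" || { echo "FAIL: no active pam_google_authenticator.so auth line"; rc=1; }
  [ "$rc" -eq 0 ] && echo "OK: settings from Steps 4 and 5 are in effect"
  return "$rc"
}

# Constructed sample files (not taken from a real server).
demo() {
  local d; d=$(mktemp -d)
  printf '%s\n' 'KbdInteractiveAuthentication no' 'UsePAM yes' \
    'ChallengeResponseAuthentication yes' > "$d/sshd_shadowed"   # later line is ignored
  printf '%s\n' '#KbdInteractiveAuthentication no' \
    'ChallengeResponseAuthentication yes' 'UsePAM yes' > "$d/sshd_good"
  printf '%s\n' 'auth required pam_google_authenticator.so' \
    '@include common-auth' > "$d/pam_good"
  check_2fa "$d/sshd_shadowed" "$d/pam_good" || true
  check_2fa "$d/sshd_good" "$d/pam_good"
  rm -rf "$d"
}
demo
```

On the server, call check_2fa /etc/ssh/sshd_config /etc/pam.d/sshd, and run sudo sshd -t so that sshd itself validates the file syntax before the restart in Step 6.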

Step 6: Restart the SSH Service

After making these changes, restart the SSH service to apply them:

sudo systemctl restart ssh

Step 7: Test Your Configuration

Now, it’s time to test your Two-Factor Authentication setup. Keep your current session open so you can undo the changes if the login fails, then open a new terminal and try to SSH into your server:

ssh username@your_server_ip

After entering your password, you should be prompted for a verification code from your Authy app. Enter the code, and if everything is set up correctly, you should be granted access.

Conclusion

Congratulations! You have successfully installed Authy and configured Two-Factor Authentication for SSH on your Ubuntu 24.04 server. This additional layer of security significantly reduces the risk of unauthorized access to your server.

Remember to keep your Authy app updated and back up your emergency scratch codes in a safe place. By taking these steps, you’re helping to ensure that your server remains secure in an increasingly vulnerable digital world.

If you have any questions or need further assistance, feel free to reach out to our support team at Greenhost.cloud.

Happy securing!