Short tutorial how to enable 2FA/OTP (ex. Google Authenticator) when logging in via SSH or in my case mainly ThinLinc Terminal Sessions.
If you haven’t set up NTP or some other time sync now is the “time”, since OTP is dependent on correct clocks.
1. Install google-authenticator
sudo apt install libpam-google-authenticator2. Configure sshd
Edit file /etc/ssh/sshd_config
...
# Change to yes to enable challenge-response passwords (beware issues with
# some PAM modules and threads)
KbdInteractiveAuthentication yes
...3. Configure PAM
Edit the file /etc/pam.d/common-auth and add these two lines at the bottom.
auth required pam_google_authenticator.so secret=/home/${USER}/.ssh/.google_authenticator nullok
auth required pam_permit.so4. Enable OTP for user
Every user needs to run google-authenticator by them self in order to set it up correctly.
First copy the program to users home dir and run it.
google-authenticator -s $HOME/.ssh/.google_authenticatorThen the user needs their mobile device ready with Google Authenticator or equivalent installed. Output with questions and answers:
Do you want authentication tokens to be time-based (y/n) y
...
Enter code from app (-1 to skip): <ENTER CODE FROM APP>
Code confirmed
Your emergency scratch codes are:
...
Do you want me to update your "/home/<USERNAME>/.ssh/.google_authenticator" file (y/n) y
Do you want to disallow multiple uses of the same authentication
token? This restricts you to one login about every 30s, but it increases
your chances to notice or even prevent man-in-the-middle attacks (y/n) n
By default, a new token is generated every 30 seconds by the mobile app.
In order to compensate for possible time-skew between the client and the server,
we allow an extra token before and after the current time. This allows for a
time skew of up to 30 seconds between authentication server and client. If you
experience problems with poor time synchronization, you can increase the window
from its default size of 3 permitted codes (one previous code, the current
code, the next code) to 17 permitted codes (the 8 previous codes, the current
code, and the 8 next codes). This will permit for a time skew of up to 4 minutes
between client and server.
Do you want to do so? (y/n) y
If the computer that you are logging into isn't hardened against brute-force
login attempts, you can enable rate-limiting for the authentication module.
By default, this limits attackers to no more than 3 login attempts every 30s.
Do you want to enable rate-limiting? (y/n) y5. Restart the ssh server daemon
sudo systemctl restart sshdDone. Know when logging in you will be asked for your username, password and also OTP code. This applies to SSH connections and therefore also ThinLinc sessions.