Thursday 7 December 2023

Multi-Factor Authentication (MFA) over SSH

Free OTP MFA
Securing your internet-facing systems and data is of utmost importance. One critical aspect is ensuring secure access to your servers and protecting them from unauthorised access. Multi-Factor Authentication (MFA) adds an additional layer of security by requiring users to provide two or more pieces of evidence to authenticate themselves. In this tutorial, we will explore how to set up MFA for SSH using FreeOTP, an open-source OTP (One-Time Password) authenticator app.

Prerequisites

Before we begin, make sure you have the following:

  1. A Linux server (Ubuntu, CentOS, or any other distribution)
  2. Administrative access to the server
  3. A smartphone (iOS or Android) to install the FreeOTP app

Step 1: Installing FreeOTP

  1. On your smartphone, open the respective app store (Google Play Store or Apple App Store).
  2. Search for "FreeOTP" and install the app.
  3. Once installed, open the FreeOTP app.

Step 2: Configuring SSH for MFA

  1. Connect to your server using SSH with administrative privileges.
  2. Open the SSH configuration file using a text editor (e.g., nano or vi).
    • sudo vi /etc/ssh/sshd_config

  3. Look for the ChallengeResponseAuthentication line and set it to "yes" if not already enabled.
  4. Add the following line to enable the use of Google Authenticator-compatible TOTP (Time-based One-Time Password) authentication:
    AuthenticationMethods publickey,password publickey,keyboard-interactive
  5. Save and exit the SSH configuration file.

Step 3: Configuring the User for MFA

  1. In the SSH configuration file, find the Match User or AllowUsers section for the user you want to enable MFA for.
  2. Add the following line below the user entry:
    AuthenticationMethods publickey,password publickey,keyboard-interactive
  3. Save and exit the SSH configuration file.

Step 4: Restarting the SSH Service

  1. Restart the SSH service to apply the changes.
    • sudo systemctl restart sshd

Step 5: Enabling MFA for the User

  1. On your server, generate a secret key for the user using the following command:
    google-authenticator
  2. You will be presented with a series of prompts. Answer "y" for each of them to configure MFA.
  3. Scan the displayed QR code using the FreeOTP app on your smartphone.
  4. FreeOTP will add your server as a new account and start generating one-time passwords.
  5. Complete the setup process by following the on-screen instructions.

Step 6: Testing the MFA Setup

  1. Attempt to SSH into your server using the user account that has MFA enabled.
  2. After entering the username and password, you will be prompted for the verification code.
  3. Open the FreeOTP app on your smartphone and find the account associated with your server.
  4. Enter the current one-time password generated by FreeOTP.
  5. If the authentication is successful, you will gain access to your server.
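To show what the verification code you type at that prompt actually is, here is an added example (my own illustration, not code from this post or from the google-authenticator project) that implements RFC 6238 TOTP and the server-side check with a one-step clock-skew window and replay rejection, using the RFC's published test secret rather than a real account's.

```python
import base64
import hashlib
import hmac
import struct
import time

# The RFC 4226 / RFC 6238 reference secret (ASCII "12345678901234567890"),
# base32-encoded the way google-authenticator prints it and FreeOTP stores it.
# Constructed test value, not a real account secret.
RFC6238_TEST_SECRET_B32 = base64.b32encode(b"12345678901234567890").decode()


def hotp(secret_b32, counter, digits=6):
    """HOTP (RFC 4226): HMAC-SHA1 over the 8-byte big-endian counter,
    dynamically truncated to a 31-bit integer, then reduced to `digits`."""
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)
    key = base64.b32decode(padded)
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret_b32, for_time=None, step=30):
    """TOTP (RFC 6238): HOTP whose counter is Unix time divided by the step.
    This is the number FreeOTP shows for a 30-second window."""
    t = int(time.time()) if for_time is None else for_time
    return hotp(secret_b32, t // step)


def verify_totp(secret_b32, code, now, last_counter=None, window=1, step=30):
    """Server-side check. Accept the code if it matches the current time step
    or one step either side (phone/server clock skew), but never a step at or
    before the last counter already used, so a code captured in transit cannot
    be replayed. Returns the accepted counter, or None on failure."""
    current = now // step
    for delta in range(-window, window + 1):
        counter = current + delta
        if last_counter is not None and counter <= last_counter:
            continue
        # constant-time compare so the check leaks nothing via timing
        if hmac.compare_digest(hotp(secret_b32, counter), code):
            return counter
    return None
```

The server must persist the returned counter per user and pass it back as `last_counter` on the next attempt; without that state the skew window becomes a replay window.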

By implementing MFA for SSH using FreeOTP, you have taken a significant step towards bolstering the security of your server. MFA provides an additional layer of protection against unauthorised access and greatly reduces the risk from compromised user credentials. Remember to enforce strong passwords and regularly update your system to maintain robust security.

In future tutorials (when I get the time), I will show how to further harden your system with fail2ban and geoblocking.