Need 2FA for your SSH logon? This is how.
I wanted to have a secure entry to my home lab, key seemed about right, but why not extra layer with 2FA? Google Authenticator is cool, but push notification is even cooler. I went for Duo Security which allows up to 10 clients without any fee.
I went for Alpine to be my gatekeeper, but I will not be covering distro install here, it’s in docs.
Install all required dependencies:
apk --update add openssh-server-pam build-base automake autoconf libtool git linux-pam-dev openssl-dev wget
Install Duo module:
tar -zxf duo_unix-latest.tar.gz
cd whatever dir it created
./configure --with-pam --prefix=/usr && make && make install
Below are required and recommended options:
If you plan to ssh with root user (I’d recommend you don’t) you need to set PermitRootLogin yes WITHOUT any restrictions. I highly advise you create another user and prohibit root login. Whatever user you use add key to authorized_keys.
Add a line in /etc/pam.d/sshd to enable Duo PAM module (note the path if got different):
auth required /lib64/security/pam_duo.so
Now add your application API info to /etc/duo/pam_duo.conf and restart SSHD service. On next logon you should receive enrollment link (if you have never used Duo) and then welcoming screen:
Using username “user”.
Authenticating with public key “user” from agent
Further authentication required
Using keyboard-interactive authentication.
Duo two-factor login for user
Enter a passcode or select one of the following options:
- Duo Push to +XX XXX XXX XXX
- SMS passcodes to +XX XXX XXX XXX
Passcode or option (1-2):
Let me know if you faced any issues installing Duo on your Linux machine.