For a very secure and convenient way to add two-factor ssh auth to your Linux server, you can use Google Authenticator. I’ll show you how to set this up!
1. In Ubuntu 13.04:
$ sudo apt-get install libpam-google-authenticator
2. Then, from an open bash shell with your user account on that server run the following:
Scan the bar code with your Android phone or iPhone to add the key. (Or alternatively, open the URL provided on your phone to add the key.)
Note: save the emergency scratch codes in case you need to access the server without your phone!
I suggest answering the following to the questions that follow:
Do you want me to update your "~/.google_authenticator" file (y/n) y Do you want to disallow multiple uses of the same authentication token? This restricts you to one login about every 30s, but it increases your chances to notice or even prevent man-in-the-middle attacks (y/n) y By default, tokens are good for 30 seconds and in order to compensate for possible time-skew between the client and the server, we allow an extra token before and after the current time. If you experience problems with poor time synchronization, you can increase the window from its default size of 1:30min to about 4min. Do you want to do so (y/n) y If the computer that you are logging into isn't hardened against brute-force login attempts, you can enable rate-limiting for the authentication module. By default, this limits attackers to no more than 3 login attempts every 30s. Do you want to enable rate-limiting (y/n) y
3. Next, add this to the bottom of /etc/pam.d/sshd
auth required pam_google_authenticator.so
4. Next, make sure this is set to yes in /etc/ssh/sshd_config
5. Restart ssh:
$ sudo /etc/init.d/ssh restart
Now you can login with two-factor auth (password and google authenticator)
stmiller@brahms:~$ ssh firstname.lastname@example.org Password: Verification code: Welcome to Ubuntu 13.04 (GNU/Linux 3.8.0-19-generic x86_64) * Documentation: https://help.ubuntu.com/ Last login: Sun Jun 2 13:20:22 2013 from 172.16.1.202 stmiller@ubuntu1304:~$