Skip to content

Ubuntu SSH + TOTP

In order to protect your SSH against hacks, the most basic you can do is to change the port, but that is never enough. We know the basics to be disable root logins, change port, enable pubkey authentication, IP based blocking and so on. However, one shoe never fits all. If you keep changing computers, it is very difficult to setup pubkey authentication on all computers, specially if you are not using your personal computer to login.

That is where the TOTP comes in. You still have to carry around a mobile phone, but I think we all do now a days.

Install

Install google authenticator

1
sudo apt install libpam-google-authenticator

Enable

and enable it for SSH:

1
sudo nano /etc/pam.d/sshd

Append to the bottom: 

1
2
...
auth required pam_google_authenticator.so

And edit the ssh config file:

1
sudo nano /etc/ssh/sshd_config

to enable it in SSH config as well as change the SSH port

1
2
3
4
5
6
7
8
...
Port 15491 # change this to something random, preferably 5 digits
...
...
# Change to yes to enable challenge-response passwords (beware issues with
# some PAM modules and threads)
ChallengeResponseAuthentication yes # CHANGE THIS TO YES
...

Setup TOTP for user

Now prepare your phone with your favorite TOTP app, like google authenticator and run this command in shell:

1
google-authenticator

And answer as following:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
Make tokens “time-base”": **yes
**
## SCAN THE QR CODE AT THIS STEP AND SAVE THE OFFLINE KEYS ##
Update the .google_authenticator file: **yes
**
Disallow multiple uses: **yes
**
Increase the original generation time limit: **no
**
Enable rate-limiting: **yes**

And then just restart ssh for the changes to take effect.

1
sudo systemctl restart sshd

Now use terminal on linux/mac or putty on windows to login. Do note that BitviseSSH does not work properly with this for some reason...