Differences

This shows you the differences between two versions of the page.

--- howto:sshkey_google2fa [2025/05/12 21:09] – [ssh-keygen] justip6
+++ howto:sshkey_google2fa [2025/05/12 21:09] (current) – removed justip6
@@ Line 1: / Line 1: @@
-====== How to Setup Passwordless SSH-key or Google 2FA NOT BOTH======
-Below shows two options in securing SSH using Port 22 on Linux machines to enhance security along with ZotDefend. The reason we want to do this is because Port 22 can be opened to the public, not only on the UCI Network. Thus, anyone can try to attempt access to the machine and try to brute force account passwords.
-===== Setting up Passwordless SSH-key =====
-==== ssh-keygen ====
-You use the tool "ssh-keygen" to create your public-private key pair.  Depending on what you need to do, there are many options available.
-<code bash>
-[user@host ~]$ ssh-keygen -t ed25519 -C "Add a Description to easily tell which machine this belongs to"
-Generating public/private key pair.
-Enter file in which to save the key (/home/user/.ssh/id_ed25519): [Enter to leave default]
-Enter passphrase (empty for no passphrase): [Enter to leave empty]
-Enter same passphrase: [Enter to leave empty]
-</code>
-You should leave the default values above by simply hitting Enter three times.  The private key is created in id_ed25519 and the matching public key is id_ed25519.pub. The id_ed25519 file name is what ssh will look for when attempting public-key authentication (unless specified differently in the /etc/ssh/ssh_config in the IdentityFile variable.
-==== Distributing your public key ====
-The *.pub file needs to be appended to the ~/.ssh/authorized_keys file to be recognized by ssh.  This should be done on any remote hosts you wish to connect to using public-key authorization.  Be sure each key starts on its own new line, since many users may need to connect to the machine and all be able to add their public keys to the authorized_keys file. The code below should do it:
-<code bash>
-[user@localhost ~]$ scp ~/.ssh/id_ed25519.pub user@remotehost:/home/user/.ssh/my_id.pub
-Enter password for user@remotehost:
-[user@localhost ~]$ ssh user@remotehost
-Enter Password
-# That's the last time you'll be entering your password!
-[user@remotehost ~]$ cd .ssh
-[user@remotehost .ssh]$ cat my_id.pub >> authorized_keys
-[user@remotehost .ssh]$ rm my_id.pub
-</code>
-==== Setting correct permissions ====
-On both local and remote hosts, the permissions need to be set as follows if not already set:
-<code bash>
-[user@host ~]$ chmod 700 .ssh
-[user@host ~]$ cd .ssh
-[user@host .ssh]$ chmod 600 *
-[user@host .ssh]$ chmod go+r known_hosts
-</code>
-==== How to: Disable SSH Password Authentication =====
-Disabling Password Authentication is generally as simple as setting the option ''PasswordAuthentication no'' in the /etc/ssh/sshd_config file and then restarting the sshd service.
-However, we've discovered that some linux distributions add another configuration file **/etc/ssh/sshd_config.d/50-cloud-init.conf** which contains ''PasswordAuthentication yes'' to force password authentication to be enabled.
-Therefore, the easiest way to universally disable password authentication is to create a new file that sorts lexicographically before any other files that might be created in there, such as **00-disable-password-auth.conf**:
-<file>
-PasswordAuthentication no
-</file>
-After setting the ''PasswordAuthentication'' option to ''no'' you must reload the sshd daemon to get this setting to take effect:
-  * on Debian/Ubuntu:<code>
-systemctl reload ssh
-</code>
-  * on RHEL/Rocky:<code>
-systemctl reload sshd
-</code>
-\\
-\\
-===== Google Authenticator MFA =====
-==== Ubuntu ====
-  - Install **libpam-google-authenticator**:<code>
-apt install libpam-google-authenticator
-</code>
-  - Configure SSH, edit ''/etc/ssh/sshd_config'':<file>
-#uncomment
-PasswordAuthentication yes
-#uncomment and set to yes
-KbdInteractiveAuthentication yes
-</file>
-  - Restart SSHD Service:<code>
-systemctl restart ssh
-</code>
-  - Add this line to ''/etc/pam.d/sshd'' after the line **@include common-auth**:<file>
-auth required pam_google_authenticator.so nullok echo_verification_code
-</file>
-    * NOTE: ''nullok'' means google authenticator is not required. You MUST have this until all users have configured google-authenticator. Then remove this to enforce 2FA.
-    * **WARNING** If you make changes to any pam config files, make sure you have a second terminal open as root so that you can always get in to revert the change. PAM can very easily break all authentication so that you can't get in to the system any more. Double check any changes right away. Don't let the 15 minute auto logout lock you out...
-  - To enforce 2FA for other services, modify the appropriate pam config file for that service
-=== Set up google authenticator for each user account ===
-Users must set up their own google authenticator:
-  - Log in via SSH using password
-  - Run the command:<code>google-authenticator</code>
-  - Follow prompts to get a QR code (NOTE: Have the user maximize their SSH app window so the QR code is drawn properly and doesn't wrap around the screen)
-  - Scan the QR code using your Google Authenticator app on your phone
-  - Enter 6 digit code or -1 to skip
-  - Complete the setup by answering questions:
-    - Update your "/home/your_account_home_here/.google_authenticator" file: y
-    - Time-based: y
-    - Disallow multiple uses of the same code (prevent man-in-the-middle attacks): y
-    - Permit time skew up to 4 minutes: n
-    - Enable rate-limiting: y
-  - **Copy your backup codes somewhere safe. You can also view your backup codes by looking in the ''~/.google-authenticator'' file.**
-=== Disabling Google Auth ===
-  * Disable google auth 2FA for a specific user account by moving/renaming the ~/.google-authenticator file \\ (NOTE: This will only work with nullok added to the previous config above!)