
How to add a 2FA to your SSH session


This guide demonstrates how to set up 2FA using DUO (https://duo.com). DUO is used here only as an example; you may use any other 2FA software.

On the DUO website

Step 1

Create an account at duo.com. The free tier allows you to create up to 10 users.

Step 2

For iOS/Android: download the app named Duo Mobile from the App Store or Google Play.

Step 3

Open Duo Mobile, press the + symbol in the top right corner and scan the QR code from the DUO website:

duo_qr.png

Step 4

Inside the DUO dashboard, create a new user with the username you use to log in to your server:

duo_user.png

Step 5

Now add your phone:

duo_phone.png

Step 6

Follow the instructions on the screen to activate your phone:

duo_activation.png

Step 7

Generate your QR code:

duo_activation2.png

Step 8

Send activation instructions via SMS:

duo_activation3.png

Step 9

Now open the messaging app on your phone and tap the activation link. The link opens Duo Mobile and activates your app.

Step 10

Create a new Application that you want to protect.

duo_app.png

Step 11

Search for “UNIX App” and click on it.

duo_unix.png

Step 12

Now copy all the keys into your notepad:

duo_appcodes.png

Step 13

Scroll down to the settings and fill them in:

duo_appsettings.png

On your server

Step 14

Make sure you’ve installed Development Tools:

$ sudo yum group install "Development Tools"

Step 15

Download the DUO source and unpack it:

$ wget https://dl.duosecurity.com/duo_unix-latest.tar.gz
$ tar xfz duo_unix-latest.tar.gz
$ cd duo_unix-*

Step 16

Now compile the source and install the app:

$ ./configure --with-pam --prefix=/usr && make && sudo make install

Step 17

Now edit the /etc/duo/login_duo.conf file and fill in the codes copied from your notepad.

Step 18

Now test DUO. If you receive a 2FA request on your phone and it works, you can proceed to the next step:

$ /usr/sbin/login_duo

Step 19

Add the DUO layer to your SSH config:

$ echo "ForceCommand /usr/sbin/login_duo" | sudo tee -a /etc/ssh/sshd_config

Step 20

Now copy your integration key, secret key and host to /etc/login_duo.conf

Step 21

Restart your SSH daemon:

CentOS

$ sudo service sshd restart

Debian/Ubuntu

$ sudo service ssh restart
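
A pre-restart check for the files edited in Steps 17 to 19, added here as an example and not part of the original guide or of DUO's tooling: it confirms that ikey, skey and host are set in login_duo.conf, that the file is private to its owner, and that sshd_config carries a clean ForceCommand line. The function names, the sample values and the PermitTunnel/AllowTcpForwarding checks are assumptions of this example (ForceCommand only controls the command a session runs).

```bash
#!/usr/bin/env bash
# Added example, not from the guide: audit the two files edited above.

# Print one line per problem in a login_duo.conf; return the problem count.
check_duo_conf() {
    local f="$1" n=0 key val
    for key in ikey skey host; do
        val=$(sed -n "s/^[[:space:]]*${key}[[:space:]]*=[[:space:]]*//p" "$f" | head -n 1)
        [ -n "$val" ] || { echo "$f: '$key' is missing or empty"; n=$((n + 1)); }
    done
    # The file holds the secret key: group and others get no access.
    case $(stat -c '%a' "$f") in
        ?00) ;;
        *) echo "$f: group or others have access, expected mode 600"; n=$((n + 1)) ;;
    esac
    return "$n"
}

# Print one line per problem in an sshd_config; return the problem count.
check_sshd_conf() {
    local f="$1" n=0 opt
    # Whole-line match, so typographic quotes pasted from a web page fail it.
    grep -Eiq '^[[:space:]]*ForceCommand[[:space:]]+/usr/sbin/login_duo[[:space:]]*$' "$f" ||
        { echo "$f: no clean 'ForceCommand /usr/sbin/login_duo' line"; n=$((n + 1)); }
    # Assumption added here: ForceCommand does not cover forwarding or tunnels.
    for opt in PermitTunnel AllowTcpForwarding; do
        grep -Eiq "^[[:space:]]*${opt}[[:space:]]+no[[:space:]]*$" "$f" ||
            { echo "$f: '$opt no' is not set"; n=$((n + 1)); }
    done
    return "$n"
}

# Constructed sample files with placeholder values (no real keys).
make_samples() {
    local d; d=$(mktemp -d)
    printf '[duo]\nikey = EXAMPLE_IKEY\nskey = EXAMPLE_SKEY\nhost = api.example.invalid\n' > "$d/good.conf"
    printf '[duo]\nikey = EXAMPLE_IKEY\nskey =\nhost = api.example.invalid\n' > "$d/bad.conf"
    chmod 600 "$d/good.conf"; chmod 644 "$d/bad.conf"
    printf 'ForceCommand /usr/sbin/login_duo\nPermitTunnel no\nAllowTcpForwarding no\n' > "$d/good_sshd"
    printf '“ForceCommand /usr/sbin/login_duo”\n' > "$d/bad_sshd"
    echo "$d"
}

d=$(make_samples)
for f in good.conf bad.conf; do if check_duo_conf "$d/$f"; then echo "$f: OK"; fi; done
for f in good_sshd bad_sshd; do if check_sshd_conf "$d/$f"; then echo "$f: OK"; fi; done
```

On a real server, point the two functions at /etc/duo/login_duo.conf and /etc/ssh/sshd_config, then run `sudo sshd -t` and keep your current SSH session open while the daemon restarts.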