How to Install Two Factor SSH Authentication with Authy

Authy and two-factor authentication for SSH is not a new subject for most of us, but the details fade without a refresher. If you want to rewind and get up to date, this article walks through it.


We first refresh the basics before moving on to the installation.


Two-factor authentication on Linux makes your VPS or server harder to break into. A login requires not only your password or SSH key but also a time-limited one-time token generated on your phone. If your password is exposed, or you accidentally leak your private key, an attacker holding only that one factor still cannot log in. Authy provides a simple platform for setting up two-factor authentication: it works with popular services such as Google and Dropbox and also with your own VPS, and it is simple to set up. It is a commercial service, but around 1000 logins per month are free for personal use.



With the basics covered, we move on to the installation itself.


Getting started

Setup Authy on your phone

The first step is to download the Authy app for your device. Open the app, follow the steps and verify your phone number. Your phone can now generate the one-time tokens used as the second factor.

Set up a developer account

Now register as a developer as well, so you can link your VPS to the Authy app on your phone.

  • Open the signup page.
  • Enter your email address, state, mobile number and password.
  • Use the same mobile number you entered in the app.
  • You will receive an email from Authy.
  • Click the link in the email and you will be asked to log in.
  • Your phone is now registered as the second factor for this account.
  • Open the Authy app to get the one-time token you need to log in.

Create an API Application

Once you are in your dashboard, click "Create new application". Enter a name for your server and click "Create". The application gives you the API key that authy-ssh needs in order to verify tokens.

How To Install Authy And Configure Two-Factor Authentication

Type the following command in the terminal:

[screenshot: install step1]

Then enable two-factor authentication for your user:

[screenshot: install step2]

Test that everything is working:

[screenshot: install step3]

Restart your SSH server (see below if you are not on Ubuntu):

[screenshot: sudo1]

Restarting your ssh server

The restart command differs per distribution; the original page showed one screenshot for each:

Ubuntu (screenshot)

Debian (screenshot)

RedHat and Fedora Core Linux (screenshot)

Suse linux (screenshot)

Installing without root privileges

Type the following command in the terminal:

[screenshot: install step5]

Now protect your user:

[screenshot: install step6]

Enable two-factor auth on a user

After the installation, enable two-factor authentication for each user you want to protect.


To enable a user, type the following command and fill in the form:

[screenshot: enable1]

To do it in one line instead, type:

[screenshot: enable2]

How it works

Authy-ssh uses the sshd_config directive ForceCommand to run itself on every login. The forced command runs after sshd has already accepted the first factor (password or key) and before the user's shell: authy-ssh prompts for the token, verifies it, and only then hands over to the shell or the original command. Here is how your sshd_config will look after installing:

[screenshot: enable3 (the added line is the ForceCommand /usr/local/bin/authy-ssh login directive shown in the group example below)]

Whenever it runs, authy-ssh reads its configuration from /usr/local/bin/authy-ssh.conf. Here is an example:

[screenshot: enable4]

In this case it means that users root and daniel have two-factor enabled and that 1 is their authy_id. If a user is not in this list, authy-ssh lets them in without a second factor, so the list must cover every account that can log in interactively.
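As an added illustration (not code from this page or from the authy-ssh project), the following shell script models the decision authy-ssh makes from authy-ssh.conf and adds the audit a practitioner wants at this point: list the accounts with a login shell that have no authy_id, because those are exactly the ones the fail-open rule lets in on the first factor alone. The conf format (one user[NAME]=AUTHY_ID line per enrolled user next to an api_key line) is an assumption, and the conf and passwd contents are constructed for the example; check the awk pattern against your own conf file before relying on it.

```shell
#!/bin/sh
# Added example: model authy-ssh.conf lookups and audit who is unprotected.
# Conf format assumed: one "user[NAME]=AUTHY_ID" line per enrolled user.

# Print the authy_id for USER from CONF; exit 1 if the user is not enrolled.
authy_id_for() {
    awk -v u="$2" -F'=' '
        $1 == "user[" u "]" { print $2; found = 1; exit }
        END { exit !found }
    ' "$1"
}

# What authy-ssh does, as the page describes it: enrolled users get the token
# prompt, anyone else is let straight through (fail-open).
login_decision() {
    if id=$(authy_id_for "$1" "$2"); then
        echo "2fa:$id"
    else
        echo "allow"
    fi
}

# Hardened variant (an addition here, not authy-ssh behaviour): refuse logins
# for accounts that were never enrolled instead of waving them through.
strict_login_decision() {
    if id=$(authy_id_for "$1" "$2"); then
        echo "2fa:$id"
    else
        echo "deny"
    fi
}

# Audit: accounts in PASSWD with a real login shell but no authy_id.
# Each of these can log in with the first factor alone.
unprotected_shell_users() {
    awk -F: '$7 !~ /\/(nologin|false|sync|halt|shutdown)$/ { print $1 }' "$2" |
    while read -r u; do
        authy_id_for "$1" "$u" >/dev/null || echo "$u"
    done
}

# Constructed sample files (ids and accounts are made up for the example).
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
cat >"$demo_dir/authy-ssh.conf" <<'EOF'
api_key=0123456789abcdef0123456789abcdef
user[root]=1
user[daniel]=2
EOF
cat >"$demo_dir/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
daniel:x:1000:1000:Daniel:/home/daniel:/bin/bash
deploy:x:1001:1001:Deploy:/home/deploy:/bin/bash
EOF

for u in root daniel deploy; do
    printf '%-8s authy-ssh: %-6s strict: %s\n' "$u" \
        "$(login_decision "$demo_dir/authy-ssh.conf" "$u")" \
        "$(strict_login_decision "$demo_dir/authy-ssh.conf" "$u")"
done
echo "accounts with a shell but no authy_id:"
unprotected_shell_users "$demo_dir/authy-ssh.conf" "$demo_dir/passwd"
```

On a real host, run unprotected_shell_users /usr/local/bin/authy-ssh.conf /etc/passwd after every authy-ssh enable; anything it prints is an account the ForceCommand will let in with no token prompt.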

Using two-factor auth with automated deployment tools

If you use deployment tools such as Capistrano, Chef, Puppet, CFEngine or git, you can create dedicated users for them so they can enter the machine without a second factor. The cleaner alternative is to scope the ForceCommand directive to a group of users with a Match block.


A good example is to create a two-factor group:

groupadd two-factor

usermod -a -G two-factor root

Now that my root user is in the two-factor group, I edit my /etc/ssh/sshd_config so that the ForceCommand sits inside a Match block. Match blocks must come at the end of the file, because every directive after a Match line belongs to that block until the next Match line:

# grep -B 1 -A 1 ForceCommand /etc/ssh/sshd_config

Match Group two-factor
    ForceCommand /usr/local/bin/authy-ssh login

# /sbin/service sshd restart

Stopping sshd: [ OK ]


Starting sshd: [ OK ]


Now the forced command applies only to users that belong to the two-factor group; every other account logs in with the first factor alone.

scp, sftp, mosh and git push with two-factor authentication

Non-interactive commands such as scp, sftp, mosh and git clone/fetch/push cannot answer an interactive token prompt. To let them work, allow the client to pass the AUTHY_TOKEN environment variable: edit your sshd_config (normally under /etc/ssh/) and add AUTHY_TOKEN to the AcceptEnv directive:

AcceptEnv AUTHY_TOKEN

Then configure the client to send that variable to the server: open ~/.ssh/config and add the following:

Host *
    SendEnv AUTHY_TOKEN

Finally, pass the token in the environment of the command. Bear in mind that a token typed this way lands in your shell history; it is a short-lived one-time value, but if that matters, read it into the variable from a prompt and export it instead:

AUTHY_TOKEN="valid-token" git push origin master
AUTHY_TOKEN="valid-token" scp server:path/to/file local-file
AUTHY_TOKEN="valid-token" mosh server
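To check the server side of both setups above (the ForceCommand scoped to a Match Group block, and the AcceptEnv line the non-interactive clients need), here is an added shell audit that is not part of the page or of authy-ssh. It parses an sshd_config the way sshd reads it, keywords case-insensitive and every line after a Match belonging to that block, and reports whether the authy-ssh ForceCommand applies to all users, to one Match block, or to nobody, whether AUTHY_TOKEN is accepted, and whether the Match block also disables TCP forwarding. The three config files are constructed samples, not taken from any real host.

```shell
#!/bin/sh
# Added example: audit an sshd_config for the authy-ssh ForceCommand scope,
# the AcceptEnv AUTHY_TOKEN directive and forwarding inside the Match block.

# Print "all" if the authy-ssh ForceCommand is global, "match:<criteria>" if
# it sits inside a Match block, or "none" if it is absent or commented out.
sshd_2fa_scope() {
    awk '
        { kw = tolower($1) }                       # keywords are case-insensitive
        kw == "match" {                            # everything after this line
            spec = $2                              # belongs to the block
            for (i = 3; i <= NF; i++) spec = spec " " $i
            next
        }
        kw == "forcecommand" && /authy-ssh +login/ {
            print (spec == "" ? "all" : ("match:" spec))
            found = 1
            exit
        }
        END { if (!found) print "none" }
    ' "$1"
}

# Exit 0 if some AcceptEnv line lists AUTHY_TOKEN literally (sshd also takes
# patterns such as AUTHY_*; those are not recognised here).
accepts_authy_token() {
    awk '
        tolower($1) == "acceptenv" { for (i = 2; i <= NF; i++) if ($i == "AUTHY_TOKEN") ok = 1 }
        END { exit !ok }
    ' "$1"
}

# Does the Match block that carries the forced command also switch off TCP
# forwarding? With ssh -N the client opens no session channel, so the forced
# command never runs while port forwards still work; AllowTcpForwarding no
# inside the same block closes that path.
match_block_blocks_forwarding() {
    awk '
        { kw = tolower($1) }
        kw == "match" { if (fc && fwd) good = 1; fc = 0; fwd = 0; inblock = 1; next }
        inblock && kw == "forcecommand" && /authy-ssh +login/ { fc = 1 }
        inblock && kw == "allowtcpforwarding" && tolower($2) == "no" { fwd = 1 }
        END { if (fc && fwd) good = 1; exit !good }
    ' "$1"
}

# One-line report for a config file.
audit_sshd_config() {
    printf '%s: 2fa-scope=%s accept-AUTHY_TOKEN=%s forwarding-off=%s\n' "$1" \
        "$(sshd_2fa_scope "$1")" \
        "$(accepts_authy_token "$1" && echo yes || echo no)" \
        "$(match_block_blocks_forwarding "$1" && echo yes || echo no)"
}

# Constructed sample configs (not from any real host).
cfg_dir=$(mktemp -d)
trap 'rm -rf "$cfg_dir"' EXIT
cat >"$cfg_dir/sshd_config.global" <<'EOF'
Port 22
AcceptEnv LANG LC_*
ForceCommand /usr/local/bin/authy-ssh login
EOF
cat >"$cfg_dir/sshd_config.scoped" <<'EOF'
Port 22
AcceptEnv LANG LC_* AUTHY_TOKEN
match Group two-factor
    ForceCommand /usr/local/bin/authy-ssh login
    AllowTcpForwarding no
EOF
cat >"$cfg_dir/sshd_config.disabled" <<'EOF'
#ForceCommand /usr/local/bin/authy-ssh login
EOF

for f in "$cfg_dir"/sshd_config.*; do audit_sshd_config "$f"; done
```

On a real host, run audit_sshd_config /etc/ssh/sshd_config; sshd -T prints the effective configuration, and sshd -T -C user=deploy,host=client,addr=192.0.2.10 evaluates the Match blocks for a specific connection, which is the quickest way to confirm that a deployment user really escapes the forced command.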

Multiple users sharing the same unix account

Several people can share a single Unix account without sharing the same token: each person gets their own Authy ID tied to their own SSH key, which preserves non-repudiation. To achieve this, delete or comment out the global ForceCommand directive in your sshd_config:

$ sudo sed -i 's/^\(ForceCommand.*authy-ssh.*\)/#\1/' /etc/ssh/sshd_config

Then, for each person, add their SSH key with the following command, which prompts for the user's SSH public key, cellphone number and email:

$ sudo authy-ssh protect

You should end up with an authorized_keys file that looks like this (each entry on a single line):

command="/usr/local/bin/authy-ssh login 13386" ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAgEAunBSy1b4VTg6K9bkpn98dI6q2XLhi6f7IOalEzQ2h6JGLCQZcXTcIZaK9UbJJYq+wxdGhpdWsuSpwCTF3E2V5eyu8f35QUI0VXmhmAhBW0M13pDU9DPl2nlQYg2dMCV++9Dx9bha3WIkpWwmVZALgv0/fuLCY06uIbztArmuWHfZApkaysGEFuwikkx3uzYueNuUnoGHH+45XeQQ4BGCdOeFHIxJ/5wbpqyVpfIzg2Qb0siAlL1WmAi2D0WAzJPKNoKMi6zpJd+KbEOrZTdmKhOZB5THBqaZbXEqGM5logy4FTdNV/oW9ARba1t3H7K1HgRc0S4kPcVj8s+BIiPrw4i2HAtfvVvMgvh+OdV782O4V/+Z0/SF6mXXKn/uhXViemCWGJpGs/KJ5N+6pN3tgk/+TKOup0OeSDVaWEDXvjbl+5gYLMjJRf7iZojLMerie7EWDwW1QIJVIYngNWQ/+kdqMDxY13DGPDhxNZG2qmDP8V/6FmpDwXpcAOIuM1FCJHSs/tmx3hqOvxbU5Sv4o2or6ABunoUGEy9HSXTBSFyYVLaTVX1R+EdEjDNQCtR9qbKOGSEXchl8IHxj3BlNf2dRbChon2GaJOSkQDykP8835jqfHzBk+8v+yaTeRoikoK0PKv6V32fLmX/d6qaO6IU6xeC5SbqaN2qBr1EoKUE=
command="/usr/local/bin/authy-ssh login 20" ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAgEAunBSy1b4VTg6K9bkpn98dI6q2XLhi6f7IOalEzQ2h6JGLCQZcXTcIZaK9UbJJYq+wxdGhpdWsuSpwCTF3E2V5eyu8f35QUI0VXmhmAhBW0M13pDU9DPl2nlQYg2dMCV++9Dx9bha3WIkpWwmVZALgv0/fuLCY06uIbztArmuWHfZApkaysGEFuwikkx3uzYueNuUnoGHH+45XeQQ4BGCdOeFHIxJ/5wbpqyVpfIzg2Qb0siAlL1WmAi2D0WAzJPKNoKMi6zpJd+KbEOrZTdmKhOZB5THBqaZbXEqGM5logy4FTdN=

The command= option is what binds a key to one person's Authy ID: sshd runs that command instead of a shell whenever the matching key authenticates, so the token prompt survives even though the global ForceCommand is gone.
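For the shared-account setup, here is an added shell helper (not the page's or authy-ssh's own code) that builds the command= entries authy-ssh protect writes and, just as important, finds the keys in an authorized_keys file that carry no such command: once the global ForceCommand has been commented out, a bare key is a login with no second factor. The helper also validates the public key by comparing the declared type with the type string embedded in the base64 blob (which rejects a line such as the doubled "ssh-rsa ssh-rsa" above), and adds the no-*-forwarding options as a hardening of my own: a client run with ssh -N opens no session channel, so the forced command never executes while port forwards still come up. The ed25519 key is a constructed dummy with all-0x01 key bytes, not real key material, and the install path is the one used on this page.

```shell
#!/bin/sh
# Added example: build and audit authy-ssh command= entries in authorized_keys.

AUTHY_SSH=/usr/local/bin/authy-ssh   # install path used on the page

# Validate a public-key line: known type, base64 blob, and the type string
# embedded at the start of the blob must equal the declared type.
valid_pubkey() {
    set -- $1                           # split "TYPE BASE64 [COMMENT]"
    case $1 in
        ssh-rsa|ssh-ed25519|ecdsa-sha2-nistp256|ecdsa-sha2-nistp384|ecdsa-sha2-nistp521) ;;
        *) return 1 ;;
    esac
    case $2 in ''|*[!A-Za-z0-9+/=]*) return 1 ;; esac
    # wire format: 4-byte big-endian length, then the type string
    embedded=$(printf '%s' "$2" | base64 -d 2>/dev/null |
               head -c $((4 + ${#1})) | tail -c ${#1})
    [ "$embedded" = "$1" ]
}

# Emit the authorized_keys line for AUTHY_ID and a public-key line.
# command= is what authy-ssh protect writes; the forwarding options are an
# added hardening so the key cannot be used for tunnels that skip the prompt.
authy_key_line() {
    case $1 in ''|*[!0-9]*) echo "authy_key_line: bad authy_id '$1'" >&2; return 1 ;; esac
    valid_pubkey "$2" || { echo "authy_key_line: bad public key line" >&2; return 1; }
    printf 'command="%s login %s",no-port-forwarding,no-agent-forwarding,no-X11-forwarding %s\n' \
        "$AUTHY_SSH" "$1" "$2"
}

# List entries in an authorized_keys file that are not gated by authy-ssh.
ungated_keys() {
    awk '
        /^[[:space:]]*(#|$)/ { next }                       # comments, blanks
        !/command="[^"]*authy-ssh login [0-9]+"/ { print FILENAME ":" NR ": " $0 }
    ' "$1"
}

# Constructed dummy keys for the example (not real key material).
DEMO_KEY='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEB alice@laptop'
MISMATCHED_KEY="ssh-rsa ${DEMO_KEY#* }"            # says ssh-rsa, blob says ed25519

ak_dir=$(mktemp -d)
trap 'rm -rf "$ak_dir"' EXIT
{
    authy_key_line 13386 "$DEMO_KEY"
    echo "# a key someone appended by hand, with no forced command"
    echo "$DEMO_KEY"
} >"$ak_dir/authorized_keys"

echo "entries that bypass the token prompt:"
ungated_keys "$ak_dir/authorized_keys"
```

Run ungated_keys against the shared account's ~/.ssh/authorized_keys whenever someone is added; with the global ForceCommand removed, any line it prints is a way into the account that never sees Authy.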

Uninstall Two Factor SSH Authentication on Authy

To uninstall, type:

$ sudo authy-ssh uninstall

and then restart your SSH server so sshd drops the ForceCommand.

Running Unit Tests

$ cd tests
$ rake test

These commands run the unit tests for authy-ssh.


I hope this has refreshed your knowledge of configuring Authy two-factor authentication for SSH. If you feel more points should be added, we will keep you posted; stay connected to our page for more topics.
