In today’s world, ensuring the security of your digital accounts is more critical than ever. One of the most effective ways to enhance security is by enabling two-factor authentication (2FA) on your Arch Linux system. This blog post will guide you through the process of how to enable two-factor authentication on Arch Linux, providing a comprehensive and easy-to-follow tutorial.
Why Enable Two-Factor Authentication?
Two-factor authentication adds an extra layer of security to your system, making it more difficult for attackers to gain unauthorized access. By requiring two different methods of verification, such as something you know (password) and something you have (authentication code from an app or a hardware token), 2FA significantly reduces the likelihood of unauthorized access to your accounts.
Prerequisites
Before we begin, ensure that you have the following:
- An Arch Linux system with sudo privileges
- A TOTP (Time-based One-Time Password) application, such as Google Authenticator or Authy
How to Enable Two-Factor Authentication on Arch Linux
Install the Google Authenticator PAM Module
First, you’ll need to install the Google Authenticator PAM (Pluggable Authentication Modules) module on your Arch Linux system. You can install it from the official Arch Linux repository using the pacman package manager. Run the following command:
sudo pacman -S libpam-google-authenticator
Configure Google Authenticator
Once the PAM module is installed, configure Google Authenticator for your user account by running the following command:
google-authenticator
You’ll be prompted with several questions:
- Do you want authentication tokens to be time-based (y/n): Choose y to use time-based tokens.
- Do you want me to update your “/home/your-username/.google_authenticator” file (y/n): Choose y to create the configuration file.
After that, you’ll see a QR code, a secret key, and a list of emergency scratch codes. Scan the QR code with your TOTP application (Google Authenticator or Authy) or manually enter the secret key. Store the emergency scratch codes in a safe place, as they can be used to log in if you lose access to your TOTP app.
Configure PAM for SSH
Now, you need to configure PAM to use the Google Authenticator module for SSH authentication. Open the /etc/pam.d/sshd file using your favorite text editor, such as vim or nano.
sudo vim /etc/pam.d/sshd
Add the following line at the beginning of the file:
auth required pam_google_authenticator.so
Save and exit the file.
Configure SSH
Next, modify the SSH configuration to enable challenge-response authentication. Open the /etc/ssh/sshd_config file using a text editor.
sudo vim /etc/ssh/sshd_config
Ensure the following lines are present and uncommented:
ChallengeResponseAuthentication yes
UsePAM yes
AuthenticationMethods publickey,password publickey,keyboard-interactive
Save and exit the file.
Restart SSH and Test
Restart the SSH service to apply the changes:
sudo systemctl restart sshd
Enabling Two-Factor Authentication for SSH on Arch Linux
One common use case for 2FA is to secure your SSH connections. To accomplish this, we’ll use Google Authenticator PAM (Pluggable Authentication Modules) on Arch Linux.
- Install Google Authenticator PAM:
sudo pacman -S libpam-google-authenticator
- Configure PAM for SSH: Edit the /etc/pam.d/sshd file by adding the following line at the beginning of the file:
auth required pam_google_authenticator.so
- Configure SSH: Open the /etc/ssh/sshd_config file and add or modify the following lines:
ChallengeResponseAuthentication yes
UsePAM yes
AuthenticationMethods publickey,keyboard-interactive
- Restart SSH service: Restart the SSH service to apply the changes:
sudo systemctl restart sshd
- Set up Google Authenticator for each user: Log in as the user you want to enable 2FA for and run the following command:
google-authenticator
Answer the questions prompted, and the Google Authenticator will generate a QR code and a secret key. Use a 2FA app like Google Authenticator, Authy, or FreeOTP to scan the QR code or manually enter the secret key.
- Test your SSH connection: Open a new terminal session and try connecting to your Arch Linux server using SSH. You should be prompted for both your SSH key and the 2FA code.
That’s it! You’ve successfully enabled two-factor authentication on your Arch Linux system.
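One way to check the finished configuration, as an added example that is not part of the original tutorial: a POSIX shell audit of the two files edited above. The function names are hypothetical, the sample files are constructed, and the rule that every AuthenticationMethods list must contain keyboard-interactive is this check's assumption; Match blocks and Include files are not evaluated.

```shell
#!/bin/sh
# Added example (not from the tutorial): audit the two files it edits.
# Assumption: Match blocks and Include files are not evaluated.

# True if an uncommented auth line loads pam_google_authenticator.so.
pam_has_totp() {  # pam_has_totp PAM_FILE
    grep -Eq '^[[:space:]]*auth[[:space:]][^#]*pam_google_authenticator\.so' "$1"
}

# Print a keyword's effective value: sshd uses the first occurrence it reads,
# and keyword names are case-insensitive.
sshd_value() {  # sshd_value SSHD_CONFIG KEYWORD
    awk -v k="$2" 'tolower($1) == tolower(k) {
        $1 = ""; sub(/^[ \t]+/, ""); print; exit }' "$1"
}

# sshd accepts a login once any one space-separated list is completed, and only
# keyboard-interactive shows the verification-code prompt, so require it in all.
methods_require_totp() {  # methods_require_totp "LIST1 LIST2 ..."
    [ -n "$1" ] || return 1
    for list in $1; do
        case ",$list," in
            *,keyboard-interactive,*|*,keyboard-interactive:*) ;;
            *) return 1 ;;
        esac
    done
}

audit_2fa() {  # audit_2fa SSHD_CONFIG PAM_FILE
    rc=0
    pam_has_totp "$2" || { echo "FAIL: pam_google_authenticator.so not in $2"; rc=1; }
    [ "$(sshd_value "$1" UsePAM)" = yes ] || { echo "FAIL: UsePAM is not yes"; rc=1; }
    # ChallengeResponseAuthentication is the deprecated alias of
    # KbdInteractiveAuthentication; accept either spelling.
    kbd=$(sshd_value "$1" KbdInteractiveAuthentication)
    [ -n "$kbd" ] || kbd=$(sshd_value "$1" ChallengeResponseAuthentication)
    [ "$kbd" = yes ] || { echo "FAIL: keyboard-interactive not enabled"; rc=1; }
    methods_require_totp "$(sshd_value "$1" AuthenticationMethods)" ||
        { echo "FAIL: an AuthenticationMethods list lacks keyboard-interactive"; rc=1; }
    return $rc
}

# Constructed sample input: copies of the two files holding the tutorial's lines.
demo_dir=$(mktemp -d)
printf '%s\n' '#%PAM-1.0' 'auth required pam_google_authenticator.so' > "$demo_dir/pam_sshd"
printf '%s\n' '#UsePAM no' 'ChallengeResponseAuthentication yes' 'UsePAM yes' \
    'AuthenticationMethods publickey,keyboard-interactive' > "$demo_dir/sshd_config"
audit_2fa "$demo_dir/sshd_config" "$demo_dir/pam_sshd" && echo "OK: key plus one-time code required"
rm -rf "$demo_dir"
```

On a real system, call audit_2fa /etc/ssh/sshd_config /etc/pam.d/sshd before restarting sshd, and keep an existing session open until a fresh login succeeds.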
Securing Other Services with Two-Factor Authentication
In addition to SSH, you can also secure other services on your Arch Linux server using 2FA. For instance, you can enable 2FA for web applications like phpMyAdmin or Nextcloud. The process may vary depending on the application, so refer to their respective documentation for guidance.
Wrapping Up
Enabling two-factor authentication on Arch Linux is an excellent way to enhance the security of your system. By requiring both a password and a unique code generated by a 2FA app, you can effectively protect your server from unauthorized access.
In this tutorial, we covered the steps to enable 2FA for SSH using Google Authenticator PAM. Remember, you can also secure other services on your Arch Linux server with 2FA, depending on the application.