First install a two-factor authenticator app, like the one from LastPass.
Run the following commands on the local machine. The first is needed only once.
    ssh-keygen
    ssh-copy-id remote-machine
    ssh remote-machine
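    # as root on the remote machine
    su -
    apt install libpam-google-authenticator libqrencode3
    echo "auth required pam_google_authenticator.so" >> /etc/pam.d/sshd
    sed -i 's/ChallengeResponseAuthentication no/ChallengeResponseAuthentication yes/g' /etc/ssh/sshd_config
    service ssh restart
    exit
    # back as your own user; the secret is written to ~/.google_authenticator
    # -t time-based, -f write without asking, -D allow token reuse, -w window size,
    # -r/-R rate limit (3 logins per 30 seconds), -Q QR code mode
    google-authenticator -tfD -w 17 -r 3 -R 30 -Q UTF8

Open the app on your phone and scan the QR code from the terminal or the URL that is given.
Now you need to restart the ssh server. Done.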
You can now connect to the machine over ssh without a password from the machine and user that has a key. From any other machine, you will be asked for authentication. Use your phone for that.
In sshd_config you can stop root from logging in with "PermitRootLogin no" and allow only a specific user to log in with "AllowUsers user_name".
You can copy the .google_authenticator file from the remote machine to other machines where Google Authenticator is installed, so you need only one key.
Use the authenticator for Amazon and other services as well, e.g. for your website.
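A read-only check of the two files edited above, useful before closing the ssh session you already have open. This is an added example, not part of the original page; the function names audit_2fa and sshd_value and the sample files are made up for illustration, and it assumes no Match blocks or Include files override the main sshd_config.

```shell
#!/bin/sh
# Added example: read-only audit of the two files the procedure edits.
# Assumption: no Match blocks or Include files override the main sshd_config.

# Print the first active value of an sshd_config keyword (sshd uses the first
# occurrence; keywords are case-insensitive; commented lines do not match).
sshd_value() {  # $1 = keyword, $2 = file
    awk -v k="$1" 'tolower($1) == tolower(k) { print $2; exit }' "$2"
}

audit_2fa() {  # $1 = sshd_config path, $2 = PAM sshd file path
    cfg=${1:-/etc/ssh/sshd_config}; pam=${2:-/etc/pam.d/sshd}; rc=0
    [ -r "$cfg" ] && [ -r "$pam" ] || { echo "FAIL: cannot read $cfg or $pam"; return 2; }

    # Active auth lines for the module; "echo >>" run twice leaves two of them.
    n=$(grep -Ec '^[[:space:]]*auth[[:space:]]+required[[:space:]]+pam_google_authenticator\.so' "$pam" || true)
    case $n in
        1) echo "ok:   pam_google_authenticator.so enabled once" ;;
        0) echo "FAIL: pam_google_authenticator.so missing from $pam"; rc=1 ;;
        *) echo "FAIL: pam_google_authenticator.so listed $n times in $pam"; rc=1 ;;
    esac

    # The sed edit also rewrites a commented-out line, which leaves the keyword unset.
    v=$(sshd_value ChallengeResponseAuthentication "$cfg")
    if [ "$v" = yes ]; then echo "ok:   ChallengeResponseAuthentication yes"
    else echo "FAIL: ChallengeResponseAuthentication is '${v:-unset}'"; rc=1; fi

    # Optional hardening mentioned on the page: reported, not enforced.
    echo "note: PermitRootLogin is '$(sshd_value PermitRootLogin "$cfg")'"
    echo "note: AllowUsers starts with '$(sshd_value AllowUsers "$cfg")'"
    return $rc
}

# Constructed sample files (not taken from a real host) so the check runs offline.
demo=$(mktemp -d)
printf '%s\n' '#ChallengeResponseAuthentication yes' 'PermitRootLogin no' > "$demo/sshd_bad"
printf '%s\n' 'ChallengeResponseAuthentication yes' 'AllowUsers user_name' > "$demo/sshd_good"
printf '%s\n' '@include common-auth' 'auth required pam_google_authenticator.so' > "$demo/pam_good"
audit_2fa "$demo/sshd_good" "$demo/pam_good" || true
audit_2fa "$demo/sshd_bad" "$demo/pam_good" || true
rm -rf "$demo"
```

On a real host, call audit_2fa with no arguments as root to check /etc/ssh/sshd_config and /etc/pam.d/sshd.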
© 2005 - 2019
by houghi. Copyright explanation will be online on July 26, 2019