Untitled

a guest
Oct 22nd, 2019
# SSH Key with 2FA

1. Add the client user's ssh-rsa public key to the server user's ~/.ssh/authorized_keys file.

#### The rest of this will be done on the server as the user that will be logged in with the key and 2FA.
2. Install the Google Authenticator PAM helper

`sudo apt update && sudo apt upgrade -y` - Always a good idea to update everything before starting

`sudo apt install libpam-google-authenticator` - This is the PAM module that adds 2FA via Google Authenticator (TOTP codes).

`google-authenticator` - This runs the config for the 2FA. Answer yes to all the questions, then scan the barcode with the 2FA app on your mobile device.

3. Update PAM

`sudo vim /etc/pam.d/sshd`

>#Standard Un*x password updating.
>#@include common-password
>auth required pam_google_authenticator.so

Commenting out `@include common-password` stops PAM from asking for a password, and `auth required pam_google_authenticator.so` requires users to present a 2FA token.
4. Update SSH

`sudo vim /etc/ssh/sshd_config`

>LoginGraceTime 2m
>PermitRootLogin no
>StrictModes yes
>MaxAuthTries 1
>PasswordAuthentication no
>AllowUsers <username>
>PubkeyAuthentication yes
>AuthorizedKeysFile .ssh/authorized_keys
>ChallengeResponseAuthentication yes
>UsePAM yes
>AuthenticationMethods publickey,keyboard-interactive

Replace <username> with the username of the server user that can login.
The first 8 options make sure that root can't login over ssh, that only the usernames in AllowUsers can login, and that everything is set up for SSH key login.
The last three say to use PAM, which has the 2FA helper installed and configured, and then require both a public key and a keyboard-interactive (PAM) login. The two methods are joined by a comma with no space: a comma-separated entry means both are required in sequence, whereas a space separates alternatives that would each be sufficient on their own.

`sudo systemctl restart sshd.service` - restarts the OpenSSH server daemon.
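Before restarting sshd it is worth confirming that the edits from steps 3 and 4 actually landed, because a typo here locks you out. The script below is an added example, not part of the original paste: `check_sshd_config` reads a config file the way sshd does (the first occurrence of a directive wins, and anything after a `Match` line is conditional) and compares the directives above with the values the guide expects, and `check_pam_sshd` verifies the module line. It also reports whether `@include common-auth` is still active in `/etc/pam.d/sshd`: on Debian/Ubuntu that include, not `common-password`, is what makes PAM prompt for the account password, so if it stays in place the keyboard-interactive step asks for the password as well as the verification code. The files it runs against are constructed in a temp directory; the functions default to the real paths, so calling them with no argument checks a live host. The "bad" sample shows what a mismatch looks like, including `AuthenticationMethods` written with a space after the comma, which sshd would not read as the single key-then-code sequence.

```shell
#!/bin/sh
# Added example, not from the original paste: read-only checks for the
# sshd_config and /etc/pam.d/sshd edits above, run against constructed
# sample files so the script works offline. Pass real paths to check a host.

# Effective value of an sshd_config directive. sshd uses the FIRST
# occurrence of a keyword, keywords are case-insensitive, and everything
# after a Match block is conditional, so parsing stops there.
sshd_value() {
    awk -v k="$2" '
        tolower($1) == "match" { exit }
        tolower($1) == tolower(k) && v == "" { v = $2 }
        END { print v }' "$1"
}

# Compare the directives from step 4 with the values the guide expects.
# Returns 0 when all match, 1 otherwise, printing each mismatch.
check_sshd_config() {
    file=${1:-/etc/ssh/sshd_config}
    rc=0
    while IFS='=' read -r key want; do
        got=$(sshd_value "$file" "$key")
        if [ "$got" != "$want" ]; then
            echo "$file: $key is '${got:-unset}', expected '$want'"
            rc=1
        fi
    done <<EOF
PermitRootLogin=no
MaxAuthTries=1
PasswordAuthentication=no
PubkeyAuthentication=yes
ChallengeResponseAuthentication=yes
UsePAM=yes
AuthenticationMethods=publickey,keyboard-interactive
EOF
    return $rc
}

# Step 3: the Google Authenticator module must be a required auth entry.
check_pam_sshd() {
    grep -Eq '^[[:space:]]*auth[[:space:]]+required[[:space:]]+pam_google_authenticator\.so' \
        "${1:-/etc/pam.d/sshd}"
}

# True when "@include common-auth" is still active. On Debian/Ubuntu that
# include is what prompts for the Unix password, so leaving it in means
# keyboard-interactive asks for the password AND the verification code.
pam_prompts_for_password() {
    grep -Eq '^[[:space:]]*@include[[:space:]]+common-auth' "${1:-/etc/pam.d/sshd}"
}

# --- constructed sample files (not real system files) -------------------
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
cat > "$tmp/sshd_config.good" <<'EOF'
# constructed: the settings from step 4 (AllowUsers omitted); the Match
# block at the end must not change the global values
PermitRootLogin no
MaxAuthTries 1
PasswordAuthentication no
PubkeyAuthentication yes
ChallengeResponseAuthentication yes
UsePAM yes
AuthenticationMethods publickey,keyboard-interactive
Match User backup
    PasswordAuthentication yes
EOF
cat > "$tmp/sshd_config.bad" <<'EOF'
# constructed: two mistakes, password auth left on and a stray space
# in the method list
PermitRootLogin no
MaxAuthTries 1
PasswordAuthentication yes
PubkeyAuthentication yes
ChallengeResponseAuthentication yes
UsePAM yes
AuthenticationMethods publickey, keyboard-interactive
EOF
cat > "$tmp/pam_sshd" <<'EOF'
# constructed excerpt of /etc/pam.d/sshd after step 3
@include common-auth
#@include common-password
auth required pam_google_authenticator.so
EOF

for f in "$tmp/sshd_config.good" "$tmp/sshd_config.bad"; do
    if check_sshd_config "$f"; then echo "$f: OK"; fi
done
check_pam_sshd "$tmp/pam_sshd" && echo "pam: module required"
pam_prompts_for_password "$tmp/pam_sshd" && echo "pam: common-auth still active, password will be asked too"
```

Run `sudo sshd -t` as well before the restart, since it catches syntax errors this check does not look for, and keep your current session open until a second login with key plus code has succeeded. Note that `MaxAuthTries 1` also disconnects a client whose agent offers a different key before the right one ("Too many authentication failures"), so clients with several keys loaded should set `IdentitiesOnly yes` for this host.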

5. Install and Config Fail2Ban

`sudo apt install fail2ban -y`

`sudo vim /etc/fail2ban/jail.local`

>[sshd]
>enabled = true
>port = 22
>filter = sshd
>logpath = /var/log/auth.log
>findtime = 3600
>bantime = 300
>maxretry = 2
>
>[sshd-persistent]
>enabled = true
>port = 22
>filter = sshd
>logpath = /var/log/auth.log
>bantime = 604800
>findtime = 604800
>maxretry = 19

`sudo vim /etc/fail2ban/fail2ban.conf`

edit `dbpurgeage = 1d` to read `dbpurgeage = 8d` so the ban database keeps more than the week of history the persistent jail's findtime needs

`sudo systemctl enable fail2ban`

`sudo systemctl start fail2ban`
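The jail above bans an address for five minutes after 2 failures within an hour and, separately, for a week after 19 failures within seven days. The script below is an added example (not from the paste or from the Fail2Ban project) that shows what the `sshd` filter is counting: the `Failed <method> for ... from <ip>` lines sshd writes to auth.log, which with this setup include `Failed keyboard-interactive/pam` entries for wrong verification codes. It tallies failures per source address from a constructed auth.log excerpt and maps each count onto the two `maxretry` thresholds; the `findtime` windows are not applied, so the sample lines are assumed to fall inside both.

```shell
#!/bin/sh
# Added example, not from the original paste or from Fail2Ban: tally failed
# sshd logins per source address from an auth.log and map the count onto
# the two maxretry thresholds in jail.local. findtime windows are not
# applied; the constructed sample lines all fall inside both windows.

# Print "count ip" for every address with "Failed <method> for ... from <ip>"
# lines, which cover password, publickey and keyboard-interactive (PAM/2FA)
# failures. The address is the field between "from" and "port", so a user
# name that happens to be "from" cannot confuse it. Sorted by address.
failed_logins_by_ip() {
    awk '/sshd\[[0-9]+\]: Failed [^ ]+ for .* from [0-9a-fA-F:.]+ port [0-9]+/ {
            for (i = 1; i <= NF; i++)
                if ($i == "from" && $(i + 2) == "port") { n[$(i + 1)]++; break }
         }
         END { for (ip in n) print n[ip], ip }' "$1" | sort -k2
}

# Which jail a failure count would trip: maxretry 19 -> sshd-persistent
# (week-long ban), maxretry 2 -> sshd (5 minute ban), otherwise none.
ban_decision() {
    if [ "$1" -ge 19 ]; then echo sshd-persistent
    elif [ "$1" -ge 2 ]; then echo sshd
    else echo none
    fi
}

# Failure count for one address (0 if it never failed).
failures_for() {   # args: logfile ip
    failed_logins_by_ip "$1" | awk -v ip="$2" '$2 == ip { c = $1 } END { print c + 0 }'
}

# --- constructed auth.log excerpt (fake host, documentation IP ranges) ---
log=$(mktemp)
trap 'rm -f "$log"' EXIT
cat > "$log" <<'EOF'
Oct 22 10:00:01 srv sshd[1001]: Failed password for invalid user admin from 203.0.113.5 port 40001 ssh2
Oct 22 10:00:04 srv sshd[1002]: Failed keyboard-interactive/pam for alice from 203.0.113.5 port 40002 ssh2
Oct 22 10:00:09 srv sshd[1003]: Failed publickey for alice from 203.0.113.5 port 40003 ssh2: RSA SHA256:PLACEHOLDER
Oct 22 10:01:00 srv sshd[1004]: Accepted publickey for alice from 198.51.100.7 port 40010 ssh2: RSA SHA256:PLACEHOLDER
Oct 22 10:01:05 srv sshd[1005]: Failed password for root from 198.51.100.7 port 40011 ssh2
Oct 22 10:02:00 srv sshd[1006]: Connection closed by 198.51.100.7 port 40011 [preauth]
EOF

failed_logins_by_ip "$log" | while read -r count ip; do
    echo "$ip: $count failures -> $(ban_decision "$count")"
done
```

With the sample above 203.0.113.5 has three failures and would already be in the short `sshd` jail, while 198.51.100.7 has one and is untouched. On a live host, point `failed_logins_by_ip` at `/var/log/auth.log` and compare with `sudo fail2ban-client status sshd` to confirm the jail is reading the same file.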


6. ????


7. Profit