Duo Security offer a free two factor authentication (limited to 10 users), which I have found very useful to secure servers.
First install the compiling software
sudo apt-get install build-essential automake checkinstall libssl-dev libpam-dev
Visit https://github.com/duosecurity/duo_unix/downloads to download the latest version of of install, and use wget to dowload it.
sudo wget https://dl.duosecurity.com/duo_unix-latest.tar.gz
Extract the file
tar zxf duo_unix-latest.tar.gz
Now you need to compile the installation
sudo ./configure --prefix=/usr && sudo make && sudo make install
You now need to register your server with Duo. To do this logon to the Duo Security Dashboard and add a new registration, copy the details into the following file:
sudo nano /etc/duo/login_duo.conf
[duo] ; Duo integration key ikey = INTEGRATION_KEY ; Duo secret key skey = SECRET_KEY ; Duo API hostname host = API_HOSTNAME
Now you need to test by running the following. If this is your first time setting this up, you will be given an enrolment URL link to follow:
There are a number of ways to use Duo Security to authenticate you. I prefer to do this on a user by user basis. So I add the following at the start of the ~/.ssh/authorized_keys file. This SSH to authenticate me using both certificate and Duo together.
If you want to enable it for all users, the you can add the following to the bottom of the /etc/ssh/sshd_config file:
and the restart the ssh service:
sudo service ssh restart