This may sound like an oxymoron, but this tutorial shows you how to secure access to an Ubuntu server using 2FA to protect both login and access to the sudo account. Once we accomplish that, we show how “wetty”, a web-browser-based terminal, can be used to host our ssh access via a web browser.
Read about wetty on the Github page:
https://github.com/butlerx/wetty/blob/main/docs/atoz.md
If that’s not enough, I show how to use NginX Proxy Manager (NPM) to offer our ssh terminal instance over the web with SSL encryption. Wetty has internal functionality for SSL certificates, but since I frequently feature the use of NPM as a central point of management for reverse proxy and SSL certificate management, this seemed like a good solution.
At the beginning of the video I created an LXD instance for Ubuntu 22.04 Server. Watch my other videos that describe how to expose your LXD instances to your LAN or a VLAN using either bridging or macvlan, as I do below:
lxc launch ubuntu:22.04 wetty --profile default --profile vlan80 -c boot.autostart=true
Connect to the console of the new LXD instance:
lxc exec wetty bash
Execute updates on the new instance, install net-tools:
sudo apt update && sudo apt upgrade
sudo apt install net-tools
Add a user account for testing and grant it sudo privilege:
sudo adduser scott
sudo usermod -aG sudo scott
Install the Google pluggable authentication module for 2FA:
sudo apt install libpam-google-authenticator
Switch to your user account, since that is where we want to add 2FA, and invoke the 2FA key generator:
su - scott
google-authenticator
Edit the common authentication file to use 2FA:
sudo nano /etc/pam.d/common-auth
Insert the following two lines at the end and then save the file:
auth required pam_google_authenticator.so nullok
auth required pam_permit.so
Edit the ssh server configuration file and search for “challenge”:
sudo nano /etc/ssh/sshd_config
If you are running Ubuntu 22.04 the key you will want to change to “yes” is:
KbdInteractiveAuthentication yes
If you are running Ubuntu 20.04 the key you will want to change to “yes” is:
ChallengeResponseAuthentication yes
Restart the ssh service for changes to take effect:
sudo systemctl restart sshd.service
Time-based 2FA codes rely heavily on an accurate system clock. Use the following commands to set your system to get time from the Internet and also set your time zone:
sudo timedatectl set-ntp yes
sudo timedatectl list-timezones
sudo timedatectl set-timezone America/Chicago
At this point, you should be able to ssh to your server and be prompted for username, password, and 2FA key. The sudo command will also prompt for a 2FA key.
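The edits above are easy to get subtly wrong by hand: a key left commented out, a duplicate line, or the 2FA module line missing from common-auth. The following shell helpers are an added example (not from the tutorial or video) that apply the sshd_config change idempotently and audit the PAM stack; the demo runs on constructed copies of the files in a temp directory so nothing under /etc is touched, and the sample file contents, the temp paths and the function names are all assumptions of this example. The nullok check matters because, with nullok present, any account that has not yet run google-authenticator is still allowed in with only a password.

```bash
#!/usr/bin/env bash
# Added example (not from the tutorial or video): helpers that apply and audit
# the 2FA-related config edits idempotently. demo() works on constructed copies
# of the files in a temp directory; point the helpers at the real paths as root
# when you mean it.
set -u

# Set KEY to VALUE in an sshd_config-style file. An existing active or
# commented-out line for KEY is rewritten in place; otherwise the setting is
# appended. Running it twice leaves a single line, so it is safe to re-run.
set_sshd_option() {
  local file="$1" key="$2" value="$3"
  if grep -Eq "^[[:space:]]*#?[[:space:]]*${key}([[:space:]]|$)" "$file"; then
    sed -i -E "s|^[[:space:]]*#?[[:space:]]*${key}([[:space:]].*)?$|${key} ${value}|" "$file"
  else
    printf '%s %s\n' "$key" "$value" >> "$file"
  fi
}

# Print the value of KEY from the first active (uncommented) line that sets it,
# which is the occurrence sshd honours; prints nothing if KEY is not set.
get_sshd_option() {
  local file="$1" key="$2"
  awk -v k="$key" 'tolower($1) == tolower(k) { print $2; exit }' "$file"
}

# Return 0 if the PAM stack in FILE has an active auth line loading
# pam_google_authenticator.so, 1 otherwise.
pam_has_google_auth() {
  grep -Eq '^[[:space:]]*auth[[:space:]].*pam_google_authenticator\.so' "$1"
}

# Return 0 if that line carries nullok, meaning accounts that have not yet run
# google-authenticator are still allowed in with only a password.
pam_google_auth_nullok() {
  grep -Eq '^[[:space:]]*auth[[:space:]].*pam_google_authenticator\.so.*[[:space:]]nullok' "$1"
}

# Build constructed sample files, apply the tutorial's edits, and report.
demo() {
  local dir
  dir="$(mktemp -d)"
  # Constructed 22.04-style sshd_config with the option still commented out.
  printf '%s\n' \
    'Include /etc/ssh/sshd_config.d/*.conf' \
    '#KbdInteractiveAuthentication no' \
    'UsePAM yes' > "$dir/sshd_config"
  # Constructed common-auth modelled on the Ubuntu default, before the edit.
  printf '%s\n' \
    'auth [success=1 default=ignore] pam_unix.so nullok' \
    'auth requisite pam_deny.so' \
    'auth required pam_permit.so' > "$dir/common-auth"

  set_sshd_option "$dir/sshd_config" KbdInteractiveAuthentication yes   # 22.04 name
  set_sshd_option "$dir/sshd_config" ChallengeResponseAuthentication yes # 20.04 name
  if ! pam_has_google_auth "$dir/common-auth"; then
    printf 'auth required pam_google_authenticator.so nullok\n' >> "$dir/common-auth"
  fi

  echo "KbdInteractiveAuthentication=$(get_sshd_option "$dir/sshd_config" KbdInteractiveAuthentication)"
  echo "ChallengeResponseAuthentication=$(get_sshd_option "$dir/sshd_config" ChallengeResponseAuthentication)"
  pam_has_google_auth "$dir/common-auth" && echo "common-auth: 2FA module present"
  pam_google_auth_nullok "$dir/common-auth" && echo "common-auth: nullok set (unenrolled users skip 2FA)"
  rm -rf "$dir"
}

demo
```

One caveat when auditing a real 22.04 host: sshd_config starts with an Include of /etc/ssh/sshd_config.d/*.conf, and because sshd keeps the first value it sees, a setting in one of those drop-in files overrides the main file. get_sshd_option only reads the file you give it, so confirm the effective configuration with `sudo sshd -T | grep -i kbdinteractive` before restarting the service.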
This next section shows how to install the wetty web-based ssh terminal application.
Install “git”:
sudo apt install git
Install the dependencies:
sudo apt install curl build-essential python3
sudo apt install libncurses-dev flex libssl-dev libelf-dev bc bison
Add the NodeSource repository so that Node.js 14+ can be installed, then install node:
curl -sL https://deb.nodesource.com/setup_14.x | sudo bash -
sudo apt -y install nodejs
Check to see that node 14+ is installed:
node -v
Install gnupg2 (GNU Privacy Guard), which is used to handle the repository signing key:
sudo apt install gnupg2
Add a repository for the Yarn package manager:
curl -sL https://dl.yarnpkg.com/debian/pubkey.gpg | sudo apt-key add -
echo "deb https://dl.yarnpkg.com/debian/ stable main" | sudo tee /etc/apt/sources.list.d/yarn.list
Install yarn:
sudo apt update && sudo apt install yarn
Install wetty with yarn:
sudo yarn global add wetty
Add the directory where yarn installed the wetty binary to the system-wide PATH (single quotes so $PATH is expanded at login, not baked in now):
echo 'export PATH=$PATH:/usr/local/bin' | sudo tee -a /etc/profile
source /etc/profile
Confirm that wetty is installed:
wetty --help
Invoke wetty from the command line to test (you can change the port number):
wetty --host 0.0.0.0 -p 80
In your web browser, go to the address of your instance:
http://192.168.80.129/wetty
Come back to the terminal and press CTRL-C to stop wetty. Now create a systemd service for wetty by editing the file:
sudo nano /etc/systemd/system/wetty.service
Insert the following contents into the file and save it:
[Unit]
Description=WeTTY
[Service]
Type=simple
ExecStart=/bin/bash -c "wetty --host 0.0.0.0 -p 80 --base /"
Restart=always
RestartSec=2
TimeoutStopSec=5
SyslogIdentifier=wetty
[Install]
WantedBy=multi-user.target
Enable and start the new service:
sudo systemctl enable wetty
sudo systemctl start wetty
Reboot your server to confirm that the service starts at boot:
sudo reboot
Log in and check to see the service is running:
sudo systemctl status wetty
You should now be able to access your wetty instance from a web browser at the address of the server:
http://192.168.80.129
The trailing “/wetty” is no longer needed in the URL because of the “--base /” switch in the service. Run “wetty --help” to see the other command-line options.
In the video, I showed how to use NginX Proxy Manager to offer this service via reverse proxy with SSL, securing it for access over the public Internet if that is desired. Refer to the video for that detail.
To upgrade wetty to a newer version:
yarn global upgrade wetty --prefix ~/