{"id":50347473,"url":"https://github.com/chethanyadav456/ssh-2fa-hardening","last_synced_at":"2026-05-29T20:01:25.443Z","repository":{"id":354017270,"uuid":"1221796460","full_name":"chethanyadav456/ssh-2fa-hardening","owner":"chethanyadav456","description":"Enterprise-grade automation framework to harden Linux SSH access with Google Authenticator PAM-based two-factor authentication.","archived":false,"fork":false,"pushed_at":"2026-04-27T17:16:14.000Z","size":54,"stargazers_count":1,"open_issues_count":0,"forks_count":0,"subscribers_count":0,"default_branch":"main","last_synced_at":"2026-05-25T07:34:28.323Z","etag":null,"topics":["devsecops","google-authenticator","linux-hardening","ssh","two-factor-authentication"],"latest_commit_sha":null,"homepage":"","language":"Shell","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/chethanyadav456.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2026-04-26T17:35:47.000Z","updated_at":"2026-04-27T17:16:18.000Z","dependencies_parsed_at":null,"dependency_job_id":null,"html_url":"https://github.com/chethanyadav456/ssh-2fa-hardening","commit_stats":null,"previous_names":["chethanyadav456/ssh-2fa-hardening"],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/chethanyadav456/ssh-2fa-hardening","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/chethanyadav456%2Fssh-2fa-hardening","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/chethanyadav456%2Fssh-2fa-hardening/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/chethanyadav456%2Fssh-2fa-hardening/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/chethanyadav456%2Fssh-2fa-hardening/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/chethanyadav456","download_url":"https://codeload.github.com/chethanyadav456/ssh-2fa-hardening/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/chethanyadav456%2Fssh-2fa-hardening/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":33668186,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-05-26T15:22:16.424Z","status":"online","status_checked_at":"2026-05-29T02:00:06.066Z","response_time":107,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["devsecops","google-authenticator","linux-hardening","ssh","two-factor-authentication"],"created_at":"2026-05-29T20:01:23.671Z","updated_at":"2026-05-29T20:01:25.411Z","avatar_url":"https://github.com/chethanyadav456.png","language":"Shell","funding_links":[],"categories":[],"sub_categories":[],"readme":"\u003cp align=\"center\"\u003e\n    \u003cimg src=\"logo_2fa_ssh.png\" alt=\"SSH 2FA Hardening Framework logo\" width=\"350\" /\u003e\n\u003c/p\u003e\n\n\u003cp align=\"center\"\u003e\n    \u003cstrong\u003eEnterprise-grade automation framework to harden Linux SSH access with Google Authenticator PAM-based two-factor authentication.\u003c/strong\u003e\n\u003c/p\u003e\n\n## SSH 2FA Hardening Framework\n\nEnterprise-grade automation framework for hardening Linux SSH access with PAM-based Google Authenticator 2FA. Project designed for production rollout, safe rollback, and repeatable validation across mixed Linux environments.\n\n## Why This Matters\n\nPassword-only SSH remains high-risk under modern threat models:\n\n* Credential stuffing and leaked password reuse\n* Brute-force and distributed guessing attacks\n* Lateral movement after endpoint compromise\n* Weak credential hygiene in shared admin teams\n\n2FA reduces blast radius by requiring possession factor in addition to password or key authentication.\n\n## One-Line Deployment\n\n```bash\ncurl -sSL https://raw.githubusercontent.com/chethanyadav456/ssh-2fa-hardening/refs/heads/main/setup.sh | sudo bash\n```\n\n```bash\nwget -qO- https://raw.githubusercontent.com/chethanyadav456/ssh-2fa-hardening/refs/heads/main/setup.sh | sudo bash\n```\n\n## Features\n\n* Strict bash safety (`set -euo pipefail`)\n* Colored structured logs (`INFO`, `WARN`, `ERROR`, `SUCCESS`)\n* OS and package-manager detection (`apt`, `yum`, `dnf`)\n* Pre-flight validation checks before mutation\n* Automatic timestamped backup strategy\n* Interactive Google Authenticator enrollment with QR re-display flow\n* Idempotent PAM and SSH config updates (no duplicate directives)\n* Syntax-safe SSH validation via `sshd -t` before restart\n* Cross-distro SSH service management abstraction (`ssh`/`sshd`)\n* Dedicated verification and rollback tooling\n\n## Repository Layout\n\n```text\n.\n├── setup.sh\n├── rollback.sh\n├── verify.sh\n├── config/\n│   ├── pam_sshd.template\n│   └── sshd_config.template\n└── docs/\n    ├── architecture.md\n    └── troubleshooting.md\n```\n\n## Architecture Overview\n\nFramework organized around controlled phases:\n\n1. Pre-checks and dependency readiness\n2. Interactive identity factor enrollment\n3. PAM mutation with backup-aware idempotency\n4. SSH daemon hardening with compatibility fallback\n5. Syntax validation gate before service reload/restart\n6. Post-change verification and operator warning flow\n\nDetailed architecture: [docs/architecture.md](docs/architecture.md)\n\n## Installation Guide\n\n1. Clone repository or host `setup.sh` behind HTTPS.\n2. Execute with root privileges.\n3. Complete interactive Google Authenticator prompt.\n4. Scan QR code from authenticator app.\n5. Keep active SSH session open.\n6. Validate access from second terminal before closing first session.\n\nLocal run:\n\n```bash\nsudo bash setup.sh\n```\n\n## Interactive QR Flow\n\nScript enforces mandatory user confirmation after enrollment:\n\n```text\nHave you scanned the QR code?\n\n1. Yes, continue\n2. Show QR again\n3. Exit safely\n```\n\nNo bypass in production flow.\n\n## Verification Steps\n\nRun post-deployment validation:\n\n```bash\nsudo bash verify.sh\n```\n\nThis checks:\n\n* Package presence\n* PAM line enforcement\n* SSH hardening directives\n* `sshd -t` config validity\n* SSH service health\n\n## Rollback Guide\n\nEmergency rollback command:\n\n```bash\nsudo bash rollback.sh\n```\n\nRollback script restores latest backup set from `/var/backups/ssh-2fa-hardening/` and attempts safe SSH service restart.\n\n## Supported Operating Systems\n\n* Ubuntu (apt)\n* Debian (apt)\n* CentOS (yum)\n* RHEL (yum/dnf)\n\n\n## Security Best Practices\n\n* Keep one active SSH session during hardening\n* Verify second session login before disconnecting first\n* Prefer public key + keyboard-interactive mode where supported\n* Restrict SSH exposure with firewall and trusted CIDRs\n* Disable password auth later if key-only policy enforced\n* Rotate recovery codes and monitor auth logs continuously\n\n## Troubleshooting\n\nCommon failure modes and fixes: [docs/troubleshooting.md](docs/troubleshooting.md)\n\n## Future Roadmap\n\n* Non-interactive bootstrap mode with pre-provisioned secret support\n* SIEM-friendly JSON log mode\n* OpenSCAP integration for compliance evidence\n* Ansible role and Terraform external data wrapper\n* Optional FIDO2/U2F PAM pathway\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fchethanyadav456%2Fssh-2fa-hardening","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fchethanyadav456%2Fssh-2fa-hardening","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fchethanyadav456%2Fssh-2fa-hardening/lists"}