SSH to use two-factor authentication using Google Authenticator on Debian or Ubuntu Server Rumi, November 19, 2023 A computer running Ubuntu 16.04 LTS or above A phone running Android or iOS A configured SSH connection You should understand the danger of stolen passwords. You don’t need to know what two-factor authentication is and how it works. 🙂 Installing and configuring required packages Start a terminal session and type: sudo apt install libpam-google-authenticator Configuring SSH To make SSH use the Google Authenticator PAM module, add the following line to the /etc/pam.d/sshd file: auth required pam_google_authenticator.so Now you need to restart the sshd daemon using: sudo systemctl restart sshd.service Modify /etc/ssh/sshd_config – change ChallengeResponseAuthentication from no to yes, so this part of the file looks like this: # Change to yes to enable challenge-response passwords (beware issues with # some PAM modules and threads) ChallengeResponseAuthentication no # CHANGE THIS TO YES # Change to no to disable tunnelled clear text passwords #PasswordAuthentication yes Configuring authentication Google Authenticator makes the configuration of two-factor authentication much easier, comparing to (for example) libpam-oath. In a terminal, run the google-authenticator command. It will ask you a series of questions, here is a recommended configuration: Make tokens “time-base””: yes Update the .google_authenticator file: yes Disallow multiple uses: yes Increase the original generation time limit: no Enable rate-limiting: yes You may have noticed the giant QR code that appeared during the process, underneath are your emergency scratch codes to be used if you don’t have access to your phone: write them down on paper and keep them in a safe place. That’s all. Now, let’s open Google Authenticator and add our secret key to make it work. Don’t use unencrypted services to store secret keys, such as a notes synchronization service and so on. If you don’t want to type the key manually, use the QR code. Adding the secret to Google Authenticator We will use the latest version of Authenticator from the Play Store. The process shouldn’t look very different on iOS. Using the QR code Touch the Add icon (+) and select “Scan a barcode”. Use phone camera to scan QR code. Using the through key Touch the Add icon (+) and select “Enter a provided key”. Enter a name that you will recognise as being your 2FA method for SSH, then type the secret key provided by google-authenticator command. Ref: https://ubuntu.com/tutorials/configure-ssh-2fa#4-adding-the-secret-to-google-authenticator Administrations Configurations (Linux) 2 Factor Authentication2FAGoogle AuthenticatorSSH