SSH 2FA Linux

When setting up a Linux host for developing or testing web applications, security should be a top priority. An essential step in safeguarding your server is to ensure that unauthorized access is effectively prevented. One of the most efficient ways to enhance security is by implementing two-factor authentication (2FA) for SSH access. This added layer of security requires not just a password, but also a verification code generated by a device you own, significantly reducing the risk of potential hacking attempts.

In this guide, we will walk you through the process of enabling Google Authenticator for SSH 2FA on your host. By following these steps, you can protect your server from being easily compromised by hackers and maintain a secure environment for your web application development or testing activities.

Step 1: Update Your System

First, ensure that your system packages are up-to-date. Open a terminal and run:


sudo apt update && sudo apt upgrade -y

Step 2: Install Google Authenticator

The Google Authenticator application will manage the 2FA process. To install it, run:


sudo apt install libpam-google-authenticator -y

Step 3: Configure Google Authenticator for a User

Each user wishing to use 2FA with SSH will need to run the Google Authenticator configuration. Switch to the user account and run:


google-authenticator -s ~/.ssh/google_authenticator

Answer the questions prompted during the setup. Make sure to note down the emergency scratch codes and scan the QR code with your authenticator app (like Google Authenticator or Authy on your smartphone).

Step 4: Configure SSH to Use 2FA

For Ubuntu 21.10, Debian 11, and earlier versions:

You will need to enable ChallengeResponseAuthentication in the SSHD configuration.

Open /etc/ssh/sshd_config with your editor (using sudo if necessary) and find the line that starts with ChallengeResponseAuthentication. Change it to:

sudo nano /etc/ssh/sshd_config

ChallengeResponseAuthentication yes

If the line doesn’t exist, add it.

For Ubuntu 22.04, Debian 12, and later versions:

The correct directive to modify is KbdInteractiveAuthentication.

Open /etc/ssh/sshd_config in your editor (again, using sudo if necessary) and locate the line starting with KbdInteractiveAuthentication. Change it to:


sudo nano /etc/ssh/sshd_config

KbdInteractiveAuthentication yes

If this line does not exist, you should add it. This setting ensures that keyboard-interactive authentication is used, which is necessary for the 2FA prompt.

Regardless of your distribution version, continue with the following steps to configure PAM:

  • Edit the PAM SSH Configuration: You need to modify the PAM (Pluggable Authentication Modules) configuration for SSH to include Google Authenticator. Open /etc/pam.d/sshd in your editor (using sudo if necessary) and add the following line at the end of the file:


sudo nano /etc/pam.d/sshd

auth required
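
A pre-restart check for the two files edited in Step 4, as an added example that is not part of the original guide. It assumes the PAM module is named pam_google_authenticator.so and takes a secret= option (needed because Step 3 stores the secret outside the module's default path); the function names and sample file contents are constructed for illustration.

```shell
#!/bin/sh
# Added example: lint the two files edited in Step 4 before restarting sshd.
# The demo file contents below are constructed samples, not from a real host.

# Effective value of an sshd keyword: names are case-insensitive, the first
# occurrence wins, and global settings end at the first Match block.
sshd_value() {  # $1 = regex of lowercase keyword names, $2 = config file
    awk -v re="^($1)\$" 'tolower($1) == "match" { exit }
        tolower($1) ~ re { print tolower($2); exit }' "$2"
}

# Print one line per problem; return status 0 only when nothing was found.
lint_2fa() {  # $1 = sshd_config path, $2 = PAM sshd file path
    rc=0
    # ChallengeResponseAuthentication is the older name of the same switch.
    kbd=$(sshd_value 'kbdinteractiveauthentication|challengeresponseauthentication' "$1")
    [ "$kbd" = yes ] || { echo "keyboard-interactive is '${kbd:-unset}', want explicit yes"; rc=1; }
    pam=$(sshd_value 'usepam' "$1")
    [ "$pam" = yes ] || { echo "UsePAM is '${pam:-unset}', want yes"; rc=1; }
    # Assumed module name: pam_google_authenticator.so from the Step 2 package.
    line=$(grep -E '^[[:space:]]*auth[[:space:]].*pam_google_authenticator\.so' "$2" | head -n 1)
    if [ -z "$line" ]; then
        echo "no active auth line loads pam_google_authenticator.so"; rc=1
    else
        case $line in
            *secret=*) ;;
            *) echo "PAM line lacks secret=, so the Step 3 file is not read"; rc=1 ;;
        esac
    fi
    return $rc
}

# Demo on constructed files: a commented-out "yes" followed by an active "no",
# and a PAM line without secret=.
demo() {
    d=$(mktemp -d)
    printf '%s\n' '#KbdInteractiveAuthentication yes' \
        'KbdInteractiveAuthentication no' 'UsePAM yes' > "$d/sshd_config"
    printf '%s\n' '@include common-auth' \
        'auth required pam_google_authenticator.so' > "$d/pam_sshd"
    lint_2fa "$d/sshd_config" "$d/pam_sshd"; status=$?
    rm -rf "$d"
    return $status
}
demo || echo "fix the findings above before restarting the SSH service"
```

On a real host, call lint_2fa /etc/ssh/sshd_config /etc/pam.d/sshd; settings placed in files pulled in by an Include directive are not followed by this check.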

Step 5: Restart SSH Service

After making the necessary changes, apply them by restarting the SSH service:


sudo systemctl restart sshd

Step 6: Test Your SSH Connection

It’s important to test the SSH connection to ensure everything is set up correctly. Open a new terminal window and try SSHing to your server. The connection process should now ask for your password followed by the verification code generated by your authenticator app.

Final Notes:

  • Scratch Codes: Store your emergency scratch codes in a secure location. They’re vital if you lose access to your two-factor authentication app.
  • Per-user Configuration: Remember, each user must run the google-authenticator setup individually if they want to use 2FA.
  • Testing: Always test the new SSH connection in a new terminal window before closing existing sessions to avoid being locked out of the server.


