sudo apt install libpam-google-authenticator

At this point, expand your SSH terminal window to full screen so you can scan the QR code into the Google Authenticator app on your device.

google-authenticator

Answer yes to all the questions.

Do you want authentication tokens to be time-based (y/n) y

Do you want me to update your “/home//.google_authenticator” file? (y/n) y

Do you want to disallow multiple uses of the same authentication token? This restricts you to one login about every 30s, but it increases your chances to notice or even prevent man-in-the-middle attacks (y/n) y

By default, a new token is generated every 30 seconds by the mobile app. In order to compensate for possible time-skew between the client and the server, we allow an extra token before and after the current time. This allows for a time skew of up to 30 seconds between authentication server and client. If you experience problems with poor time synchronization, you can increase the window from its default size of 3 permitted codes (one previous code, the current code, the next code) to 17 permitted codes (the 8 previous codes, the current code, and the 8 next codes). This will permit for a time skew of up to 4 minutes between client and server. Do you want to do so? (y/n) y

If the computer that you are logging into isn’t hardened against brute-force login attempts, you can enable rate-limiting for the authentication module. By default, this limits attackers to no more than 3 login attempts every 30s. Do you want to enable rate-limiting? (y/n) y

To back up your secret, copy the .google_authenticator file and save it somewhere safe.


Public Key Authentication with 2FA

If you use an SSH key to log in to the SSH server, follow the instructions below.

Open the SSH server configuration file.

sudo nano /etc/ssh/sshd_config

Find the following two parameters in the file and make sure both of them are set to yes.

UsePAM yes

ChallengeResponseAuthentication yes

PAM stands for Pluggable Authentication Module. It provides an easy way to plug different authentication methods into your Linux system. To enable Google Authenticator with SSH, both PAM and challenge-response authentication must be enabled.

If you want to allow the root user to use 2FA, find the PermitRootLogin parameter and set its value to yes. It cannot be PermitRootLogin no or PermitRootLogin prohibit-password.

PermitRootLogin yes

Next, add the following line at the end of the file. This tells the SSH daemon that the user must pass both public key authentication and challenge-response (keyboard-interactive) authentication.

AuthenticationMethods publickey,keyboard-interactive

Save and close the file. Next, edit the PAM rule file for the SSH daemon.

sudo nano /etc/pam.d/sshd

At the beginning of this file you will see the following line, which enables password authentication when ChallengeResponseAuthentication is set to yes. Comment it out by prefixing it with #, because we will use the SSH key instead of a password:

#@include common-auth

To enable 2FA in SSH, add the following two lines.

# two-factor authentication via Google Authenticator
auth   required   pam_google_authenticator.so
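As an added check that is not part of the original post, the following POSIX sh script audits copies of the two files edited above for the settings this section requires. It assumes sshd's first-occurrence rule for keywords, whitespace-separated options and no Match blocks, and runs against constructed sample files rather than the live /etc files.

```shell
#!/bin/sh
# Added audit script (not from the original post). Assumes sshd's first-occurrence
# rule for keywords, whitespace-separated options and no Match blocks.

# Effective value of one sshd_config keyword: case-insensitive, comments and
# blank lines skipped, first occurrence wins (later duplicates are ignored by sshd).
sshd_opt() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*(#|$)/ { next }
        tolower($1) == key { print $2; exit }' "$1"
}

# 0 when sshd_config demands a public key followed by keyboard-interactive 2FA.
check_sshd_config() {
    rc=0
    [ "$(sshd_opt "$1" UsePAM)" = yes ] || { echo "UsePAM is not yes"; rc=1; }
    [ "$(sshd_opt "$1" ChallengeResponseAuthentication)" = yes ] \
        || { echo "ChallengeResponseAuthentication is not yes"; rc=1; }
    [ "$(sshd_opt "$1" AuthenticationMethods)" = publickey,keyboard-interactive ] \
        || { echo "AuthenticationMethods must be publickey,keyboard-interactive"; rc=1; }
    return $rc
}

# 0 when the PAM file has common-auth commented out (no password fallback) and
# pam_google_authenticator.so marked required.
check_pam_sshd() {
    rc=0
    if grep -Eq '^[[:space:]]*@include[[:space:]]+common-auth' "$1"; then
        echo "common-auth is still active: password authentication stays enabled"; rc=1
    fi
    grep -Eq '^[[:space:]]*auth[[:space:]]+required[[:space:]]+pam_google_authenticator\.so' "$1" \
        || { echo "pam_google_authenticator.so is not required"; rc=1; }
    return $rc
}

# Constructed sample files (not the live /etc files) so the checks run offline.
tmp=$(mktemp -d)
cat >"$tmp/sshd_config" <<'EOF'
usepam yes
ChallengeResponseAuthentication yes
AuthenticationMethods publickey,keyboard-interactive
EOF
cat >"$tmp/pam_sshd" <<'EOF'
#@include common-auth
auth   required   pam_google_authenticator.so
EOF
if check_sshd_config "$tmp/sshd_config" && check_pam_sshd "$tmp/pam_sshd"; then
    echo "OK: key + 2FA enforced, no password fallback"
fi
rm -rf "$tmp"
```

Point the two functions at /etc/ssh/sshd_config and /etc/pam.d/sshd to audit a real host; a non-zero return names the setting that still deviates from this section.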

If you are wondering what happens when you lose the device with the authenticator app and can't get in over SSH: I was able to use the VMware Open Console to access the servers. This only affects SSH. Remember to make sure SSH is blocked from external sources on your firewall.