Configure SSH to use two-factor authentication

Key Value
Summary Configure SSH on Ubuntu server to require two-factor authentication.
Categories server
Difficulty 2
Author Marcin Mikołajczak


Duration: 2:00

SSH, the secure shell, is often used to access remote Linux systems. Because we often use it to connect with computers containing important data, it’s recommended to add another security layer. Here comes the two factor authentication (2FA).

What is two-factor authentication

Multi-factor authentication is a method of confirming your identity using at least two different ways of authentication. The most common and easiest to implement example of two-factor authentication uses a combination of passphrase (a complex password, often made of several words) and one-time-passcode generated by a special mobile app.

We will use the Google Authenticator app available for Android (in the Play Store) and iOS (in iTunes) to generate authentication codes.

What you’ll need

  • A computer running Ubuntu 16.04 LTS or above
  • A phone running Android or iOS
  • A configured SSH connection
  • You should understand the danger of stolen passwords.
  • You don’t need to know what two-factor authentication is and how it works.

Originally authored by Marcin Mikołajczak.

Installing and configuring required packages

Duration: 3:00

Installing the Google Authenticator PAM module

Start a terminal session and type:

sudo apt install libpam-google-authenticator

Configuring SSH

To make SSH use the Google Authenticator PAM module, add the following line to the /etc/pam.d/sshd file:

auth required

Now you need to restart the sshd daemon using:

sudo systemctl restart sshd.service

Modify /etc/ssh/sshd_config – change ChallengeResponseAuthentication from no to yes, so this part of the file looks like this:

# Change to yes to enable challenge-response passwords (beware issues with
# some PAM modules and threads)
ChallengeResponseAuthentication no # CHANGE THIS TO YES

# Change to no to disable tunnelled clear text passwords
#PasswordAuthentication yes

Configuring authentication

Duration: 2:00

Google Authenticator makes the configuration of two-factor authentication much easier, comparing to (for example) libpam-oath.

In a terminal, run the google-authenticator command.

It will ask you a series of questions, here is a recommended configuration:

  • Make tokens “time-base”": yes
  • Update the .google_authenticator file: yes
  • Disallow multiple uses: yes
  • Increase the original generation time limit: no
  • Enable rate-limiting: yes

You may have noticed the giant QR code that appeared during the process, underneath are your emergency scratch codes to be used if you don’t have access to your phone: write them down on paper and keep them in a safe place.

That’s all. Now, let’s open Google Authenticator and add our secret key to make it work.


ⓘ Don’t use unencrypted services to store secret keys, such as a notes synchronization service and so on. If you don’t want to type the key manually, use the QR code.

Adding the secret to Google Authenticator

Duration: 2:00

We will use the latest version of Authenticator from the Play Store. The process shouldn’t look very different on iOS.


Using the QR code

Touch the Add icon (+) and select “Scan a barcode”. Use phone camera to scan QR code.


Using the through key

Touch the Add icon (+) and select “Enter a provided key”. Enter a name that you will recognise as being your 2FA method for SSH, then type the secret key provided by google-authenticator command.


Getting help

Duration: 1:00

Congratulations! You have just configured two-factor authentication for SSH shell using Google Authenticator. Now, every time you (or some bad guy with your password…) will try to log in to your SSH shell, you (or this bad guy) will be asked for an authentication key in addition to a traditional passphrase.

If you need more guidance on using two-factor authentication, help is always at hand:

1 Like

Need to restart sshd after sshd_config is modified.

1 Like

any chance to put the actual command on the next line - to keep it with the same format in the article?

In Ubuntu 22.04 there is KbdInteractiveAuthentication instead of ChallengeResponseAuthentication.


Agree, this is important

Yes, it must be updated in docs.

Unfortunately this does not work on cloud instances (yandex) with Ubuntu 22, not sure why :frowning:.
SSH with a key enters without asking for 2fa. The how-to works for NON cloud instances, using it often.

The screenshots for the authenticator app on are not displaying.

It seems to me that this guide is for password+TOTP, and it does not work for SSHkeys+TOTP.