2FA for SSH using Google Authenticator

ssh Dec 19, 2018

Google Authenticator is a software token that implements two-step verification using the Time-based One-Time Password (TOTP) algorithm and the HMAC-based One-Time Password (HOTP) algorithm to authenticate users.

This tutorial sets up two-factor authentication (2FA) for SSH on the Debian operating system using Google Authenticator.

Installing the Google Authenticator Library

sudo apt update
sudo apt install libpam-google-authenticator -y

Configure Google Authenticator for each user
Run the command below in the session of each user for whom you want to enable 2FA.

You will then be asked a series of questions like the ones below:

Do you want authentication tokens to be time-based (y/n) Y
Do you want me to update your "/root/.google_authenticator" file (y/n) Y
Do you want to disallow multiple uses of the same authentication token? This restricts you to one login about every 30s, but it increases your chances to notice or even prevent man-in-the-middle attacks (y/n) Y
By default, tokens are good for 30 seconds…….. Do you want to do so? (y/n) N
Do you want to enable rate-limiting (y/n) Y

The next step is to scan the QR code displayed on the screen with the Google Authenticator mobile application to finish the configuration.

Note: If root login is disallowed, there is no point in running the command as the root user.

Configure SSH to use Google Authenticator
Modify the PAM configuration file for sshd:
sudo nano /etc/pam.d/sshd

Search for the line @include common-auth and comment it out, as shown below, so that PAM no longer asks for the account password and only prompts for the verification code:
# Standard Un*x authentication.
#@include common-auth

Add the line below at the bottom of the sshd file:
auth required pam_google_authenticator.so
Save and Exit.

Now, modify the sshd_config file:
sudo nano /etc/ssh/sshd_config

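Find ChallengeResponseAuthentication and set its value to yes.
Find PasswordAuthentication and set its value to no, uncommenting the line if it is commented out.

Add the line below at the bottom of the sshd_config file, so that a login needs both a valid public key and the keyboard-interactive step that asks for the verification code: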
AuthenticationMethods publickey,keyboard-interactive
Save and Exit.

Restart the SSH service for the changes to take effect.
sudo service ssh restart
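
The settings from the steps above can be checked with a short script, ideally before the restart and while an existing SSH session is still open. This is an added example, not part of the original tutorial; the function names sshd_value, check_ssh_2fa and demo and the sample files are made up for illustration, and the script assumes plain files without Match blocks, Include files or keyword=value syntax.

```shell
#!/bin/sh
# Added example: verify the two files edited in this tutorial.
# Assumption: plain files, no Match blocks, Include files or "keyword=value" syntax.

# Print the value of the first uncommented occurrence of keyword $1 in file $2.
# sshd uses the first value it obtains for a keyword; keywords are case-insensitive.
sshd_value() {
    awk -v k="$1" 'BEGIN { k = tolower(k) }
        /^[ \t]*#/ { next }
        tolower($1) == k { $1 = ""; sub(/^[ \t]+/, ""); print; exit }' "$2"
}

# check_ssh_2fa [sshd_config] [pam_file]: returns 0 only if every check passes.
check_ssh_2fa() {
    cfg=${1:-/etc/ssh/sshd_config}
    pam=${2:-/etc/pam.d/sshd}
    rc=0
    fail() { echo "FAIL: $1"; rc=1; }

    [ "$(sshd_value ChallengeResponseAuthentication "$cfg")" = yes ] ||
        fail "ChallengeResponseAuthentication is not yes"
    [ "$(sshd_value PasswordAuthentication "$cfg")" = no ] ||
        fail "PasswordAuthentication is not no"
    [ "$(sshd_value AuthenticationMethods "$cfg")" = "publickey,keyboard-interactive" ] ||
        fail "AuthenticationMethods is not publickey,keyboard-interactive"
    grep -Eq '^[[:space:]]*auth[[:space:]]+required[[:space:]]+pam_google_authenticator\.so' "$pam" ||
        fail "pam_google_authenticator.so is not a required auth module"
    if grep -Eq '^[[:space:]]*@include[[:space:]]+common-auth' "$pam"; then
        fail "@include common-auth is still active"
    fi
    return $rc
}

# Constructed sample files that mirror the end state this tutorial describes.
demo() {
    d=$(mktemp -d)
    printf '%s\n' 'ChallengeResponseAuthentication yes' 'PasswordAuthentication no' \
        'AuthenticationMethods publickey,keyboard-interactive' > "$d/sshd_config"
    printf '%s\n' '#@include common-auth' \
        'auth required pam_google_authenticator.so' > "$d/pam_sshd"
    check_ssh_2fa "$d/sshd_config" "$d/pam_sshd" && echo "OK: 2FA settings in place"
    status=$?
    rm -rf "$d"
    return $status
}
demo
```

On a real host, call check_ssh_2fa with no arguments (as root) to read /etc/ssh/sshd_config and /etc/pam.d/sshd.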

That's all!
You have successfully completed the 2FA setup for SSH.

