Setting up SSH With Two-Factor Authentication


A simple way to protect your SSH server with two-factor authentication is to use the Google Authenticator PAM module.


Note that the procedure below applies to Debian and Ubuntu.

1. Install dependencies: log in as root or a superuser and run

$ apt-get install libpam-google-authenticator
root@bastionsg:~# apt-get install libpam-google-authenticator
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following extra packages will be installed:
The following NEW packages will be installed:
libpam-google-authenticator libqrencode3
0 upgraded, 2 newly installed, 0 to remove and 0 not upgraded.
Need to get 65.8 kB of archives.
After this operation, 216 kB of additional disk space will be used.

Do you want to continue? [Y/n] Y
Get:1 jessie/main libqrencode3 amd64 3.4.3-1 [33.8 kB]
Get:2 jessie/main libpam-google-authenticator amd64 20130529-2 [32.1 kB]
Fetched 65.8 kB in 0s (79.6 kB/s)
Selecting previously unselected package libqrencode3:amd64.
(Reading database ... 149501 files and directories currently installed.)
Preparing to unpack .../libqrencode3_3.4.3-1_amd64.deb ...
Unpacking libqrencode3:amd64 (3.4.3-1) ...
Selecting previously unselected package libpam-google-authenticator.
Preparing to unpack .../libpam-google-authenticator_20130529-2_amd64.deb ...
Unpacking libpam-google-authenticator (20130529-2) ...
Processing triggers for man-db ( ...
Setting up libqrencode3:amd64 (3.4.3-1) ...
Setting up libpam-google-authenticator (20130529-2) ...
Processing triggers for libc-bin (2.19-18+deb8u4) ...

2. Edit the configuration files (sshd and sshd_config)

For sshd:

$ nano /etc/pam.d/sshd

Add this line at the top of the file:

auth required pam_google_authenticator.so

For sshd_config:

$ nano /etc/ssh/sshd_config

Find the following line and set it to yes:

ChallengeResponseAuthentication yes

Activate the two-factor authentication for a user

Switch to the user who should use two-factor authentication and run the google-authenticator command.

You will be prompted to answer a few questions. Answer yes (y) to all of them, or choose according to your preferred setup.

burnz@bastionsg:~$ google-authenticator
Do you want authentication tokens to be time-based (y/n) y
|0&cht=qr&chl=otpauth://totp/burnz@bastionsg%3Fsecret&8667677JSHKF

Do you want me to update your "/home/burnz/.google_authenticator" file (y/n) y

Do you want to disallow multiple uses of the same authentication
token? This restricts you to one login about every 30s, but it increases
your chances to notice or even prevent man-in-the-middle attacks (y/n) y

By default, tokens are good for 30 seconds and in order to compensate for
possible time-skew between the client and the server, we allow an extra
token before and after the current time. If you experience problems with poor
time synchronization, you can increase the window from its default
size of 1:30min to about 4min. Do you want to do so (y/n) y

If the computer that you are logging into isn't hardened against brute-force
login attempts, you can enable rate-limiting for the authentication module.
By default, this limits attackers to no more than 3 login attempts every 30s.
Do you want to enable rate-limiting (y/n) y

To use the Google Authenticator app on your mobile device, simply scan the bar code from the link the command creates.

Finally restart the SSH server.

burnz@bastionsg:~$ sudo /etc/init.d/ssh restart

Log in to the server remotely via SSH and verify that it's working.

login as: burnz
Using keyboard-interactive authentication.
Password:           # This is where you enter the default password of the user
Using keyboard-interactive authentication.
Verification code:        # This is where you enter the code from your mobile Google Authenticator app

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
You have mail.
Last login: Wed Apr 27 15:07:37 2016 from
burnz@bastionsg:~$             # Shows that you are successfully logged in
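
A quick audit of the two files edited in step 2, as an added example that is not part of the original post. It assumes the module file name pam_google_authenticator.so (shipped by the libpam-google-authenticator package) and also checks UsePAM and the module's nullok option, which the post does not mention; the function names are made up for this example.

```shell
#!/bin/sh
# Added example (not from the original post): audit the two files edited above.
# Assumes whitespace-separated "Keyword value" lines; Match blocks are not evaluated.

# Print the effective value of an sshd_config keyword (KEY_REGEX in lower case).
# sshd uses the first occurrence of a keyword; keywords are case-insensitive.
sshd_value() {  # usage: sshd_value KEY_REGEX FILE
  awk -v k="^($1)\$" '
    $1 ~ /^#/ { next }
    tolower($1) == "match" { exit }
    tolower($1) ~ k { print tolower($2); exit }' "$2"
}

# Succeed only if an active auth line loads the module as required/requisite
# and without nullok (nullok lets users with no secret file skip the code).
pam_totp_enforced() {  # usage: pam_totp_enforced PAM_FILE
  awk '
    $1 == "auth" && ($2 == "required" || $2 == "requisite") &&
      $3 ~ /pam_google_authenticator\.so$/ && $0 !~ /nullok/ { ok = 1 }
    END { exit !ok }' "$1"
}

# Print one FAIL line per problem; return the number of problems found.
audit_ssh_2fa() {  # usage: audit_ssh_2fa PAM_FILE SSHD_CONFIG
  n=0
  pam_totp_enforced "$1" ||
    { echo "FAIL: no enforced pam_google_authenticator.so auth line in $1"; n=$((n+1)); }
  # OpenSSH 8.7+ spells the keyword used on this page KbdInteractiveAuthentication.
  v=$(sshd_value 'challengeresponseauthentication|kbdinteractiveauthentication' "$2")
  [ "$v" = yes ] ||
    { echo "FAIL: keyboard-interactive authentication is not set to yes in $2"; n=$((n+1)); }
  [ "$(sshd_value usepam "$2")" = yes ] ||
    { echo "FAIL: UsePAM is not set to yes in $2"; n=$((n+1)); }
  return "$n"
}

# Constructed sample: the module line was left commented out and sshd_config untouched.
demo() {
  d=$(mktemp -d)
  printf '#auth required pam_google_authenticator.so\n@include common-auth\n' > "$d/sshd"
  printf 'UsePAM yes\nChallengeResponseAuthentication no\n' > "$d/sshd_config"
  audit_ssh_2fa "$d/sshd" "$d/sshd_config"; rc=$?
  rm -rf "$d"
  return "$rc"
}
demo || echo "findings: $?"
```

On a real host, call audit_ssh_2fa /etc/pam.d/sshd /etc/ssh/sshd_config as root. Logins that use public-key authentication do not pass through the PAM auth stack, so this audit covers password logins like the session shown above.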

Adding the two-factor for sudo

Modify the config file /etc/pam.d/sudo

root@bastionsg:~# nano /etc/pam.d/sudo

It should contain:

@include common-auth
auth required pam_google_authenticator.so

@include common-account
@include common-session-noninteractive

Then restart the ssh service

root@bastionsg:~# /etc/init.d/ssh restart
[ ok ] Restarting ssh (via systemctl): ssh.service.