Linux 2FA SSH
Enabling Two-Factor Authentication (2FA) for SSH on your Linux server enhances security by requiring both a password (or SSH key) and a One-Time Password (OTP) generated by an authentication app. This post will walk you through setting up Google Authenticator for SSH on a Linux server.
Install Google Authenticator
On Debian/Ubuntu:
sudo apt update
sudo apt install libpam-google-authenticator -y
On RHEL/CentOS/Rocky/AlmaLinux:
sudo dnf install epel-release -y
sudo dnf install google-authenticator -y
Generate 2FA Keys for a User
Each user must generate their own unique OTP secret key.
Run the following command for the user account you want to enable 2FA on:
google-authenticator
You’ll be prompted with several questions:
- Do you want authentication tokens to be time-based (y/n)? → Type y (recommended)
- A (huge) QR code and secret key will be displayed in the terminal.
- Scan the QR code with an authenticator app (Google Authenticator, FreeOTP, 2FAS, etc.).
- If you cannot scan, manually enter the secret key into the app.
- A list of backup codes will be presented. Save the backup codes somewhere secure.
- Do you want to update your ~/.google_authenticator file? → Type y
- Disallow multiple uses of the same token? → Type y
- Increase time skew tolerance? → Type y
- Enable rate limiting (3 attempts every 30s)? → Type y
At this point, the OTP generator is set up for the user.
Configure SSH to Use Google Authenticator
Edit PAM Configuration
Modify PAM settings to enable Google Authenticator for SSH.
Open the PAM SSH authentication file:
sudo vi /etc/pam.d/sshd
Add the following line at the end:
auth required pam_google_authenticator.so
Save and exit.
Configure SSH Daemon
Edit the SSH configuration file:
sudo vi /etc/ssh/sshd_config
Modify (or add) the following lines:
ChallengeResponseAuthentication yes
UsePAM yes
If using password & OTP, add this line to the bottom of the file:
AuthenticationMethods publickey,password
This ensures that SSH supports both password-based login and OTP authentication.
If using SSH key authentication & OTP, add this line to the bottom of the file:
AuthenticationMethods publickey,keyboard-interactive
This ensures SSH keys work alongside 2FA.
Save and exit.
Restart SSH Service
sudo systemctl restart sshd
Check the status:
sudo systemctl status sshd
Test SSH 2FA Login
Try logging into the server from another terminal:
ssh user@server_ip
- Enter your password (if applicable)
- Enter the OTP code from the Google Authenticator app
If the authentication succeeds, 2FA is working correctly.
Enforce 2FA for All Users (Optional)
To enforce 2FA for all users, remove password-only authentication by modifying:
sudo vi /etc/ssh/sshd_config
Set:
PasswordAuthentication no
Then restart SSH:
sudo systemctl restart sshd
Warning: Ensure that at least one user has SSH key access before disabling password authentication!
Configure Firewall (If Necessary)
If you are using UFW (on Ubuntu/Debian):
sudo ufw allow OpenSSH
sudo ufw enable
For firewalld (on RHEL-based systems):
sudo firewall-cmd --permanent --add-service=ssh
sudo firewall-cmd --reload
(Optional) Disable Root SSH Login
For security reasons, disable root SSH login:
sudo vi /etc/ssh/sshd_config
Set:
PermitRootLogin no
Restart SSH:
sudo systemctl restart sshd
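Before the final restart it is worth checking that sshd_config actually carries every setting the steps above asked for, since a typo or a duplicate keyword earlier in the file silently wins. The script below is an added example, not part of the original post: it reads a config file by path (pointing it at /etc/ssh/sshd_config on the host works; the two sample configs it writes are constructed for a stand-alone run) and reports each expected setting, checking for the SSH-key-and-OTP variant (AuthenticationMethods containing keyboard-interactive). Match blocks are not interpreted, so it audits the global section only.

```shell
#!/bin/sh
# Added example (not part of the original post): audit an sshd_config against
# the settings this guide asks for. Takes the path of a config file, so it can
# be pointed at /etc/ssh/sshd_config on a host or at the constructed samples
# written below. Exit status is the number of settings that do not match.

# Effective value of a keyword. sshd uses the first occurrence of a keyword and
# matches keywords case-insensitively, so do the same; commented lines never
# match because their first field starts with '#'.
sshd_value() {
    awk -v key="$2" 'tolower($1) == tolower(key) { print $2; exit }' "$1"
}

check_sshd_2fa() {
    cfg="$1"
    failures=0
    for pair in ChallengeResponseAuthentication=yes UsePAM=yes \
                PasswordAuthentication=no PermitRootLogin=no; do
        key=${pair%%=*}
        want=${pair#*=}
        got=$(sshd_value "$cfg" "$key")
        if [ "$got" = "$want" ]; then
            echo "OK   $key $got"
        else
            echo "FAIL $key is '${got:-unset}', expected '$want'"
            failures=$((failures + 1))
        fi
    done
    # keyboard-interactive is the method that hands the login to PAM, which is
    # where pam_google_authenticator prompts for the OTP.
    methods=$(sshd_value "$cfg" AuthenticationMethods)
    case "$methods" in
        *keyboard-interactive*) echo "OK   AuthenticationMethods $methods" ;;
        *) echo "FAIL AuthenticationMethods is '${methods:-unset}', expected publickey,keyboard-interactive"
           failures=$((failures + 1)) ;;
    esac
    return "$failures"
}

# Constructed sample configs for a stand-alone run.
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/hardened.conf" <<'EOF'
# constructed sample: configured as in this guide
Port 22
ChallengeResponseAuthentication yes
UsePAM yes
PasswordAuthentication no
PermitRootLogin no
AuthenticationMethods publickey,keyboard-interactive
EOF
cat > "$SAMPLE_DIR/stock.conf" <<'EOF'
# constructed sample: untouched defaults, the OTP prompt never appears
#ChallengeResponseAuthentication yes
UsePAM yes
PasswordAuthentication yes
PermitRootLogin yes
EOF

for f in "$SAMPLE_DIR/hardened.conf" "$SAMPLE_DIR/stock.conf"; do
    echo "== $f"
    if check_sshd_2fa "$f"; then echo "   all settings match"; fi
done
```

Run it against the live file with `check_sshd_2fa /etc/ssh/sshd_config` before `systemctl restart sshd`, and keep an existing session open until a fresh login has been tested.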
At this point, you should have SSH set up to use 2FA along with an SSH key. Additionally, we have disabled root logins and configured the firewall if necessary. Because each user's OTP secret lives in their own ~/.google_authenticator file, the google-authenticator step must be completed for every user on the host for the protection to cover them all.
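Since every account needs its own enrolment, a quick way to find accounts that have not run google-authenticator is to look for interactive users with no ~/.google_authenticator file. The script below is an added example, not from the original post: it takes a passwd-format file and a prefix for home directories as parameters so that the constructed sample runs stand-alone; on a live host call it as `users_missing_otp /etc/passwd ""`. Once the PAM line is `required`, an account without a secret cannot log in over SSH, so this is worth running before the sshd restart.

```shell
#!/bin/sh
# Added example (not part of the original post): report interactive accounts
# that have no ~/.google_authenticator, i.e. have not run google-authenticator.
# With pam_google_authenticator set to 'required', such accounts are locked out
# of SSH, so check before restarting sshd. Arguments: a passwd-format file and a
# prefix prepended to each home directory (empty string on a live host). Both
# are parameters so the constructed sample below runs stand-alone.
users_missing_otp() {
    passwd_file="$1"
    home_prefix="$2"
    # Interactive accounts: uid >= 1000 and a shell other than nologin/false.
    awk -F: '$3 >= 1000 && $7 !~ /(nologin|false)$/ { print $1 ":" $6 }' "$passwd_file" |
    while IFS=: read -r user home; do
        [ -f "$home_prefix$home/.google_authenticator" ] || echo "$user"
    done
}

# Constructed sample: four uid >= 1000 accounts, two interactive, only alice enrolled.
SAMPLE_ROOT=$(mktemp -d)
mkdir -p "$SAMPLE_ROOT/home/alice" "$SAMPLE_ROOT/home/bob" "$SAMPLE_ROOT/home/carol"
: > "$SAMPLE_ROOT/home/alice/.google_authenticator"
cat > "$SAMPLE_ROOT/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000::/home/alice:/bin/bash
bob:x:1001:1001::/home/bob:/bin/bash
carol:x:1002:1002::/home/carol:/usr/sbin/nologin
svc:x:1003:1003::/home/svc:/bin/false
EOF

echo "Accounts without an OTP secret:"
users_missing_otp "$SAMPLE_ROOT/passwd" "$SAMPLE_ROOT"
```

The root account is skipped by the uid filter, which is consistent with root SSH login being disabled above; lower the threshold if your distribution starts regular users below 1000.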