Two-factor authentication (2FA) adds an extra layer of protection to your server by requiring not only your username and password but also a time-based one-time code generated on your mobile device. This makes brute-force attacks and unauthorized access much more difficult.

 

About Two-Factor Authentication

By default, SSH logins require only a username and password. With 2FA enabled, you’ll also need a temporary numeric code generated by an authenticator app (such as Google Authenticator or Authy). This ensures that even if your password is compromised, attackers cannot log in without your mobile device.

 

Prerequisites

  • Root access to your server.

  • SSH access enabled.

  • An authenticator app installed on your smartphone (Google Authenticator, Authy, Microsoft Authenticator, etc.).

 

Steps to Enable 2FA for SSH

Step 1: Disable Root Logins (Recommended)

For best security, disable direct root logins and create a normal user account with sudo privileges. (See our article on Disabling SSH logins for the root account for details.)

 

Step 2: Install Google Authenticator on the Server

Log in to your server via SSH as root and install the required package:

  • Debian/Ubuntu:

    Bash

apt-get install libpam-google-authenticator

  • AlmaLinux/Fedora:

    Bash

yum install google-authenticator
     

Step 3: Configure Google Authenticator

  1. While logged in as your non-root user, run:

    Bash

yum install google-authenticator

  2. Answer the prompts:

    • Time-based tokens?y

    • Update .google_authenticator file?y

    • Disallow multiple uses of the same token?y

    • Increase token validity window?n (default is more secure)

    • Enable rate-limiting?y

  3. A QR code and secret key will be displayed.

    • Scan the QR code with your authenticator app.

    • Save the emergency backup codes in a safe place.

 

Step 4: Update PAM and SSH Configuration

  1. Edit the PAM SSH file:

    Bash

nano /etc/pam.d/sshd

    Add this line at the top:

     
    Bash

auth required pam_google_authenticator.so nullok

  2. Edit the SSH configuration file:

    nano /etc/ssh/sshd_config

    Find and change:

    ChallengeResponseAuthentication yes

     

  3. Restart SSH:

    • Debian/Ubuntu:

      Bash

service ssh restart

    • AlmaLinux/Fedora:

      Bash

service sshd restart
       

Step 5: Test the Configuration

  • Open a new terminal and log in as your non-root user.

  • You should be prompted for:

    1. Verification code (from your authenticator app).

    2. Password (your user password).

Do not close your root session until you confirm the new login works.

 

Disabling 2FA for SSH

If you need to disable 2FA:

  1. Remove or comment out the pam_google_authenticator.so line in /etc/pam.d/sshd.

  2. Set ChallengeResponseAuthentication no in /etc/ssh/sshd_config.

  3. Restart the SSH service.

 
Was this answer helpful? 0 Users Found This Useful (0 Votes)

Most Popular Articles

Using SSHFS (Secure Shell Filesystem)

SSHFS (Secure Shell Filesystem) allows you to securely mount your Ruachost hosting account’s...
“Too Many Connections from This IP” error message in Ruachost.com

When connecting to your Ruachost hosting account via FTP, you may sometimes encounter the error...
FTP Accounts Do Not Work After FileZilla Upgrade

After upgrading FileZilla to version 3.10 or later, you may find that your FTP accounts no longer...
Keep SSH Connection Alive

When working on your server through SSH, you may sometimes experience dropped or unresponsive...
Transferring Files Using SCP (Secure Copy) in Ruachost

Secure Copy (SCP) is a secure and efficient way to transfer files between your local computer and...

Powered by WHMCompleteSolution