Two-factor authentication (2FA) adds an extra layer of protection to your server by requiring not only your username and password but also a time-based one-time code generated on your mobile device. This makes brute-force attacks and unauthorized access much more difficult.


About Two-Factor Authentication

By default, SSH logins require only a username and password. With 2FA enabled, you’ll also need a temporary numeric code generated by an authenticator app (such as Google Authenticator or Authy). This ensures that even if your password is compromised, attackers cannot log in without your mobile device.


Prerequisites

  • Root access to your server.

  • SSH access enabled.

  • An authenticator app installed on your smartphone (Google Authenticator, Authy, Microsoft Authenticator, etc.).


Steps to Enable 2FA for SSH

Step 1: Disable Root Logins (Recommended)

For best security, disable direct root logins and create a normal user account with sudo privileges. (See our article on Disabling SSH logins for the root account for details.)


Step 2: Install Google Authenticator on the Server

Log in to your server via SSH as root and install the required package:

  • Debian/Ubuntu:

    Bash
    
    apt-get install libpam-google-authenticator
    
  • AlmaLinux/Fedora:

    Bash
    
    yum install google-authenticator
    

Step 3: Configure Google Authenticator

  1. While logged in as your non-root user, run:

    Bash
    
    google-authenticator
    
  2. Answer the prompts:

    • Time-based tokens? y

    • Update .google_authenticator file? y

    • Disallow multiple uses of the same token? y

    • Increase token validity window? n (the default is more secure)

    • Enable rate-limiting? y

  3. A QR code and secret key will be displayed.

    • Scan the QR code with your authenticator app.

    • Save the emergency backup codes in a safe place.
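To make the Step 3 prompts concrete, here is an added illustration (not code from this article or from pam_google_authenticator) of what the authenticator app computes and what the server checks: a minimal RFC 6238 TOTP generator, and a verifier whose `window` and `allow_reuse` settings correspond to the "validity window" and "disallow multiple uses" prompts. The secret used is the RFC 6238 test vector, not a real key.

```python
import base64
import hashlib
import hmac
import struct

STEP = 30    # seconds per time slice (the pam_google_authenticator default)
DIGITS = 6   # length of the code shown by the authenticator app


def _hotp(key: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 of the counter, dynamically truncated."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{binary % 10 ** digits:0{digits}d}"


def _key(secret_b32: str) -> bytes:
    """Decode the base32 secret stored in ~/.google_authenticator (padding optional)."""
    s = secret_b32.strip().upper()
    return base64.b32decode(s + "=" * (-len(s) % 8))


def totp(secret_b32: str, unix_time: int) -> str:
    """Code the phone displays at unix_time: HOTP over the 30-second slice index."""
    return _hotp(_key(secret_b32), unix_time // STEP)


class Verifier:
    """Server-side check mirroring the Step 3 prompts: codes from `window` slices
    either side of 'now' are accepted (answering y to the validity-window prompt
    widens this); with allow_reuse=False a slice's code is accepted only once
    (the 'disallow multiple uses of the same token' prompt)."""

    def __init__(self, secret_b32: str, window: int = 1, allow_reuse: bool = False):
        self.key = _key(secret_b32)
        self.window = window
        self.allow_reuse = allow_reuse
        self.used = set()   # slice indexes whose code has already been consumed

    def verify(self, code: str, unix_time: int) -> bool:
        now = unix_time // STEP
        for c in range(max(0, now - self.window), now + self.window + 1):
            if hmac.compare_digest(_hotp(self.key, c), code):
                if c in self.used and not self.allow_reuse:
                    return False      # replay of an already-used code
                self.used.add(c)
                return True
        return False
```

Answering "n" to the window prompt keeps the accepted range small, so a captured code is useful for at most a minute or so; disallowing reuse means that even within that window a code typed once cannot be replayed.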


Step 4: Update PAM and SSH Configuration

  1. Edit the PAM SSH file:

    Bash
    
    nano /etc/pam.d/sshd
    

    Add this line at the top:

    Bash
    
    auth required pam_google_authenticator.so nullok
    
  2. Edit the SSH configuration file:

    Bash
    
    nano /etc/ssh/sshd_config
    

    Find and change:

    Bash
    
    ChallengeResponseAuthentication yes
    
  3. Restart SSH:

    • Debian/Ubuntu:

      Bash
      
      service ssh restart
      
    • AlmaLinux/Fedora:

      Bash
      
      service sshd restart
      

Step 5: Test the Configuration

  • Open a new terminal and log in as your non-root user.

  • You should be prompted for:

    1. Verification code (from your authenticator app).

    2. Password (your user password).

Do not close your root session until you confirm the new login works.


Disabling 2FA for SSH

If you need to disable 2FA:

  1. Remove or comment out the pam_google_authenticator.so line in /etc/pam.d/sshd.

  2. Set ChallengeResponseAuthentication no in /etc/ssh/sshd_config.

  3. Restart the SSH service.
