
2FA for SSH with Google Authenticator

How to enable two-factor authentication for SSH on Linux using Google Authenticator or Authy

2FA adds a second layer of security: even if someone gets your SSH password (or, in the key + OTP flow below, your private key), they can't log in without the one-time code from your phone.

Before applying this configuration, open a second separate SSH session so you can recover if there are errors. Don't close your current session until you've verified it works.


Installation

sudo apt update
sudo apt install libpam-google-authenticator -y

User Configuration

Run this command as the user you want to protect (e.g., root or your user):

google-authenticator

Answer the questions:

  • Do you want authentication tokens to be time-based? → y (TOTP, which is what phone apps use)
  • Scan the QR code with Google Authenticator, Authy, or any TOTP app
  • Do you want me to update your "~/.google_authenticator" file? → y (the secret is stored there, readable only by that user; anyone who can copy the file can generate your codes)
  • Do you want to disallow multiple uses of the same token? → y (a code that was observed can't be replayed within its 30-second step)
  • By default, tokens are good for 30 seconds... → n (answering y widens the accepted window from 3 codes to 17, about 4 minutes of clock skew either way; only do this if the server's clock and your phone are out of sync)
  • Do you want to enable rate-limiting? → y (at most 3 attempts every 30 seconds)

Save the emergency scratch codes in a safe place (a password manager, not the server itself). Each one works exactly once and lets you in if you lose your phone.
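To make concrete what those answers configure, the following is an added example (my own code, not the google-authenticator module's source and not code from this page) that models the check pam_google_authenticator performs at login: parse a file in the ~/.google_authenticator layout, compute the RFC 6238 TOTP value, accept it within WINDOW_SIZE, refuse a reused token when DISALLOW_REUSE is set, and consume scratch codes. The secret-file text is constructed for the demo and uses the RFC 6238 test key, so the codes can be checked against the RFC's published vectors.

```python
"""Model of the check pam_google_authenticator performs at login.
Added example: not the module's source, not code from this page."""
import base64
import hashlib
import hmac
import struct
import time

# Constructed ~/.google_authenticator-style file: base32 secret on line 1,
# options prefixed with '" ', then one 8-digit emergency scratch code per line.
# The secret is the RFC 6238 test key "12345678901234567890" in base32.
SAMPLE_SECRET_FILE = """GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ
" RATE_LIMIT 3 30
" WINDOW_SIZE 3
" DISALLOW_REUSE
" TOTP_AUTH
11111111
22222222
"""


def parse_secret_file(text):
    """Return (raw secret bytes, {option: [args]}, [scratch codes])."""
    lines = [l.strip() for l in text.splitlines() if l.strip()]
    secret = base64.b32decode(lines[0])
    options, scratch = {}, []
    for line in lines[1:]:
        if line.startswith('" '):
            name, *args = line[2:].split()
            options[name] = args
        elif line.isdigit() and len(line) == 8:
            scratch.append(line)
    return secret, options, scratch


def hotp(secret, counter, digits=6):
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret, now, step=30, digits=6):
    """RFC 6238: HOTP with counter = floor(unix_time / step)."""
    return hotp(secret, int(now) // step, digits)


class Verifier:
    """Per-user state: secret, options, unused scratch codes, already-used steps."""

    def __init__(self, file_text):
        self.secret, self.options, self.scratch = parse_secret_file(file_text)
        # WINDOW_SIZE n accepts n consecutive codes: (n-1)//2 before the current
        # step and n//2 after it, so the default 3 means one step either side.
        n = int(self.options.get("WINDOW_SIZE", ["3"])[0])
        self.offsets = range(-((n - 1) // 2), n // 2 + 1)
        self.disallow_reuse = "DISALLOW_REUSE" in self.options
        self.used_steps = set()

    def verify(self, code, now=None, step=30):
        """True if code is an unused scratch code or a TOTP value inside the window."""
        now = time.time() if now is None else now
        code = code.strip()
        if code in self.scratch:          # emergency codes are single use
            self.scratch.remove(code)
            return True
        current = int(now) // step
        for offset in self.offsets:
            t = current + offset
            if t < 0:
                continue
            if hmac.compare_digest(hotp(self.secret, t).encode(), code.encode()):
                if self.disallow_reuse and t in self.used_steps:
                    return False          # same token presented a second time
                self.used_steps.add(t)
                return True
        return False
```

With WINDOW_SIZE 3 the verifier accepts the previous, current and next 30-second code; changing the sample to WINDOW_SIZE 17 (the "y" answer to the time-skew question) widens that to eight steps on each side, which is the trade-off that answer makes.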


PAM Configuration

sudo nano /etc/pam.d/sshd

Add this line at the top of the file (on Debian/Ubuntu that places it before @include common-auth, so the OTP prompt comes before any password prompt):

auth required pam_google_authenticator.so

Two caveats to settle now rather than after a lockout:

  • Without the nullok option, every keyboard-interactive login for a user who has not yet run google-authenticator fails, because the module finds no ~/.google_authenticator file. If you roll 2FA out gradually or scope it to some users, use auth required pam_google_authenticator.so nullok and drop nullok once everyone is enrolled.
  • With the SSH key + OTP flow below, keyboard-interactive still runs the rest of this PAM stack, so an active @include common-auth makes sshd ask for the account password after the OTP. Comment that include out if you want key + OTP only; keep it for password + OTP.

SSH Configuration

sudo nano /etc/ssh/sshd_config

Modify or add these lines. UsePAM yes must be in effect (it is the Debian/Ubuntu default), since keyboard-interactive is the method that hands the OTP prompt to PAM:

# Enable challenge/response (necessary for 2FA)
ChallengeResponseAuthentication yes
# Or in recent OpenSSH versions (8.7 and later), where the keyword above
# is only a deprecated alias for this one:
KbdInteractiveAuthentication yes

# Accepted authentication methods
AuthenticationMethods publickey,keyboard-interactive
# This requires the SSH key FIRST, then the OTP code
# To require only password + OTP (less secure):
# AuthenticationMethods keyboard-interactive

Check the syntax first with sudo sshd -t, so a typo cannot leave you with a daemon that refuses to start, then restart:

sudo systemctl restart ssh

Verification

Open a new SSH session (don't close the current one):

ssh root@185.100.xxx.xxx

With publickey,keyboard-interactive the client must present the key first; a client without it is refused before any code is asked. Once the key is accepted you should see:

Verification code:        ← enter OTP code from app
root@185.100.xxx.xxx:~#

If @include common-auth is still active in /etc/pam.d/sshd, a Password: prompt follows the verification code.

Configure 2FA for Specific Users Only

To apply 2FA only to certain users (not all), leave AuthenticationMethods unset in the global section and put it in a Match block. Match blocks belong at the end of sshd_config: every directive after a Match line is scoped to that block until the next Match, so a global setting placed after it would silently apply to that user only.

sudo nano /etc/ssh/sshd_config
# Require 2FA only for user "admin"; keep this block at the end of the file
Match User admin
    AuthenticationMethods publickey,keyboard-interactive

Other users keep the default methods. The PAM line still runs for their keyboard-interactive (password) logins, so give it the nullok option unless every account already has a ~/.google_authenticator file.
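Because a slip in sshd_config or the PAM stack either locks you out or silently leaves 2FA unenforced, here is an added example (my own code, not from this page, OpenSSH or Linux-PAM) that audits the two files for the points covered in the SSH Configuration and Match sections: UsePAM, the keyboard-interactive keyword, where AuthenticationMethods is set (globally or per Match), whether the pam_google_authenticator line is active, and the nullok / common-auth interplay. The two sample files are constructed; on a real host run audit_files on /etc/ssh/sshd_config and /etc/pam.d/sshd as root.

```python
"""Preflight audit of sshd_config and /etc/pam.d/sshd for the key + TOTP setup.
Added example: not OpenSSH, PAM or this page's own tooling. Samples are constructed."""
import re

SAMPLE_SSHD_CONFIG = """# constructed sample
UsePAM yes
KbdInteractiveAuthentication yes
PasswordAuthentication no
# Match blocks go last: every directive after a Match line is scoped to it
Match User admin
    AuthenticationMethods publickey,keyboard-interactive
"""

SAMPLE_PAM_SSHD = """# constructed sample
auth required pam_google_authenticator.so
@include common-auth
"""


def parse_sshd_config(text):
    """Return (global directives, [(match criteria, directives), ...]).
    Keywords are case-insensitive; 'key value' and 'key=value' are both valid."""
    global_opts, blocks, current = {}, [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        key, value = (re.split(r"[\s=]+", line, maxsplit=1) + [""])[:2]
        key = key.lower()
        if key == "match":
            current = {}
            blocks.append((value, current))
        elif current is None:
            global_opts[key] = value
        else:
            current[key] = value
    return global_opts, blocks


PAM_GA = re.compile(r"^\s*auth\s+(\S+)\s+pam_google_authenticator\.so(.*)$", re.M)
PAM_COMMON = re.compile(r"^\s*@include\s+common-auth\s*$", re.M)


def audit(sshd_text, pam_text):
    """Return a list of findings; an empty list means the setup matches the page."""
    findings = []
    g, blocks = parse_sshd_config(sshd_text)
    if g.get("usepam", "yes").lower() != "yes":
        findings.append("UsePAM is not yes: keyboard-interactive runs through PAM, the OTP prompt never appears")
    kbd = g.get("kbdinteractiveauthentication") or g.get("challengeresponseauthentication")
    if kbd is None:
        findings.append("KbdInteractiveAuthentication/ChallengeResponseAuthentication not set; set it to yes explicitly")
    elif kbd.lower() != "yes":
        findings.append("KbdInteractiveAuthentication/ChallengeResponseAuthentication is %s, must be yes" % kbd)
    scopes = [("global", g)] + [("Match %s" % crit, b) for crit, b in blocks]
    enforced = [(name, o["authenticationmethods"]) for name, o in scopes if "authenticationmethods" in o]
    if not enforced:
        findings.append("AuthenticationMethods is not set anywhere: 2FA is not enforced")
    for name, methods in enforced:
        if "keyboard-interactive" not in methods:
            findings.append("%s: AuthenticationMethods lacks keyboard-interactive, OTP is never asked" % name)
        if "publickey" not in methods:
            findings.append("%s: password + OTP only (no publickey); weaker than key + OTP" % name)
    m = PAM_GA.search(pam_text)
    if not m:
        findings.append("pam.d/sshd has no active pam_google_authenticator.so line")
    else:
        control, opts = m.group(1), m.group(2)
        if control not in ("required", "requisite"):
            findings.append("pam_google_authenticator control is %s; use required or requisite" % control)
        if blocks and "authenticationmethods" not in g and "nullok" not in opts:
            findings.append("2FA is scoped per Match but nullok is missing: users without "
                            "~/.google_authenticator fail every keyboard-interactive login")
        if PAM_COMMON.search(pam_text) and any("publickey" in mth for _, mth in enforced):
            findings.append("note: @include common-auth is active, so key + OTP logins also ask "
                            "for the password; comment it out for key + OTP only")
    return findings


def audit_files(sshd_path, pam_path):
    """Audit the real files (needs root to read /etc/pam.d/sshd on most systems)."""
    with open(sshd_path) as f1, open(pam_path) as f2:
        return audit(f1.read(), f2.read())


if __name__ == "__main__":
    for finding in audit(SAMPLE_SSHD_CONFIG, SAMPLE_PAM_SSHD) or ["no findings"]:
        print("-", finding)
```

The parser deliberately models sshd's scoping rule (everything after a Match line belongs to that block), so a directive you meant to be global but typed below the Match block shows up in the wrong scope in the findings. Run the audit alongside sudo sshd -T, which prints the effective configuration after defaults are applied.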

2FA with SSH Key (Most Secure Flow)

The recommended flow is SSH key + OTP code:

  1. User presents SSH key → authenticated
  2. User enters OTP code → authenticated

AuthenticationMethods publickey,keyboard-interactive

An attacker then needs both the private key and the TOTP secret (the phone, or a copy of ~/.google_authenticator from the server); a leaked password or a stolen key alone is not enough. It does not help against a compromised client machine that holds both factors.


Add 2FA to a New User

Each user must run google-authenticator with their own account:

# As regular user
su - regularuser
google-authenticator

Temporarily Disable 2FA

In case of emergency (e.g., lost phone), first try one of the emergency scratch codes at the Verification code: prompt; each works once. If none are left:

# Access via VNC Console (VirtFusion panel)
# Comment out the PAM line (the pattern tolerates extra spacing and options such as nullok)
sudo sed -i -E 's/^(auth[[:space:]]+required[[:space:]]+pam_google_authenticator\.so)/#\1/' /etc/pam.d/sshd
sudo systemctl restart ssh

If you had also commented out @include common-auth, keyboard-interactive is left with no auth module and is denied; in that case temporarily set AuthenticationMethods publickey in sshd_config instead of editing PAM.

Then re-enrol with google-authenticator once you regain access and put the line back:

sudo sed -i -E 's/^#(auth[[:space:]]+required[[:space:]]+pam_google_authenticator\.so)/\1/' /etc/pam.d/sshd
sudo systemctl restart ssh


Compatible TOTP Apps

  • Google Authenticator (Android/iOS)
  • Authy (Android/iOS/Desktop: recommended for backup)
  • Bitwarden Authenticator (open source)
  • andOTP (Android, open source)
