How to setup SSH Two Factor Authentication?
SSH hardening is a good way to prevent unauthorized access to your server; these days security is a major concern for server owners. There are many brute-forcing attempts per minute against your server via SSH, so securing the server is a must and a good way to prevent hacking attempts through the backend. There are many ways to secure SSH access to your servers; one of them is Two-Factor Authentication. With it, whenever you try to access your server there is an extra prompt for a Google Authenticator verification code, which you need to type correctly to get access to the server via SSH.
Google Authenticator gives an extra layer of protection by generating TOTPs (Time-based One-Time Passwords) on your smartphone, which you need to enter when logging in to the server via SSH. In this tutorial I discuss the steps to enable Two-Factor Authentication for SSH access. Let's begin:
Before proceeding, let's update the system to the latest packages by running the command below:
# yum -y update
The next step is installing the pam-devel package on your server, so that authentication policies can be set without recompiling the other packages that handle authentication.
# yum -y install pam-devel
Also, make sure to install the NTP service, because TOTP security tokens are time sensitive, and make it start at boot:
# yum -y install ntp
# service ntpd start
# chkconfig ntpd on
The next step is installing Google Authenticator on the server from the EPEL repository. Running the command below will do this:
# yum -y install google-authenticator
Once Google Authenticator is installed, run the google-authenticator command on your server to configure it and answer each question.
Let's have a look at the questions asked while configuring Google Authenticator; note that you type y for Yes and n for No.
Do you want authentication tokens to be time-based (y/n) y
This generates a QR code, a secret key (save it in a safe place), emergency scratch codes, etc.
Do you want me to update your “/root/.google_authenticator” file (y/n) y
Yes means the codes generated above will be stored in the /root/.google_authenticator file.
Do you want to disallow multiple uses of the same authentication
token? This restricts you to one login about every 30s, but it increases
your chances to notice or even prevent man-in-the-middle attacks (y/n) y
Here Yes means you are preventing replay attacks: each code expires after one use.
By default, tokens are good for 30 seconds and in order to compensate for
possible time-skew between the client and the server, we allow an extra
token before and after the current time. If you experience problems with poor
time synchronization, you can increase the window from its default
size of 1:30min to about 4min. Do you want to do so (y/n) n
Here No means the verification codes are limited to 3 in a 1:30 minute rolling window. No is the most secure answer for this choice.
If the computer that you are logging into isn’t hardened against brute-force
login attempts, you can enable rate-limiting for the authentication module.
By default, this limits attackers to no more than 3 login attempts every 30s.
Do you want to enable rate-limiting (y/n) y
This means an attacker can only make a few guesses before being blocked by the authentication module.
The QR code generated at the first question above needs to be scanned with the Google Authenticator app on your smartphone. A new verification code is generated every 30 seconds.
The next step is enabling Google Authenticator for SSH logins: edit the PAM configuration file at “/etc/pam.d/sshd”, add the entry below and save.
auth required pam_google_authenticator.so
Once that is done, open the SSHD configuration file and make the changes below:
Once that is done, restart the SSHD service with the command below:
# service sshd restart
From now on there will be an extra prompt for a verification code when logging in via SSH; enter the code generated by the Google Authenticator app on your smartphone to access the server.
@sh:~$ ssh -l root xxx.xx.xx.xx
If you need any further help, please reach out to our support department.