How To Protect SSH With Two-Factor Authentication

Published on April 29, 2013
Tim Kornhuber

Status: Deprecated

This article is deprecated and no longer maintained.

Reason

This article duplicates more recent, accurate content.

See Instead

This article may still be useful as a reference, but may not work or follow best practices.

Please see How To Set Up Multi-Factor Authentication for SSH on Ubuntu 16.04 instead.

Introduction

To protect your SSH server with two-factor authentication, you can use the Google Authenticator PAM module.

Every time you connect you have to enter the code from your smartphone.

Attention: If you activate the google-authenticator for a normal user but not for root, you can't log in as the root user directly anymore. You will need to log in as the new user first, then switch to the super user with the su command to get root.

Before you do anything on your VPS, install the Google Authenticator application; it is available for Android, iOS and BlackBerry. Install the app from your platform's app store, or use your mobile browser to go to m.google.com/authenticator. After this, connect to your VPS and switch to the root user.

Step One - Install Dependencies

sudo apt-get install libpam-google-authenticator

libqrencode3 will be installed automatically and allows you to scan the QR code with your phone's camera directly from the console.

Step Two - Edit the Configuration Files

To use the module you have to edit two configuration files.

nano /etc/pam.d/sshd

Add the following line on top of the file:

auth required pam_google_authenticator.so

One more file to edit:

nano /etc/ssh/sshd_config

Find and change the following line:

ChallengeResponseAuthentication yes
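The two edits from this step, as an added shell script that is not part of the original tutorial: it prepends the PAM line and sets the sshd option without duplicating either if run again, and it lets sshd parse the result before you restart it. PAM_FILE, SSHD_CONFIG and RUN_APPLY are names chosen here; point the first two at copies of the real files to rehearse the change, and keep an existing SSH session open while you restart.

```shell
#!/bin/sh
# Added example, not part of the original tutorial: applies the two edits from
# Step Two without duplicating lines if run twice. PAM_FILE and SSHD_CONFIG
# default to the real paths; point them at copies to rehearse first, since a
# broken sshd_config is what locked out the commenters below.
PAM_FILE="${PAM_FILE:-/etc/pam.d/sshd}"
SSHD_CONFIG="${SSHD_CONFIG:-/etc/ssh/sshd_config}"
PAM_LINE="auth required pam_google_authenticator.so"

# Prepend the PAM line ("on top of the file") unless it is already present.
enable_pam_otp() {
    file="$1"
    grep -qxF "$PAM_LINE" "$file" && return 0
    tmp="$(mktemp)"
    { printf '%s\n' "$PAM_LINE"; cat "$file"; } > "$tmp"
    cat "$tmp" > "$file" && rm -f "$tmp"
}

# Set key to value in sshd_config: rewrite the first matching line, commented
# or not, drop later duplicates, or append if the key is absent.
set_sshd_option() {
    file="$1"; key="$2"; value="$3"; tmp="$(mktemp)"
    awk -v k="$key" -v v="$value" '
        { line = $0; sub(/^[ \t]*#?[ \t]*/, "", line) }
        line ~ ("^" k "([ \t]|$)") { if (!done) { print k " " v; done = 1 }; next }
        { print }
        END { if (!done) print k " " v }' "$file" > "$tmp"
    cat "$tmp" > "$file" && rm -f "$tmp"
}

# Effective (uncommented) value of a key, for checking before the restart.
get_sshd_option() {
    awk -v k="$2" '$1 == k { print $2; exit }' "$1"
}

apply_two_factor() {
    enable_pam_otp "$PAM_FILE"
    set_sshd_option "$SSHD_CONFIG" ChallengeResponseAuthentication yes
    # Let sshd parse the result before /etc/init.d/ssh restart is attempted.
    if command -v sshd >/dev/null 2>&1; then
        sshd -t -f "$SSHD_CONFIG"
    fi
}

# Only touch the real files when asked to; sourcing the script just defines the functions.
if [ "${RUN_APPLY:-0}" = "1" ]; then
    apply_two_factor
fi
```

Run it as root with RUN_APPLY=1 to apply the change for real; without that variable it only defines the functions.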

Step Three - Activate the Two-Factor Authentication For a User

You can activate the google-authenticator for the root user or any other user. Switch to the user who should use the two-factor authentication and type in:

google-authenticator

You will be prompted to answer a few questions; answer the first two questions with yes (y):

Do you want authentication tokens to be time-based (y/n) y
Do you want me to update your "/home/USERNAME/.google_authenticator" file (y/n) y

You can answer the next questions according to your needs.

You can use the Google Authenticator app to scan the QR code, or add the account using the secret key and the verification code. Do not forget to print out the emergency scratch codes and store them in a safe place!

Now switch back to root and restart the SSH server. If you added the two-factor authentication for the root user you can skip the next step.

su root

Finally restart the SSH server.

/etc/init.d/ssh restart

That's it! You should now have an SSH server with two-factor authentication!

10 Comments
All I did was password my SSH keys, disable non-key signing in and change the port to… Something.

I’ve followed the above steps but when I try to SSH now I am only asked for my password and not for my token. Entering my password gives me access denied and entering my PIN gives me access denied.

Any ideas on how to access my server now? Thanks

Same issue as @cheggers

Etel Sverdlov
DigitalOcean Employee
May 2, 2013

This tutorial has been updated to use apt-get, which should resolve issues with the installation. I would recommend returning the SSH config to the default one by logging in through the HTML5 console.

My issue was due to an error with my /etc/ssh/sshd_config. As suggested by Etel, I logged in using the web console, made the change, and after a /etc/init.d/ssh restart it now works perfectly.

Working great…Thanks for the useful info…Digital ocean rocks…

How does this work on FreeBSD?

How to setup individual 2 factor authentication for each user on the server?

Kamal Nasser
DigitalOcean Employee
December 13, 2013

@abishek: Simply follow Step 3 for each user that you want to set up 2FA for.

Somehow this locked me right out of my server:

Access denied Using keyboard-interactive authentication.
