How to set up 2 step authentication for ssh on your Linux servers

If you have ssh enabled on your Linux servers, you should consider two-step authentication a requirement. Jack Wallen shows you how to set this up.

Image: Jack Wallen

Just because you rely on Linux as your server platforms, doesn't mean it's fail proof. There are still steps you can take to ensure your data is safe from prying eyes. One thing you should do is enable two-step authentication for secure shell. This means anyone attempting to get into your server via ssh will have to have both a password and a verification code. This is actually made fairly easy, thanks to the Google Authenticator. Let me walk you through the steps of setting this up.

I will demonstrate this on a Ubuntu-based server. If you're using another distribution, you'll need to modify the steps a bit in order for this to succeed.

Installing google-authenticator

You will be using the Android Google Authenticator to provide you with the necessary codes to log into your machine. In order for this to work, you have to install the google-authenticator on your server so it can interact with secure shell. Here's how:

  1. Log into your server
  2. Open up a terminal window
  3. Install the necessary dependencies with the command sudo apt-get install libpam0g-dev
  4. Install the tools for downloading and compiling the software with the command sudo apt-get install make gcc wget
  5. Download the google-authenticator source with the command wget
  6. Extract the downloaded file with the command tar xvfj libpam-google-authenticator-1.0-source.tar.bz2
  7. Change into the newly created directory with the command cd libpam-google-authenticator-1.0
  8. Compile the code with the command make
  9. Install the tool with the command sudo make install

Running google-authenticator

From the same terminal window, issue the command google-authenticator and walk through the wizard. This will ask you the following questions (answer "y" to all questions):

  • Do you want authentication tokens to be time-based (y/n) y
  • Do you want me to update your "/root/.google_authenticator" file (y/n) y
  • Do you want to disallow multiple uses of the same authenticationtoken? This restricts you to one login about every 30s, but it increasesyour chances to notice or even prevent man-in-the-middle attacks (y/n) y
  • By default, tokens are good for 30 seconds and in order to compensate forpossible time-skew between the client and the server, we allow an extratoken before and after the current time. If you experience problems with poortime synchronization, you can increase the window from its defaultsize of 1:30min to about 4min. Do you want to do so (y/n) y
  • If the computer that you are logging into isn't hardened against brute-forcelogin attempts, you can enable rate-limiting for the authentication module.By default, this limits attackers to no more than 3 login attempts every 30s.Do you want to enable rate-limiting (y/n) y

After you answer the first question, the tool will echo back your secret key and emergency scratch codes. You need to save these to another file for reference. Very important.

Configure SSH to use Google Authenticator and the PAM module

Now you have to configure SSH to use the new tools. First, let's enable the PAM module. To do this, issue the command sudo nano /etc/pam.d/sshd. With the file open, add the following line under Read environment variables from /etc/environment and:

auth required

Save that file and then open the file /etc/ssh/sshd_config. In this file, look for:

ChallengeResponseAuthentication no

and change it to:

ChallengeResponseAuthentication yes

Save that file and restart sshd with the command sudo service sshd restart.

Setup Google Authenticator app

Now it's time to set up the app on your Android device. Install the Google Authenticator and open it up. From the main screen, tap the Settings menu (three vertical dots in the upper right corner) and tap Set up account. In the new window, tap Enter provided key. Finally, go back to the information the google-authenticator presented you and get your secret key. That secret key is what you use to set up the account. In the Manual account entry screen (Figure A), give the entry a name, enter your secret key, select Time based from the drop-down, and tap Add.

Figure A

Figure A
Image: Jack Wallen

Setting up the new account on a Verizon-branded Nexus 6.

Logging in

It's time to log in. Go to another Linux box and, using the ssh command, log into the server. You should first be prompted for your user password. Once the password authenticates, you will then be asked for the verification code. To get the verification code, open the Google Authenticator app on your Android device, and enter the time-sensitive code displayed for the newly added server. Once you've entered a legitimate code, you will be given access to the server. If you don't have that code generated by the Google Authenticator, you will not be allowed in. Period.

If you're looking for a great way to secure your Linux machines from unwanted ssh logins, you can't beat two step authentication.

How do you harden ssh on your Linux boxes?

Also see


Jack Wallen is an award-winning writer for TechRepublic and He’s an avid promoter of open source and the voice of The Android Expert. For more news about Jack Wallen, visit his website

Editor's Picks