All Linux HowTo's Security HowTo's

2FA with SSH on Ubuntu | Google Authenticator

This article walks you through the process of enforcing 2FA on Ubuntu using the Google Authenticator.

All of these steps are completed on the system that you want 2FA to be enforced on.
Important notes:

* SSH key-based logins bypass the 2FA component of the login verification process.
* Users without the google-authenticator configured will not be able to login (except with a key).

Install the required packages:

sudo apt update
sudo apt upgrade
sudo apt install libpam-google-authenticator

Add a new line to the “/etc/pam.d/sshd” file:

sudo echo "auth required" >> /etc/pam.d/sshd

Edit the “/etc/ssh/sshd_config” file and replace this:

ChallengeResponseAuthentication no
with this:
ChallengeResponseAuthentication yes

Restart SSH:

sudo systemctl restart sshd.service

Complete the remainder as the user on the remote system that you want to login as.

Execute the following command:


This is where it gets very cool. My advice is to make your terminal window large. The above command will present a QR code in text form. It can be large.

Scan the QR code like you would with any such system, adding a new entry to your Google Authenticator app.

The following responses are sensible. The above command “google-authenticator” takes you through a wizard. I’ve answered as follows :

Do you want authentication tokens to be time-based (y/n) y
Do you want me to update your "/root/.google_authenticator" file? (y/n) y
your chances to notice or even prevent man-in-the-middle attacks (y/n) y
Do you want to do so? (y/n) n
Do you want to enable rate-limiting? (y/n) y

This article is largely based on the work at “”, “” and “”.

Similar Posts:

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.