Step-by-Step Guide to Enable 2FA on Linux with SSH Keys

Last updated: April 25th 2025

Introduction

Public/private key pairs are the most secure way to access your server over SSH from anywhere. We can make the process even more secure with 2FA. Setting up two-factor authentication (2FA) for SSH on your Linux system adds an extra layer of security by requiring both your SSH key and a time-based one-time password (TOTP). Here's how to set it up.

Prerequisites

Before you begin, make sure you have:

  1. Administrative (sudo) access to your Linux machine
  2. SSH key authentication already configured and working
  3. A smartphone with an authenticator app installed (Google Authenticator, Authy, FreeOTP, or 2FAS)
  4. For AlmaLinux/CentOS: the EPEL repository enabled

Install Google Authenticator

First, you need to install the Google Authenticator package on your server:

For Ubuntu/Debian:

$ sudo apt update
$ sudo apt install libpam-google-authenticator -y

For AlmaLinux/CentOS:

$ sudo dnf install epel-release -y
$ sudo dnf install google-authenticator -y

Generate Your 2FA Keys

1. Run the following command as the USER you want to enable 2FA for:

$ google-authenticator

2. Answer the questions that appear:
   - "Do you want authentication tokens to be time-based?" → Type `y`
   - You'll see a QR code and a secret key on your screen
   - Scan the QR code with your authenticator app (Google Authenticator, FreeOTP, 2FAS, etc.)
   - Write down the emergency scratch (backup) codes somewhere safe; each of them works only once
   - "Do you want to update your ~/.google_authenticator file?" → Type `y`
   - "Disallow multiple uses of the same token?" → Type `y`
   - "Increase time skew tolerance?" → Type `n`
   - "Enable rate limiting?" → Type `y`

Configure SSH to Use 2FA

1. Comment out the line that pulls the system password stack into the PAM SSH configuration file, so that the keyboard-interactive step asks only for the one-time code and not for the account password. On Ubuntu/Debian that line is `@include common-auth`:

$ sudo sed -i 's/^@include common-auth/#@include common-auth/' /etc/pam.d/sshd

On AlmaLinux/CentOS the equivalent line in /etc/pam.d/sshd is `auth substack password-auth`; comment that one out instead.

2. Add the Google Authenticator PAM module to the end of the file:

$ echo "auth required pam_google_authenticator.so" | sudo tee -a /etc/pam.d/sshd

Once this line is in place, every user who logs in over SSH must have run `google-authenticator`: an account without a ~/.google_authenticator file will be refused. If you need to roll 2FA out gradually, the module accepts a `nullok` option that skips users who have not set up a secret yet.

3. Configure the SSH daemon to enable PAM and keyboard-interactive authentication:

$ sudo sed -i 's/^#\?UsePAM.*/UsePAM yes/' /etc/ssh/sshd_config
$ sudo sed -i 's/^#\?KbdInteractiveAuthentication.*/KbdInteractiveAuthentication yes/' /etc/ssh/sshd_config

Note: For Ubuntu versions before 22.04, use this command instead:

$ sudo sed -i 's/^#\?ChallengeResponseAuthentication.*/ChallengeResponseAuthentication yes/' /etc/ssh/sshd_config

4. Configure SSH to require both the SSH key and 2FA:

$ echo "AuthenticationMethods publickey,keyboard-interactive" | sudo tee -a /etc/ssh/sshd_config

If your sshd_config ends with a `Match` block, put this line above that block instead of at the very end; a directive placed after `Match` applies only to the connections that block matches.
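The four configuration steps above, as an added example script (not from the original article or from Webdock): it applies the same PAM and sshd_config changes in one idempotent pass, so running it twice does not append duplicate `auth required` or `AuthenticationMethods` lines the way repeated `tee -a` would, it comments out either the Debian `@include common-auth` line or the AlmaLinux/CentOS `auth substack password-auth` line, and it inserts new directives above any `Match` block so they stay global. The functions take file paths, so you can exercise them on copies before touching the real files; the `--apply` flag and the function names are this script's own, and it assumes GNU sed and awk.

```shell
#!/bin/sh
# Added example, not from the original article: applies steps 1-4 in one
# idempotent pass. Each function takes the path of the file to edit, so you can
# try it on copies of /etc/pam.d/sshd and /etc/ssh/sshd_config first.
# Assumes GNU sed/awk (sed -i -E), as found on Ubuntu/Debian and AlmaLinux/CentOS.
set -eu

# Steps 1 + 2: disable the distribution's password stack so keyboard-interactive
# asks only for the TOTP code, then require pam_google_authenticator.so exactly
# once. Debian/Ubuntu pull the password stack in with "@include common-auth",
# AlmaLinux/CentOS with "auth substack password-auth"; both are handled.
configure_pam_sshd() {
  local file="$1"
  sed -i -E 's/^(@include[[:space:]]+common-auth|auth[[:space:]]+substack[[:space:]]+password-auth)/#\1/' "$file"
  grep -Eq '^auth[[:space:]]+required[[:space:]]+pam_google_authenticator\.so' "$file" \
    || printf 'auth required pam_google_authenticator.so\n' >> "$file"
}

# Set "key value" in an sshd_config: rewrite an existing line (even a commented
# one) in place; otherwise insert the directive above the first Match block,
# because anything appended after a Match block applies only to that block and
# would silently leave the global setting unchanged.
set_sshd_directive() {
  local file="$1" key="$2" value="$3"
  if grep -Eq "^[#[:space:]]*${key}[[:space:]]" "$file"; then
    sed -i -E "s/^[#[:space:]]*${key}[[:space:]].*/${key} ${value}/" "$file"
  elif grep -Eq '^[[:space:]]*Match[[:space:]]' "$file"; then
    awk -v line="${key} ${value}" \
      '!done && /^[ \t]*Match[ \t]/ { print line; done = 1 } { print }' \
      "$file" > "${file}.tmp" && mv "${file}.tmp" "$file"
  else
    printf '%s %s\n' "$key" "$value" >> "$file"
  fi
}

# Steps 3 + 4: enable PAM and keyboard-interactive, then require both factors.
configure_sshd_config() {
  local file="$1"
  set_sshd_directive "$file" UsePAM yes
  set_sshd_directive "$file" KbdInteractiveAuthentication yes
  # Older sshd (Ubuntu before 22.04) spells the option
  # ChallengeResponseAuthentication; update it too if the file still uses it.
  if grep -Eq '^[#[:space:]]*ChallengeResponseAuthentication[[:space:]]' "$file"; then
    set_sshd_directive "$file" ChallengeResponseAuthentication yes
  fi
  set_sshd_directive "$file" AuthenticationMethods publickey,keyboard-interactive
}

# Check that the three global settings this guide needs are present.
verify_sshd_config() {
  local file="$1"
  grep -Eq '^UsePAM yes$' "$file" &&
    grep -Eq '^KbdInteractiveAuthentication yes$' "$file" &&
    grep -Eq '^AuthenticationMethods publickey,keyboard-interactive$' "$file"
}

# "--apply" (a flag of this script, not of sshd) edits the real files; run it
# as root. Backups are kept and "sshd -t" syntax-checks the result before you
# restart the service.
if [ "${1:-}" = "--apply" ]; then
  cp -a /etc/pam.d/sshd /etc/pam.d/sshd.bak
  cp -a /etc/ssh/sshd_config /etc/ssh/sshd_config.bak
  configure_pam_sshd /etc/pam.d/sshd
  configure_sshd_config /etc/ssh/sshd_config
  verify_sshd_config /etc/ssh/sshd_config
  sshd -t && echo "sshd_config OK; now restart the ssh (or sshd) service"
fi
```

Run it without arguments to load the functions and try them on copies of the two files; `sh script.sh --apply` as root does the real edit. Keep an existing SSH session open while you do this, as the testing section below advises.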

Restart SSH Service

Check the configuration for syntax errors first, then restart the SSH service to apply the changes:

$ sudo sshd -t
$ sudo systemctl restart ssh

Replace "ssh" with "sshd" if the above fails; the service name differs between distributions (AlmaLinux/CentOS use "sshd").

Test Your 2FA Setup

1. Open a new terminal window (keep your current session open until the test succeeds, so you can still undo the changes if something is wrong)
2. Try to log in to your server:

$ ssh user@your_server_ip

3. You should be prompted for your SSH key passphrase (if you set one) and then for the verification code from your authenticator app.

Recovery Options

If you lose access to your authenticator app, you can:

1. Use one of your backup codes (the emergency scratch codes you saved earlier)
2. Contact Webdock Support for us to assist

Conclusion

That's it! Your SSH login is now protected with both your SSH key and a time-based one-time password.

Contact Webdock Support if you face issues and need assistance.

This article was written by Webdock Support Specialist Taufiq Zainal. Taufiq is passionate about Cloud Hosting and helping Webdock Customers succeed wherever he can.
