HOWTO: Set up 2FA on SSH connections.



Original poster
Mar 10, 2019
This guide assumes that you already have public key pair authentication set up on your server. In short, this allows you to SSH into your server without using a password. If you do not have this prerequisite, please follow this guide by @MrDoob.

2FA authentication on your server might seem unnecessary, but it can be very important for maintaining the security of your server in case your computer, or any other device you own that holds your key pair, gets breached. Assuming you don't have a password on your key pair, this leaves your server exposed to the attacker, who now has the golden key to your server. With 2FA, this is not the case! In short, 2FA adds another layer of security to your Linux-based machine, forcing you to use a physical device to authenticate with your server.

To begin with, we will need a 2FA client on our mobile device. Personally, I use Google Authenticator, although there are many other applications, like Authy for example, which will suffice just fine. This tutorial will take place on an Ubuntu 16.04 LTS system, which is advisable for your PGBlitz install. As with the PGBlitz installer, I recommend that you use a sudo user, as this will ensure that permissions are set right for PGBlitz; this tutorial will be using a sudo user rather than the root user.

1. Installing updates and the libpam-google-authenticator package:

Before we install the package, it is crucial to update our system. This can be done with:

sudo apt-get update -y && sudo apt-get dist-upgrade -y

Now, to install the package we need to do the following command:

sudo apt-get install libpam-google-authenticator -y

That's it, seriously.
Hopefully you see something like this:


2. Generate our 2FA config

To do this, we can just run the following command on our system and answer the corresponding questions:

google-authenticator

It will prompt us with the following question: "Do you want authentication tokens to be time-based (y/n)". We need to press y as this will create the actual 2FA configuration for us to use.

Next, it will display our QR code, which we need to scan on our phone to get the OTP-based codes we will use for authentication. It will also produce a couple of emergency codes which we can use in case we lose our 2FA authorization methods. Keep these safe and out of anyone's hands.

The command will further prompt us with more options; the only one we must answer y to is "Do you want me to update your "/home/user/.google_authenticator" file (y/n)". The rest of the questions which get prompted are down to your choice on how you want it set up. The most important part is the two questions which I alluded to above.

3. Configuring it for authentication when logging in

We need to append the following line to /etc/pam.d/sshd

auth required pam_google_authenticator.so

Next, run the following:

sudo systemctl restart sshd.service

Finally, we need to change the following in /etc/ssh/sshd_config

ChallengeResponseAuthentication no to ChallengeResponseAuthentication yes

We also need to add this line to the bottom of our config file:

AuthenticationMethods publickey,password publickey,keyboard-interactive

That's it! Now just restart the SSH service and we are good to go!

sudo service ssh restart

4. (Extra) Securing our login

We should make sure that root user account login is disabled on our server. This can be done by changing the following setting in /etc/ssh/sshd_config

PermitRootLogin no

Furthermore, we should disable password login. This can be done in the same configuration file.

PasswordAuthentication no

Finally, we should change the port for our SSH connection. Once more, this can be done in the same configuration file. The port can range from 0 - 65535, although some ports (e.g. 1194 or 443) will be in use on your system, so make sure to change it to something that will NOT be in use.

For reference, if you are using the command line to SSH into your server rather than PuTTY, which has a GUI, use the -p parameter on your SSH command to connect with a custom port. (Example: [ssh [email protected] -p 29103], where 29103 is your port.)
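As an added check (example code, not part of the original guide), the script below reads constructed sample copies of sshd_config and /etc/pam.d/sshd the way sshd does (the first occurrence of a keyword wins, and anything under a Match header only applies conditionally) and reports whether the settings from steps 3 and 4 are actually in effect. It also checks UsePAM yes, which keyboard-interactive needs in order to reach the PAM module and which the guide relies on as the Ubuntu default; the sample files are constructed here, not taken from any real host.

```shell
#!/bin/sh
# Print the value sshd uses for a keyword: the FIRST match wins, and anything
# below a "Match" header is conditional, so the scan stops there.
effective_value() {  # $1 = config file, $2 = keyword (case-insensitive)
  awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
    /^[ \t]*#/ || /^[ \t]*$/ { next }
    tolower($1) == "match"   { exit }
    tolower($1) == key       { sub(/^[ \t]*[^ \t]+[ \t]+/, ""); print; exit }' "$1"
}

# Verify the end state of steps 3 and 4; prints one line per finding, returns 1 if any.
check_sshd_config() {  # $1 = sshd_config, $2 = /etc/pam.d/sshd
  rc=0
  for want in PermitRootLogin=no PasswordAuthentication=no \
              ChallengeResponseAuthentication=yes UsePAM=yes; do
    key=${want%=*}; got=$(effective_value "$1" "$key")
    [ "$got" = "${want#*=}" ] || { echo "FAIL: $key is '${got:-unset}', want ${want#*=}"; rc=1; }
  done
  methods=$(effective_value "$1" AuthenticationMethods)
  case " $methods " in
    *" publickey,keyboard-interactive "*) ;;
    *) echo "FAIL: AuthenticationMethods '${methods:-unset}' never reaches the OTP step"; rc=1 ;;
  esac
  for alt in $methods; do   # every alternative must still demand the key
    case $alt in publickey,*) ;; *) echo "FAIL: '$alt' does not require publickey"; rc=1 ;; esac
  done
  grep -Eq '^[[:space:]]*auth[[:space:]]+required[[:space:]]+pam_google_authenticator\.so' "$2" \
    || { echo "FAIL: pam_google_authenticator.so not required in $2"; rc=1; }
  return $rc
}

# Constructed samples (not copied from any real host) so the checks run offline.
TMP=$(mktemp -d)
printf 'auth required pam_google_authenticator.so\n@include common-auth\n' > "$TMP/pam.ok"
printf '@include common-auth\n' > "$TMP/pam.missing"
cat > "$TMP/sshd_config.hardened" <<'EOF'
PermitRootLogin no
PasswordAuthentication no
ChallengeResponseAuthentication yes
UsePAM yes
AuthenticationMethods publickey,password publickey,keyboard-interactive
EOF
# Same directives, but the "add it to the bottom" line landed under a Match block.
cat > "$TMP/sshd_config.misplaced" <<'EOF'
PermitRootLogin no
PasswordAuthentication no
ChallengeResponseAuthentication yes
UsePAM yes
Match User backup
    AuthenticationMethods publickey,password publickey,keyboard-interactive
EOF

check_sshd_config "$TMP/sshd_config.hardened" "$TMP/pam.ok" && echo "hardened: OK"
check_sshd_config "$TMP/sshd_config.misplaced" "$TMP/pam.ok" || echo "misplaced: has findings"
```

On a live server, sudo sshd -T prints the effective configuration and sudo sshd -t validates the file before you restart the service; test a new setting from a second SSH session while the current one stays open.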

That's all there is to it! Enjoy your newly secured server :)


Project Manager
Jan 17, 2018
This is an awesome guide! Great share!


Jan 10, 2019
Does this push to your device, like when logging into webmail?
I have DUO 2FA set up for this but might move to Google?


Original poster
Mar 10, 2019
Does this push to your device, like when logging into webmail?
I have DUO 2FA set up for this but might move to Google?
This is just for when logging into your Linux box. It can be extended to running anything under sudo, although I didn't include it in this tutorial. Thus it wouldn't be applicable for that use, afaik.
