This is an old revision of the document!
setup 2FA with google authenticator for SSH
setting up two factor authentication for ssh with google authenticator is actually very simple. here is how it can be done in just a few steps on ubuntu:
do this as root or use sudo
apt install libpam-google-authenticator echo "auth required pam_google_authenticator.so" >> /etc/pam.d/sshd sed -i 's/ChallengeResponseAuthentication no/ChallengeResponseAuthentication yes/' /etc/ssh/sshd_config
now run this for each user to create the google authenticator key for each user:
google-authenticator
you will be asked a couple of questions, answer them as you please, they are well explained.
the google-authenticator script will show a large QR code.. scan this code with the google authenticator app on your smartphone to set up your key.
now finally restart the sshd service as root
systemctl restart sshd
from now on you should be asked for your OTP once you have successfully entered your password. Note that this authentication is bypassed when using a private key authentication.
Users that haven't configured google authenticator yet won't be able to login anymore until they have done the google authenticator config.