Differences

This shows you the differences between two versions of the page.

--- setup_2fa_with_google_authenticator_for_ssh [06.08.2021 20:22] – Pascal Suter
+++ setup_2fa_with_google_authenticator_for_ssh [09.12.2025 16:47] (current) – [ssh key authentication] Pascal Suter
@@ Line 6: / Line 6: @@
 apt install libpam-google-authenticator
 echo "auth required pam_google_authenticator.so" >> /etc/pam.d/sshd
-sed -i 's/ChallengeResponseAuthentication no/ChallengeResponseAuthentication yes/' /etc/ssh/sshd_config
+echo "KbdInteractiveAuthentication yes" >> /etc/ssh/sshd_config.d/10-KbdInteractiveAuth.conf
 </code>
 now run this for each user to create the google authenticator key for each user:
@@ Line 24: / Line 24: @@
 now if you use ssh key authentication you won't be asked for your second factor anymore. if you don't like that, you can do the following to force a three factor authentication, where you need to have an authorized private key + password + google authenticator code:
-edit ''/etc/pam.d/sshd'' and change the google authenticator line from ''required'' to ''sufficient'':
+make sure these options are sett as follows in your ''/etc/ssh/sshd_conf'' file:
-  auth sufficient pam_google_authenticator.so
-now make sure these options are sett as follows in your ''/etc/ssh/sshd_conf'' file:
 <code>
-ChallengeResponseAuthentication yes
+KbdInteractiveAuthentication yes
 UsePAM yes
-AuthenticationMethods publickey,keyboard-interactive
+AuthenticationMethods publickey,password publickey,keyboard-interactive
 PasswordAuthentication no
 </code>