Add SSH 2FA
Set up SSH 2FA with Google Authenticator
This article covers installing Google Authenticator on an Ubuntu server to enable 2FA for SSH logins.
Note: It's recommended that you try setting up 2FA on a test server first, so you are not locked out of your server in case something goes wrong. It's also important to fully test the authentication before going live since a misconfiguration could leave your server less secure.
Install Google Authenticator
Run the google-authenticator command and follow the on-screen prompts
First, it will ask you about time-based tokens. Say y to this question:
You will now see a big QR code on your screen; scan it with your Google Authenticator app to add it. You will also see your secret and a few backup codes looking like this:
Record the emergency scratch codes somewhere safe in case you need to log into the machine but don't have your 2FA app handy. Without the app, you will no longer be able to SSH into the machine!
Finally, it will ask you for some more parameters; the recommended defaults are as follows:
Configure OpenSSH
Add to the bottom of the PAM sshd file
Update SSH
Make sure to have these settings enabled
Add to the bottom of the sshd_config file
Restart SSH service
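A consistency check for the two files edited above, as an added example that is not part of the original article: it parses sshd_config and the PAM sshd file and lists settings that would let a login complete without the verification code. The directive values in the sample input (UsePAM, KbdInteractiveAuthentication, the pam_google_authenticator.so line and its nullok option) are assumptions about a typical setup, not values from this article.

```python
import re
# Constructed sample inputs (assumed directive values, not taken from the page).
SSHD_CONFIG = "UsePAM yes\nKbdInteractiveAuthentication yes\nAuthenticationMethods publickey,keyboard-interactive\n"
PAM_SSHD = "#@include common-auth\nauth required pam_google_authenticator.so\n"

def sshd_options(text):
    """Global sshd options; sshd keeps the first value it sees for each keyword."""
    opts = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.lower().startswith("match"):
            break  # Match blocks (conditional overrides) are not resolved here
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)
        key = parts[0].lower().replace("challengeresponse", "kbdinteractive")  # deprecated alias
        opts.setdefault(key, parts[1].strip() if len(parts) > 1 else "")
    return opts

def pam_totp_lines(text):
    """(control, args) of each active auth line loading pam_google_authenticator.so."""
    found = []
    for line in text.splitlines():
        f = line.split("#", 1)[0].split()
        idx = next((i for i, x in enumerate(f) if x.endswith("pam_google_authenticator.so")), 0)
        if idx >= 2 and f[0] == "auth":
            found.append((" ".join(f[1:idx]), f[idx + 1:]))
    return found

def audit(sshd_text, pam_text):
    """Findings that weaken or break the second factor; an empty list means none."""
    opts, totp, out = sshd_options(sshd_text), pam_totp_lines(pam_text), []
    if opts.get("usepam", "no").lower() != "yes":
        out.append("UsePAM is not yes, so the PAM module is never consulted")
    if opts.get("kbdinteractiveauthentication", "yes").lower() != "yes":
        out.append("keyboard-interactive is disabled, so no code prompt is offered")
    for alt in opts.get("authenticationmethods", "any").split():
        if "keyboard-interactive" not in [m.split(":")[0] for m in alt.lower().split(",")]:
            out.append(f"method list '{alt}' completes a login without a code prompt")
    if not totp:
        out.append("no active pam_google_authenticator.so auth line")
    for control, args in totp:
        if "nullok" in args:
            out.append("nullok lets accounts without a secret skip the code")
        if control in ("optional", "sufficient"):
            out.append(f"control '{control}' does not make a wrong code fatal")
    return out

if __name__ == "__main__":
    print(audit(SSHD_CONFIG, PAM_SSHD) or "no findings")
```

Passing the output of sshd -T instead of the raw file also accounts for Include files and compiled-in defaults. Keep an existing SSH session open while testing so a finding can be fixed without being locked out.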
Disable Google Authenticator
These steps are not meant to be executed during server setup. These are meant as instructions in the event that you want to disable the Google Authenticator.
Comment out these lines so they look like this
Update SSH
Change AuthenticationMethods to only allow publickey
Restart SSH service