How to Setup Two-Factor Authentication (Google Authenticator) for SSH Logins


Ravi Saive


17 Responses

  1. Ken says:

    Hey Ravi, good guide, however I am having an issue with root account…I set this up to run on root and normal user, it runs OK with normal user, but not with root…I get the ‘validation code’ response for regular user, but only PW prompt for root, which it will not accept, even though root is allowed for ssh….wondering if you have any ideas on how to get this to work as root?

    Thanks
    Ken C.

  2. Andrew says:

    Hey, just checking in before I start implementing this in my environment – will this work in conjunction with SSH-key authentication, or do I have to be using password-based authentication to take advantage of 2FA?

  3. Alex says:

    Great guide, thanks!

    Do you know how to get this working with Shell-In-A-Box? It currently just prompts for a password as normal. Or do you know of an alternative to shell-in-a-box that can be used and works well with GA?

  4. Tom Woody says:

    Getting Google Authenticator configured was easy enough, but is it possible to have a verification request presented on every login attempt (valid user or not)? If I try to log in with my own account, I get presented with the verification code prompt, works great. But if I try to log in with a random account, say ‘johndoe’, that isn’t on my server, it doesn’t prompt for verification. By this it’s possible to identify valid accounts on a machine by which ones prompt for verification. Am I missing something?

    • Richard Whitcombe says:

      If you put the:

      auth required pam_google_authenticator.so nullok

      line AFTER the:

      @include common-auth

      in the pam.d config file then it’ll first ask for a password and ONLY if the password is correct will it then prompt for a verification code. If the user doesn’t exist or the password is incorrect it’ll perform the standard behaviour of keeping asking for a password so no valid username details can be derived.

      All this change does is tell it to ask after the password is authenticated rather than before.

      That should solve the problem.
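
An audit check for the ordering Richard Whitcombe describes, added here as an example (it is not part of the article or of any comment). The function name `totp_order` and the sample file names are hypothetical; the `password-auth` pattern is an assumption covering Red Hat style stacks, which the thread does not mention.

```shell
#!/bin/sh
# Added example, not from the article or the comments.
# Report where pam_google_authenticator.so sits relative to the password
# stack in a pam.d/sshd-style file, because the order decides whether the
# verification prompt is shown before the password has been checked.
# Prints: after-password | before-password | no-totp | no-password-stack

totp_order() {
    awk '
        /^[ \t]*#/ { next }                                   # skip comments
        # Debian/Ubuntu password stack, as quoted in the thread
        /^[ \t]*@include[ \t]+common-auth/ { if (!pw) pw = NR }
        # Assumption: Red Hat style equivalent (include/substack password-auth)
        /^[ \t]*auth[ \t]+(include|substack)[ \t]+password-auth/ { if (!pw) pw = NR }
        /^[ \t]*auth[ \t].*pam_google_authenticator\.so/ { if (!totp) totp = NR }
        END {
            if (!totp)          print "no-totp"
            else if (!pw)       print "no-password-stack"
            else if (totp > pw) print "after-password"
            else                print "before-password"
        }
    ' "$1"
}

# Constructed sample files holding the two orderings discussed above.
write_samples() {
    printf '%s\n' 'auth required pam_google_authenticator.so nullok' \
                  '@include common-auth' > "$1/sshd.code-first"
    printf '%s\n' '@include common-auth' \
                  'auth required pam_google_authenticator.so nullok' > "$1/sshd.password-first"
}
```

Run `totp_order /etc/pam.d/sshd` on the server; `before-password` is the layout in which the presence of a verification prompt can reveal which accounts exist.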

  5. Ken says:

    This doesn’t really live up to two-factor. Since the Google factor can be produced with something I know (the secret key and the Account or just the QR code) and a commodity something I have or using GAuth, this seems to be just a second something I know factor. Two-factor usually means two different kinds of factors.

  6. Fabian Santiago says:

    Nope, doesn’t work for me either and I did follow all steps correctly. It just keeps asking for the password and then fails on it. Never asks for verification code……

  7. Greg says:

    Nice one

  8. kash says:

    I am trying to login with root user and I am getting access denied when I try to give the code that is given on my mobile and also it is not prompting for verification code

    Followed all the steps mentioned above.

    Don’t understand where I am going wrong. Please help.

    • Ravi Saive says:

      Did you correctly add your secret key on the phone? Or try running the “google-authenticator” command again and follow the steps thereon. Make sure you add the correct secret key to get this to work.

      • Trent says:

        Add another one here for “this NOT working.”

        It keeps asking for verification code and password over and over.

        I feel a new fail blog post coming on.

      • Trent says:

        And this is why it is failing. In the sshd log there is:

        “Auth sshd(pam_google_authenticator)[11838]Failed to read /root/.google_authenticator”

        The file is there and I even made it readable globally with chmod 777

        • Ravi Saive says:

          If SELinux is enabled on your system, then you need to use the proper configuration. The default SELinux rule doesn’t allow the SSH daemon to write or update the google_authenticator file. Run the following command to fix it.

          # chcon -t ssh_home_t -R /root/.google_authenticator
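
A pre-flight check for the "Failed to read /root/.google_authenticator" case in this thread, added here as an example (it is not part of the article or of any comment). The function names are hypothetical, and the accepted modes rest on the assumption that the PAM module refuses a secret file that anyone other than its owner can access.

```shell
#!/bin/sh
# Added example, not from the article or the comments.
# Check a google-authenticator secret file before blaming sshd.
# Assumption: the PAM module refuses a secret file that anyone other than
# its owner can access, so only modes 400 and 600 are accepted here.
# Usage: check_secret_file /root/.google_authenticator 0   (0 = root's uid)

check_secret_file() {
    f=$1
    want_uid=$2
    [ -f "$f" ] || { echo "missing"; return 1; }
    uid=$(stat -c %u "$f")
    [ "$uid" = "$want_uid" ] || { echo "wrong-owner:$uid"; return 1; }
    mode=$(stat -c %a "$f")
    case $mode in
        400|600) ;;
        *) echo "bad-mode:$mode"; return 1 ;;
    esac
    echo "ok"
}

# Print the file's SELinux label, or "none" where labels are not available.
# On an enforcing host, compare it with the ssh_home_t type used in the
# chcon command above.
selinux_label() {
    ctx=$(stat -c %C "$1" 2>/dev/null) || ctx="none"
    echo "${ctx:-none}"
}
```
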
          
  9. Stuart says:

    This looks very promising as it uses the authentication in addition instead of replacing the password. Would love to hear anybody’s suggested security implications.
