Setup 2FA (Google authenticator) on Ubuntu SSH:

Note: even though on the server side what we installed is referred to as google authenticator.
Any other client app on you're smartphone that can scan the qr code and have a six digit output can work.
I tested with Internet Initiative Japan (IIJ) "Smart Key" app and it works for example.
  1. Install google authenticator server on Ubuntu by:
    sudo apt install libpam-google-authenticator
  2. Edit the /etc/pam.d/sshd config file and add this line:
    auth required pam_google_authenticator.so
    Save and close

  3. Edit the /etc/ssh/sshd_config file and add this line:
    #ChallengeResponceAuthentication no
    Change it to:
    ChallengeResponceAuthentication yes

  4. Restart ssh service:
    sudo systemctl restart ssh

  5. On you're users SSH session, run:
    google-authenticator
    Then follow the prompts as directed.
    You may have to make the ssh font smaller to have the qr code fit on your screen.

  6. Once set up restart ssh service gain and you should be able to log off then log back in and it will ask for you're 2FA code after the password or key file.
Date: March 23rd 2025 (as Durham College Cybersecurity INFT 1103 Lab 5)

Back