How to Enable Two-Factor Authentication for SSH Connection

By itself, SSH is already a secure way of connecting to a remote machine, but if you want to add another layer of security to your SSH connection, you can add two-factor authentication, so that you are prompted to enter a random verification code when you connect via SSH. We have shown you how to do so in WordPress, LastPass, Facebook, Dropbox and Google. Here, we will show you how to add two-factor authentication to your SSH connection.

Note: These instructions are based on Ubuntu server. If you are using another distro, some of the commands might vary.

On the machine where you want to install two-factor authentication, open a terminal session (if you have already logged into the remote machine, you are already in a terminal session). Type the following:

sudo apt-get install libpam-google-authenticator

To complete the installation, run:

google-authenticator

You will be prompted with a series of questions. In most situations, you can type “y” (yes) as the answer. If you get any of the settings wrong, you can run google-authenticator again to reset them.

  • Do you want authentication tokens to be time-based (y/n)

After this question, you should see your secret key and emergency code. Record these details and keep them somewhere safe. You will need the secret key to set up the Google Authenticator app later.


  • Do you want me to update your “/home/username/.google_authenticator” file (y/n)
  • Do you want to disallow multiple uses of the same authentication token? This restricts you to one login about every 30s, but it increases your chance to notice or even prevent man-in-the-middle attacks (y/n)
  • By default, tokens are good for 30 seconds and in order to compensate for possible time-skew between the client and the server, we allow an extra token before and after the current time. If you experience problems with poor time synchronization, you can increase the window from its default size of 1:30min to about 4min. Do you want to do so (y/n)
  • If the computer that you are logging into isn’t hardened against brute-force login attempts, you can enable rate-limiting for the authentication module. By default, this limits attackers to no more than 3 login attempts every 30s. Do you want to enable rate-limiting (y/n)

Configuring your SSH to use the Google Authenticator module

Open the pam.d/sshd file:

sudo nano /etc/pam.d/sshd

Add this line to the top of the file:

auth       required     pam_google_authenticator.so

Save (Ctrl + o) and exit (Ctrl + x) the file.

Next, open the sshd_config file:

sudo nano /etc/ssh/sshd_config

Scroll down the list till you find the line:

ChallengeResponseAuthentication no

Change it to “yes”, so it becomes:

ChallengeResponseAuthentication yes

Save and exit the file.

Lastly, restart the ssh server:

sudo service ssh restart
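
A check for the two edits above, written as an added example (it is not part of the original tutorial or of the Google Authenticator project). The function names and the sample files are constructed for illustration; pam_google_authenticator.so is the module installed by the libpam-google-authenticator package, and KbdInteractiveAuthentication is the name newer OpenSSH releases use for ChallengeResponseAuthentication.

```shell
#!/bin/sh
# Audit the two files edited in this tutorial. File paths are arguments so the
# check can be run on copies as well as on the live files.

# Succeeds if the first active (non-blank, non-comment) line of the PAM file
# loads pam_google_authenticator.so as "auth required".
pam_line_ok() {
    grep -Ev '^[[:space:]]*(#|$)' "$1" | head -n 1 |
        grep -Eq '^[[:space:]]*auth[[:space:]]+required[[:space:]]+pam_google_authenticator\.so([[:space:]]|$)'
}

# Succeeds if challenge-response authentication is set to "yes". sshd keeps the
# first value it reads for a keyword, so only the first active line counts.
challenge_response_on() {
    val=$(awk 'tolower($1) ~ /^(challengeresponse|kbdinteractive)authentication$/ {
                   print tolower($2); exit }' "$1")
    [ "$val" = "yes" ]
}

# Prints one line per check; returns non-zero if any check fails.
audit_ssh_2fa() {
    rc=0
    if pam_line_ok "$1"; then echo "OK   $1: module is the first active line"
    else echo "FAIL $1: pam_google_authenticator.so is not the first active line"; rc=1; fi
    if challenge_response_on "$2"; then echo "OK   $2: challenge-response enabled"
    else echo "FAIL $2: challenge-response authentication is not set to yes"; rc=1; fi
    return "$rc"
}

# Constructed sample files (not taken from a real server).
demo=$(mktemp -d)
printf '%s\n' '# PAM configuration for sshd' \
    'auth       required     pam_google_authenticator.so' \
    '@include common-auth' > "$demo/pam_good"
printf '%s\n' '@include common-auth' \
    'auth       required     pam_google_authenticator.so' > "$demo/pam_late"
printf '%s\n' '#ChallengeResponseAuthentication no' \
    'ChallengeResponseAuthentication yes' > "$demo/sshd_good"
# A leftover "no" above the new "yes" line wins, because the first value is kept.
printf '%s\n' 'ChallengeResponseAuthentication no' \
    'ChallengeResponseAuthentication yes' > "$demo/sshd_shadowed"

audit_ssh_2fa "$demo/pam_good" "$demo/sshd_good"
audit_ssh_2fa "$demo/pam_late" "$demo/sshd_shadowed" || echo "second pair rejected"
```

On a real server, call audit_ssh_2fa /etc/pam.d/sshd /etc/ssh/sshd_config, and keep an existing SSH session open until a new login has been tested.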

Setting up a new account in your Google Authenticator app

1. Open the Google Authenticator app on your smartphone. Press Menu and select “setup an account”.


2. Press “Enter key provided”.


3. Give your account a name and enter the secret key generated earlier.


Now when you connect via SSH to your remote computer, you will see the request for the verification key.


Note: Two-factor authentication as configured here only works for password-based logins. If you are already using a public/private key for your SSH session, the key login will bypass the two-factor authentication and log you in directly.
