How to Enable Two-Factor Authentication for SSH Connection

By itself, SSH is already a secured way of connecting to a remote machine, but if you are still keen to add additional security to your SSH connection, you can add a two-factor authentication so you will be prompted to enter a random verification code when you connect via SSH. We have shown you how to do so in WordPress, LastPass, Facebook, Dropbox and Google. Here, we will show you how to add two-factor authentication to your SSH connection.

Note: This instruction here is based on Ubuntu server. If you are using another distro, some of the commands might vary.

On the machine that you want to install the two factor authentication, open a terminal session (if you have already logged into the remote machine, you are already in a terminal session). Type the following:

To complete the installation, run:

You will be prompted with a series of question. In most situation, you can type “y” (yes) as the answer. Anytime you have got the settings wrong, you can type google-authenticator again to reset the settings.

  • Do you want authentication tokens to be time-based (y/n)

After this question, you should see your secret key and emergency code. Record and save the detail. You will need the secret key to setup the Google Authenticator app later.


  • Do you want me to update your “/home/username/.google_authenticator” file (y/n)
  • Do you want to disallow multiple uses of the same authentication token? This restricts you to one login about every 30s, but it increases your chance to notice or even prevent man-in-the-middle attacks (y/n)
  • By default, tokens are good for 30 seconds and in order to compensate for possible time-skew between the client and the server, we allow an extra token before and after the current time. If you experience problems with poor time synchronization, you can increase the window from its default size of 1:30min to about 4min. Do you want to do so (y/n)
  • If the computer that you are logging into isn’t hardened against brute-force login attempts, you can enable rate-limiting for the authentication module. By default, this limits attackers to no more than 3 login attempts every 30s. Do you want to enable rate-limiting (y/n)

Configuring your SSH to use the Google Authenticator module

Open the pam.d/sshd file:

Add this line to the top of the file:

Save (Ctrl + o) and exit (Ctrl + x) the file.

Next, open the sshd_config file

Scroll down the list till you find the line:

Change it to “yes”, so it becomes:

Save and exit the file.

Lastly, restart the ssh server:

Setting up new account in your Google Authenticator app

1. Open the Google Authenticator app in your smartphone. Press Menu and select “setup an account”.


2. Press “Enter key provided”.


3. Give your account a name and enter the secret key generated earlier.


Now when you connect via SSH to your remote computer, you will see the request for the verification key.


Note: The two-factor authentication only works for password-based login. If you are already using a public/private key for your SSH session, it will bypass the two-factor authentication and log you in directly.

Damien Damien

Damien Oh started writing tech articles since 2007 and has over 10 years of experience in the tech industry. He is proficient in Windows, Linux, Mac, Android and iOS, and worked as a part time WordPress Developer. He is currently the owner and Editor-in-Chief of Make Tech Easier.


  1. I’ve done this exact thing in the past. However, I’m wondering if it’s possible to use two factor auth when I log in graphically? That would be pretty great.

    (PS: I would have used the “connect with” option in leaving this comment but you wanted access to my Google contacts.)

    1. Which graphical SSH client are you using? I don’t think it will work unless the client supports it natively.

      Note: Google contacts is included by default. If we can remove it, we will definitely do it.

Comments are closed.