SSH is one of the most popular ways to control your Raspberry Pi from your laptop or PC. Here you’ll learn how to set up two-factor authentication for your SSH access to Raspberry Pi and add an extra layer of security to it.
Note: If you are using SSH key-file to access your Raspberry Pi, the two-factor authentication won’t be in use.
Update your Pi
Assuming you have already set up your Raspberry Pi with Raspberry Pi OS, it’s best to first check that all your software is up to date. Open a terminal and type the following command:
sudo apt update && sudo apt -y upgrade
Raspberry Pi OS has the SSH server disabled by default. Before you can connect to your Pi via SSH, you need to enable it by running the following Terminal commands:
sudo systemctl enable ssh sudo systemctl start ssh
You’ll can now connect to the SSH server.
Require identify authentication, with challenge-response
Ultimately, your Raspberry Pi needs to challenge you to authenticate your identity and then process your response, which means you need to enable challenge-response passwords.
To start, open the SSH config file for editing by running the following Terminal command:
sudo nano /etc/ssh/sshd_config
Within this file, find the
ChallengeResponseAuthentication section and change it from “no” to “yes.”
You can now save the updated “sshd_config” file by pressing Ctrl + O, followed by Ctrl + X.
Back in the Terminal, restart the SSH daemon with your new configuration:
sudo systemctl restart ssh
Since changes have been made to the SSH configuration, it’s a good idea to check that you can still connect to your Raspberry Pi over SSH.
To connect to the SSH server, you’ll need to know the IP address of your Raspberry Pi. If you don’t already have this information, then run the following command on your Pi:
This will return the IP address you need to use.
Switch over to your laptop or computer, launch a Terminal and then connect to your Raspberry Pi, being sure to replace “10.3.000.0” with your unique IP address:
You are now connected over SSH.
Setting Up Two-Factor Authentication
Next, download the Authenticator application for the generation of the one-time authentication code. There are various authentication apps on the market, but I’m using Google Authenticator for this tutorial, which is available for both iOS and Android.
Once you’ve downloaded this mobile application, you’ll also need to install the Google Authenticator PAM module on your Raspberry Pi.
On your Pi, open a Terminal window and run the following command:
sudo apt install libpam-google-authenticator
Once Google Authenticator is installed on both your Raspberry Pi and your mobile device, you’re ready to set up two-factor authentication.
Create a connection: linking your Pi to your mobile device
To create a link between your mobile application and your Raspberry Pi, generate a QR code on your Pi and then scan this code using your smartphone or tablet.
To generate the QR code, switch back to your Raspberry Pi and run the following Terminal command:
Your Raspberry Pi will ask whether its authentication tokens should be time-restricted. Since it’s more secure, you typically want to generate time-based authentication tokens unless you have a specific reason not to.
The Terminal will generate a QR code, although you may need to resize the Terminal in order to see the full barcode.
There is also a series of emergency codes. If you ever lose, misplace or break your mobile device, these codes will allow you to access your Raspberry Pi over SSH, even without your mobile device. Don’t risk getting locked out of your Raspberry Pi. Make a note of these codes and store them somewhere safe.
Use this QR code to connect your Raspberry Pi to the Google Authenticator app:
1. On your smartphone or tablet, launch the Google Authenticator app.
2. In the bottom-right corner, tap the “+” sign.
3. Select “Scan a QR barcode.” When prompted, grant the app permission to access your device’s camera.
4. Hold your device’s camera up to your monitor and position it over the QR code. As soon as your smartphone or tablet recognizes the QR code, it’ll create an account and start generating authentication codes automatically.
5. Switch back to your Raspberry Pi; the Terminal will prompt you to update your “google_authenticator” file. Press the Y key on your keyboard.
6. You’ll be asked whether you want to prevent multiple people from using the same authentication token. Press the Y key on your keyboard.
7. When asked whether you want to increase the time skew window, press N, as this will help protect you against brute-force attacks.
8. The Terminal will now ask you to enable rate-limiting, which will restrict you (and potential hackers!) to three login attempts every 30 seconds. Rate-limiting can help protect you against brute-force and other password-based attacks, so you should opt for “Yes” unless you have a specific reason not to.
Linux Pluggable Authentication Modules
Finally, you need to enable two-factor authentication to your Raspberry Pi using the Linux Pluggable Authentication Modules (PAM).
To start, open the “sshd” file in the Nano text editor:
sudo nano /etc/pam.d/sshd
Add the following line:
auth required pam_google_authenticator.so
However, where you add the following line matters:
1. After entering your password
If you want to be prompted for a one-time authentication code after entering your Raspberry Pi’s password, then add this line after
2. Before entering your password
If you want to be prompted for your one-time authentication code before entering your password, add this line before
Once you’ve made these changes, save your file by pressing Ctrl + O, followed by Ctrl + X.
Restart the SSH daemon:
sudo systemctl restart ssh
Now every time you try to connect over SSH, you’ll be asked for a one-time verification code.
Now that you have set up two-factor authentication on your Raspberry Pi, you can proceed to set up your personal web server or a music server. You can also further increase the security of your SSH with these tricks.
Our latest tutorials delivered straight to your inbox