Setting Up Two-Factor Authentication on a Linux SSH Server

As cyber threats continue to evolve, securing your Linux SSH server with Two-Factor Authentication (2FA) is more important than ever. This guide walks through setting up 2FA with Google Authenticator, which adds a second factor to your server’s login process.

Understanding Two-Factor Authentication

Two-Factor Authentication (2FA) enhances security by requiring two forms of identification from the user: something they know (a password) and something they have (a mobile device app generating one-time codes). This method significantly reduces the risk of unauthorized access.

Prerequisites

Before starting, ensure you have:

  • A Linux server with SSH access.
  • Root or sudo privileges on the server.
  • A terminal/command line interface on your local machine for SSH access.

Step 1: Installing Google Authenticator

The Google Authenticator PAM module verifies the one-time codes generated by the app on your phone. Install it on your server with:

sudo apt-get update && sudo apt-get install libpam-google-authenticator

Step 2: Configuring SSH for 2FA

Modify the SSH configuration to incorporate 2FA:

sudo nano /etc/ssh/sshd_config

Ensure these lines are present and uncommented:

ChallengeResponseAuthentication yes
AuthenticationMethods publickey,password publickey,keyboard-interactive

Restart SSH to apply changes:

sudo systemctl restart sshd

Step 3: User Configuration

Each user must generate a 2FA secret key:

google-authenticator

Follow the prompts and securely store the provided emergency codes.

Step 4: Testing 2FA

Test the setup by SSH-ing into your server and completing the 2FA challenge.
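
Before testing, the settings from Steps 2 and 3 can be checked with a short script. This is an added example, not part of the original guide; the function names audit_2fa and sshd_value and the sample files are constructed for illustration. It also looks for pam_google_authenticator.so in the PAM service file, which the steps above do not cover, and it flags any AuthenticationMethods list that can complete without keyboard-interactive, because sshd accepts a login that satisfies any one list.

```shell
#!/bin/sh
# Added example: audit the settings this guide relies on. Input may be an
# sshd_config file or saved `sshd -T` output; Match and Include are not resolved.

# Print the value of keyword $2 (lowercase) in file $1; sshd uses the first occurrence.
sshd_value() {
    awk -v k="$2" '/^[ \t]*#/ { next }
        tolower($1) == k { $1 = ""; sub(/^ +/, ""); print; exit }' "$1"
}

# $1 = sshd config, $2 = PAM service file (normally /etc/pam.d/sshd).
# Prints one finding per line and returns 0 only when there are none.
audit_2fa() {
    nl='
'
    findings=""
    kbd=$(sshd_value "$1" kbdinteractiveauthentication)
    [ -n "$kbd" ] || kbd=$(sshd_value "$1" challengeresponseauthentication)
    [ "$kbd" = "yes" ] ||
        findings="${findings}keyboard-interactive authentication is not set to yes$nl"
    [ "$(sshd_value "$1" usepam)" = "yes" ] ||
        findings="${findings}UsePAM is not set to yes$nl"
    methods=$(sshd_value "$1" authenticationmethods)
    [ -n "$methods" ] || findings="${findings}AuthenticationMethods is not set$nl"
    # sshd grants access when every method in ANY one list succeeds.
    for list in $methods; do
        case ",$list," in
            *,keyboard-interactive,* | *,keyboard-interactive:*) ;;
            *) findings="${findings}method list '$list' completes without keyboard-interactive$nl" ;;
        esac
    done
    grep -Eq '^[[:space:]]*auth[[:space:]].*pam_google_authenticator\.so' "$2" ||
        findings="${findings}pam_google_authenticator.so is not in the PAM auth stack$nl"
    printf '%s' "$findings"
    [ -z "$findings" ]
}

# Constructed sample: the two lines from Step 2 and a PAM file without the module.
tmp=$(mktemp -d)
printf '%s\n' 'ChallengeResponseAuthentication yes' \
    'AuthenticationMethods publickey,password publickey,keyboard-interactive' > "$tmp/sshd_config"
printf '%s\n' '@include common-auth' > "$tmp/pam_sshd"
audit_2fa "$tmp/sshd_config" "$tmp/pam_sshd" || echo "review the findings before restarting sshd"
rm -rf "$tmp"
```

On a live server, run it against /etc/ssh/sshd_config and /etc/pam.d/sshd, and keep an existing SSH session open while restarting sshd so a bad edit does not lock you out.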

Enhancing Security Further

Consider the following additional steps to further secure your SSH server:

  • Disable root login over SSH.
  • Use SSH keys instead of passwords for authentication.
  • Change the default SSH port to reduce the risk of automated attacks.

Frequently Asked Questions (FAQs)

  • Can I use another app instead of Google Authenticator?
    Yes, any app supporting TOTP algorithms, like Authy or Microsoft Authenticator, can be used.
  • What if I lose my phone?
    Use one of the emergency scratch codes you saved during the initial setup. It’s crucial to store these in a secure place.
  • Can 2FA be bypassed?
    While 2FA significantly increases security, no system is entirely foolproof. Always use strong, unique passwords and keep software up to date.
  • More resources?
    For more information, visit the OpenSSH official site (https://www.openssh.com/) or the Ubuntu Security documentation (https://ubuntu.com/security).

Troubleshooting

If you encounter issues, check that the system time is synchronized, that the configuration file edits are correct, and that the SSH service was restarted after the changes.

Conclusion

Implementing Two-Factor Authentication on your Linux SSH server is a significant step towards securing your system against unauthorized access. By following this guide, you’ve added an essential layer of security that complements traditional password-based authentication.

Security is an ongoing process. Regularly review your security posture, update your systems, and stay informed on the latest security practices to protect your server effectively.