Add 2FA to SSH on Ubuntu 18.04

Accessing a Linux PC via SSH is a very common practice, but I decided to spice things up by adding Two-Factor Authentication (2FA) to the login process by using Pluggable Authentication Modules (PAM). PAM is interesting in that it opens up the possibility of getting creative about how to authenticate a user, but I had Time-based One-time Password (TOTP) in mind, which is something I started using for my Google account.

This was a pretty quick process; simply install the package:

$ sudo apt install libpam-google-authenticator

and then run the following command;

$ google-authenticator

This will fire off a tutorial; I just said yes to all the questions. An interesting feature is that this command-line process renders an ASCII QR code that you can scan with Google Authenticator! Pretty cool!

On my system, in order to enable PAM for SSH, I had to make the following modifications;



uncomment/set the following lines;

ChallengeResponseAuthentication yes
UsePAM yes
X11Forwarding yes
PrintMotd yes

and also in


append the following line;

auth required

(I also had to ensure that @include common-auth was not commented!)


and then finally restart sshd with;

sudo systemctl restart sshd.service

And this was all that was needed to add 2FA to my login process;

$ ssh
Verification code:

If anything is wrong, run


auth required debug

in the /etc/pam.d/sshd file and then run;

$ tail -F /var/log/auth.log

This will give you some precious output on login attempts.
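A complementary check, added here as an example and not part of the original post: the script below reports the effective global value of the two sshd keywords set above, and whether the @include common-auth line is active in a PAM file. File paths are passed as arguments; the function names and the sample configuration are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post).
# sshd uses the FIRST value it obtains for a keyword, keywords are
# case-insensitive, and lines after a "Match" line apply only conditionally.

sshd_value() {  # usage: sshd_value FILE KEYWORD -> prints global value, if any
    awk -v want="$2" '
        BEGIN { want = tolower(want) }
        /^[ \t]*#/ || /^[ \t]*$/ { next }            # comments, blank lines
        /^[ \t]*[A-Za-z0-9]+[ \t]*=/ { sub(/[ \t]*=[ \t]*/, " ") }  # Key=value
        tolower($1) == "match" { exit }              # global section ends
        tolower($1) == want { print $2; exit }       # first occurrence wins
    ' "$1"
}

check_2fa_sshd() {  # usage: check_2fa_sshd FILE -> returns 0 if both are "yes"
    rc=0
    for kw in ChallengeResponseAuthentication UsePAM; do
        val=$(sshd_value "$1" "$kw")
        if [ "$val" = "yes" ]; then
            echo "ok:   $kw yes"
        else
            echo "FAIL: $kw is '${val:-unset}', expected yes"
            rc=1
        fi
    done
    return $rc
}

pam_includes_common_auth() {  # usage: pam_includes_common_auth FILE
    grep -Eq '^[[:space:]]*@include[[:space:]]+common-auth([[:space:]]|$)' "$1"
}

# Constructed sample: the later "yes" does not override the earlier "no".
sample=$(mktemp)
printf '%s\n' '#UsePAM yes' 'ChallengeResponseAuthentication no' \
    'UsePAM yes' 'ChallengeResponseAuthentication yes' > "$sample"
check_2fa_sshd "$sample" || echo "settings from the post are not in effect"
rm -f "$sample"
```

On a real host, pass the sshd configuration file and /etc/pam.d/sshd as the FILE arguments before restarting sshd, and keep an existing session open while testing.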
