Viewable by the world


  • Update PAM configuration: Edit the PAM configuration file for SSH /etc/pam.d/sshd
    • Find the line that says @include common-account and comment it out by adding # to the beginning of that line
    • and add the following (auth   required   pam_google_authenticator.so) to the file


#@include common-account
auth   required   pam_google_authenticator.so


  • Configure SSH: Edit the SSH configuration file /etc/ssh/sshd_config.


KbdInteractiveAuthentication yes
PasswordAuthentication no
AuthenticationMethods publickey,keyboard-interactive
PubkeyAuthentication yes


With these steps, you should have Google Authenticator set up for SSH such that the server will first check for a valid Public Key and when successful will prompt for the 2FA token on login.

  • No labels