SSH with Public Key and 2FA authentication

First generate a public key per the instructions above.
Install the Google Authenticator package and provision the user(s) with the token
The configuration file will be slightly different for this setup

Update PAM configuration: Edit the PAM configuration file for SSH /etc/pam.d/sshd
- Find the line that says @include common-account and comment it out by adding # to the beginning of that line
- and add the following (auth required pam_google_authenticator.so) to the file

#@include common-account
auth   required   pam_google_authenticator.so

Configure SSH: Edit the SSH configuration file /etc/ssh/sshd_config.

KbdInteractiveAuthentication yes
PasswordAuthentication no
AuthenticationMethods publickey,keyboard-interactive
PubkeyAuthentication yes

With these steps, you should have Google Authenticator set up for SSH such that the server will first check for a valid Public Key and when successful will prompt for the 2FA token on login.

Space shortcuts

SSH with Public Key and 2FA authentication