Viewable by the world
- First generate a public key per these instructions.
- Install the Google Authenticator package and provision the user(s) with the token
- The configuration file will be slightly different for this setup
- Update PAM configuration: Edit the PAM configuration file for SSH /etc/pam.d/sshd
- Find the line that says @include common-account and comment it out by adding # to the beginning of that line
- and add the following (auth required pam_google_authenticator.so) to the file
#@include common-account auth required pam_google_authenticator.so
- Configure SSH: Edit the SSH configuration file /etc/ssh/sshd_config.
KbdInteractiveAuthentication yes PasswordAuthentication no AuthenticationMethods publickey,keyboard-interactive PubkeyAuthentication yes
With these steps, you should have Google Authenticator set up for SSH such that the server will first check for a valid Public Key and when successful will prompt for the 2FA token on login.
