Setup MFA For SSH On Ubuntu

Most often we log in to remote servers using SSH key-based authentication. But since we store important data on these systems, it is always recommended to add another layer of security.

That layer is MFA / 2FA authentication.

What Is MFA

MFA (Multi-Factor Authentication) is the process of confirming a user's identity using at least two different authentication methods.

The most common form of 2FA combines password-based or SSH key-based access with an OTP (one-time password) generated by a mobile application.

In this article, I will walk you through setting up multi-factor authentication for your servers and using Google Authenticator to generate the secret codes.

Prerequisites:

  • A running Ubuntu server with sudo access.
  • An authenticator application such as Google Authenticator or Authy installed on your mobile.

Installing Google PAM Module

In order to configure MFA, we need to install Google's PAM module on the Linux system.

PAM (Pluggable Authentication Module) is a shared library used to dynamically authenticate users to applications or services on Linux systems.

In other words, the Google PAM module is the component that verifies the OTP during authentication.

Log in to the server as a sudo user and run the commands below:

sudo apt-get update
sudo apt-get install libpam-google-authenticator

Once the package is installed, let's configure 2FA for the user.

Configuring 2FA For User

We now have the google-authenticator module installed on our system.

Next we have to generate secret keys for the users with the PAM module we just installed.

We can either generate a secret key for each user, or a common secret key shared within the team by all users of the Linux machine.

Run the command below as the user for whom you want to set up 2FA.

google-authenticator

When you run this command, it asks a series of questions to configure MFA on the system.

It first asks whether you want time-based authentication tokens. Type y and press Enter.

Do you want authentication tokens to be time-based (y/n) y

It now shows a QR code as well as the secret key.

You can add this to the Google Authenticator mobile app either by scanning the QR code or by entering the secret key manually.

You are also given 5 emergency scratch codes. If you lose your mobile, you can use one of these codes to gain access to the system; each code can be used only once.

Press y and Enter to update the google-authenticator file for the user; the codes are saved in the .google_authenticator file in that user's home directory.

Do you want me to update your "/root/.google_authenticator" file? (y/n) y

Next we force a code to expire once it has been used, to avoid replay attacks if someone obtains the code.

Do you want to disallow multiple uses of the same authentication
token? This restricts you to one login about every 30s, but it increases
your chances to notice or even prevent man-in-the-middle attacks (y/n) y

In the next step, answer no (n) to allow only 3 valid codes within a 1 minute 30 second window.

By default, a new token is generated every 30 seconds by the mobile app.
In order to compensate for possible time-skew between the client and the server,
we allow an extra token before and after the current time. This allows for a
time skew of up to 30 seconds between authentication server and client. If you
experience problems with poor time synchronization, you can increase the window
from its default size of 3 permitted codes (one previous code, the current
code, the next code) to 17 permitted codes (the 8 previous codes, the current
code, and the 8 next codes). This will permit for a time skew of up to 4 minutes
between client and server.
Do you want to do so? (y/n) n

Next, if you want to limit users to 3 login attempts every 30 seconds, type y.

If the computer that you are logging into isn't hardened against brute-force
login attempts, you can enable rate-limiting for the authentication module.
By default, this limits attackers to no more than 3 login attempts every 30s.
Do you want to enable rate-limiting? (y/n) y

The Google PAM module is now configured for the user.
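To make the choices above concrete, here is an added example (my own code, not the module's) of how a verifier like pam_google_authenticator checks a code: it parses a constructed per-user .google_authenticator file, computes the RFC 6238 TOTP the app displays, accepts the previous, current and next 30-second step (the default window of 3), refuses a step that has already been used (the replay protection chosen above) and burns an emergency scratch code after one use. The file content is constructed and its secret is the RFC 6238 test key; the rate limit is not modelled.

```python
import base64, hashlib, hmac, struct

# Constructed ~/.google_authenticator content (not a real secret): base32 secret,
# '" '-prefixed option lines, then one-time emergency scratch codes. The secret
# is the RFC 6238 test key so the codes can be checked against the RFC vectors.
SAMPLE_FILE = """GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ
" RATE_LIMIT 3 30
" WINDOW_SIZE 3
" DISALLOW_REUSE
" TOTP_AUTH
12345678
87654321
"""

def parse_file(text):
    lines = [ln for ln in text.splitlines() if ln.strip()]
    secret = base64.b32decode(lines[0])
    window = 3                                 # default: previous, current, next
    for ln in lines[1:]:
        if ln.startswith('" WINDOW_SIZE'):
            window = int(ln.split()[2])
    scratch = [ln for ln in lines[1:] if not ln.startswith('"')]
    return secret, window, scratch

def totp(secret, counter, digits=6):
    """RFC 6238 code for one 30-second step (HMAC-SHA1, 6 digits, as the app uses)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return "%0*d" % (digits, value % 10 ** digits)

class Verifier:
    def __init__(self, text):
        self.secret, self.window, self.scratch = parse_file(text)
        self.used = set()                      # DISALLOW_REUSE: each step once

    def verify(self, code, now):
        step = int(now // 30)
        half = self.window // 2                # window 3 -> steps step-1..step+1
        for c in range(step - half, step + half + 1):
            if c in self.used:
                continue
            if hmac.compare_digest(totp(self.secret, c), code):
                self.used.add(c)
                return True
        if code in self.scratch:               # emergency code: valid exactly once
            self.scratch.remove(code)
            return True
        return False
```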

Configuring SSH To Accept MFA

With the Google PAM module configured on the system, we now have to configure SSH to use it for authentication.

Open the /etc/pam.d/sshd file and add the configuration below to the end of the file:

auth required pam_google_authenticator.so

Now we have to configure the SSH daemon to accept the Google Authenticator challenge.

Open the /etc/ssh/sshd_config file and change the value of ChallengeResponseAuthentication from no to yes.

Save and close the file.

Restart the SSH daemon for the changes to take effect:

sudo systemctl restart sshd
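As an added example (not part of the original article), the two edits above done idempotently in Python: set exactly one global ChallengeResponseAuthentication yes in sshd_config, placed before any Match block because a directive that appears after Match applies only to that block, and append the PAM line only when no active copy exists. The function names are my own. Newer OpenSSH releases name the directive KbdInteractiveAuthentication and keep ChallengeResponseAuthentication as an alias; the same function works for either name.

```python
import re

PAM_LINE = "auth required pam_google_authenticator.so"

def set_sshd_option(text, key, value):
    """Return sshd_config text with exactly one active 'key value' in the
    global section. Old global settings (active or commented out) are
    dropped; lines under a 'Match' block are left alone, and the new line
    is placed before the first Match so it applies globally."""
    out, done = [], False
    in_match = False
    for line in text.splitlines():
        if re.match(r"^\s*Match\b", line, re.I):
            in_match = True
            if not done:
                out.append(f"{key} {value}")
                done = True
        if not in_match and re.match(rf"^\s*#?\s*{key}\b", line, re.I):
            continue                      # drop the old global setting
        out.append(line)
    if not done:
        out.append(f"{key} {value}")
    return "\n".join(out) + "\n"

def ensure_pam_line(text, line=PAM_LINE):
    """Append the Google Authenticator line to /etc/pam.d/sshd unless an
    active (uncommented) copy is already present."""
    for existing in text.splitlines():
        if existing.split() == line.split():
            return text if text.endswith("\n") else text + "\n"
    return text.rstrip("\n") + "\n" + line + "\n"
```

Write the results back as root and run sshd -t to validate sshd_config before restarting, since a broken config can lock you out of the server.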

Configuring The Authenticator App

For this we are going to install the Google Authenticator mobile application for Android from the Google Play Store.

Once the application is installed, tap the + icon in the bottom right.

It asks you to scan the barcode (the QR code from the previous step) or manually enter the secret key.

Once it is configured, you can see the 6-digit OTP generated for secure login.

Now when you log in to the server, you are asked to enter the verification code; get it from the Google Authenticator mobile app, where it changes every 30 seconds.

You are now authenticated successfully.

We have successfully configured MFA / 2FA to secure access to the server by adding a layer of security with the Google PAM module.

Hope you liked it. Thanks for reading this article.

Please do check out my other publications.