Secure SSH with Google Authenticator: Step-by-Step Two-Factor Setup
This tutorial explains how to protect SSH logins by installing Google Authenticator, generating a secret key, configuring PAM and sshd, and using an Android device to provide time‑based one‑time passwords, complete with installation commands, troubleshooting tips, and verification steps.
Recent password leaks have increased demand for multi‑factor authentication. Two‑factor authentication combines something the user knows (username/password) with something the user has (a one‑time password generated by a device).
Google Authenticator is an open‑source, cross‑platform application that generates time‑based one‑time passwords (TOTP) and provides a PAM module so it can be used with services such as OpenSSH.
Installing Google Authenticator on Linux
Install the Google Authenticator package and its PAM module for your distribution.
# Ubuntu/Debian/Linux Mint
sudo apt-get install libpam-google-authenticator
# Fedora or CentOS/RHEL
sudo yum install google-authenticator
On CentOS you may need to enable the EPEL repository before installing.
Building from source (optional)
If pre‑built packages are unavailable, compile the software yourself.
# Ubuntu/Debian/Linux Mint
sudo apt-get install wget make gcc libpam0g-dev
# Fedora or CentOS/RHEL
sudo yum install wget make gcc pam-devel
wget http://example.com/libpam-google-authenticator-1.0-source.tar.bz2
tar xvfj libpam-google-authenticator-1.0-source.tar.bz2
cd libpam-google-authenticator-1.0
make
After a successful build you will find pam_google_authenticator.so and the google-authenticator binary.
sudo make install
Troubleshooting
If you encounter fatal error: security/pam_appl.h: No such file or directory, install the development headers:
# Ubuntu/Debian/Linux Mint
sudo apt-get install libpam0g-dev
# Fedora or CentOS/RHEL
sudo yum install pam-devel
Generating a secret key
Run the authenticator on the Linux host to create a QR code and emergency scratch codes.
google-authenticator
Answer “yes” to the prompts and store the emergency codes safely.
Setting up the Android device
Install the Google Authenticator app from Google Play, open it, and choose either “Scan a barcode” to scan the QR code or “Enter provided key” to type the secret manually.
After successful registration the app displays a one‑time password that refreshes every 30 seconds.
Integrating Google Authenticator with OpenSSH
Edit the PAM configuration for SSH:
sudo vi /etc/pam.d/sshd
Add the following line:
auth required pam_google_authenticator.so
Enable ChallengeResponseAuthentication in sshd_config:
sudo vi /etc/ssh/sshd_config
Set the line:
ChallengeResponseAuthentication yes
Restart the SSH service:
# Ubuntu/Debian/Linux Mint
sudo service ssh restart
# Fedora or CentOS/RHEL 7
sudo systemctl restart sshd
# CentOS 6 / RHEL 6
sudo service sshd restart
Testing the two‑factor login
On the Android device, open Google Authenticator to obtain the current code (valid for 30 seconds), then SSH to the server:
ssh user@ssh_server
When prompted, enter the one‑time code, then your SSH password.
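A login test only shows that a prompt appears. The check below is an added example, not part of the original article or of the Google Authenticator project, that confirms the two settings from the OpenSSH integration step are active rather than commented out or overridden by an earlier line. The function names and the demo files are constructed for this example.

```sh
#!/bin/sh
# Added example (not from the original article): confirm that the PAM and
# sshd settings from this tutorial are active. Function names are hypothetical.

# True if an uncommented "auth required pam_google_authenticator.so" line exists.
pam_has_totp() {
    awk '$1 == "auth" && $2 == "required" &&
         $3 ~ "(^|/)pam_google_authenticator[.]so$" { found = 1 }
         END { exit !found }' "$1"
}

# Print the global value of an sshd_config keyword. Keywords are
# case-insensitive and the first occurrence wins; stop at the first Match block.
sshd_value() {
    awk -v key="$1" '
        tolower($1) == "match" { exit }
        tolower($1) == tolower(key) { print $2; exit }' "$2"
}

# Usage: check_ssh_2fa [pam_file] [sshd_config]; returns non-zero on any failure.
check_ssh_2fa() {
    pam_file=${1:-/etc/pam.d/sshd}
    sshd_file=${2:-/etc/ssh/sshd_config}
    rc=0
    if ! pam_has_totp "$pam_file"; then
        echo "FAIL: no active pam_google_authenticator.so line in $pam_file"
        rc=1
    fi
    if [ "$(sshd_value ChallengeResponseAuthentication "$sshd_file")" != "yes" ]; then
        echo "FAIL: ChallengeResponseAuthentication is not yes in $sshd_file"
        rc=1
    fi
    if [ "$rc" -eq 0 ]; then echo "OK: TOTP prompt is configured for SSH"; fi
    return "$rc"
}

# Constructed sample files (not from a real host): the PAM line is commented
# out, so the check reports a failure even though sshd_config looks right.
demo=$(mktemp -d)
printf '%s\n' '#auth required pam_google_authenticator.so' > "$demo/pam"
printf '%s\n' 'ChallengeResponseAuthentication yes' > "$demo/sshd_config"
check_ssh_2fa "$demo/pam" "$demo/sshd_config" || echo "demo: 2FA is not enforced"
rm -rf "$demo"
```

On the server, call check_ssh_2fa with no arguments after editing both files and before restarting the SSH service, and keep an existing session open until a fresh login succeeds.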
Two‑factor authentication adds an extra protection layer before the password, helping secure not only SSH but also other services such as Google accounts, WordPress, Dropbox, Outlook, etc.
MaGe Linux Operations
