Preparation
- Debian-based system
- Two connected SSH sessions to the same machine, so that a failed configuration does not lock you out
  **This machine should have a configured publickey auth method.**
- A phone with a 2FA app installed (Authy recommended)
- A safe place to save recovery code
Usage
Installation
```
sudo apt-get update -y
sudo apt-get install libpam-google-authenticator -y
google-authenticator
```
Configuration of Authenticator
Follow the on-screen prompts and save your recovery key.
Normally it should be: “Y” -> Save your Recovery key -> “Y” -> “N” -> “Y”
This configuration is highly recommended.
Configuration of PAM and SSH
Edit /etc/pam.d/sshd to enable Google 2FA in PAM.
```
# (At the top of the file)
# Standard Un*x authentication.
# Comment out the next line:
#@include common-auth
......
# (At the bottom of the file)
# Standard Un*x password updating.
@include common-password
# Add this line here. Note: nullok lets accounts that have not run
# google-authenticator log in without a code.
auth required pam_google_authenticator.so nullok
```
Then edit /etc/ssh/sshd_config to enforce 2FA.
```
......
# Change to yes to enable challenge-response passwords (beware issues with
# some PAM modules and threads)
# Change this from no to yes:
ChallengeResponseAuthentication yes
......
# Ensure this is "yes":
UsePAM yes
# Add this line:
AuthenticationMethods publickey,keyboard-interactive
......
```
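Before reconnecting, the two edited files can be checked against the settings described above. The script below is an added example, not part of the original post; the function names `sshd_value` and `check_ssh_2fa` and the sample files are constructed for illustration.

```sh
#!/bin/sh
# Added example: audit copies of the two files edited above.

# Print the value of an sshd_config keyword (sshd uses the first occurrence).
sshd_value() {  # $1 = file, $2 = keyword
    awk -v k="$2" 'tolower($1) == tolower(k) { $1 = ""; sub(/^ +/, ""); print; exit }' "$1"
}

# $1 = sshd_config path, $2 = pam.d/sshd path; exit status = number of failures.
check_ssh_2fa() {
    cfg=${1:-/etc/ssh/sshd_config}; pam=${2:-/etc/pam.d/sshd}; bad=0
    fail() { echo "FAIL: $1"; bad=$((bad + 1)); }

    [ "$(sshd_value "$cfg" UsePAM)" = yes ] || fail "UsePAM is not yes"

    # Newer OpenSSH releases name this option KbdInteractiveAuthentication.
    kbd=$(sshd_value "$cfg" ChallengeResponseAuthentication)
    [ -n "$kbd" ] || kbd=$(sshd_value "$cfg" KbdInteractiveAuthentication)
    [ "$kbd" = yes ] || fail "keyboard-interactive (challenge-response) is not enabled"

    [ "$(sshd_value "$cfg" AuthenticationMethods)" = "publickey,keyboard-interactive" ] ||
        fail "AuthenticationMethods does not require key plus code"

    # The TOTP module must be an active (uncommented) auth line.
    grep -Eq '^[[:space:]]*auth[[:space:]]+required[[:space:]]+pam_google_authenticator\.so' "$pam" ||
        fail "pam_google_authenticator.so is not enabled"

    # An active common-auth include would still ask for the Unix password.
    if grep -Eq '^[[:space:]]*@include[[:space:]]+common-auth' "$pam"; then
        fail "@include common-auth is still active"
    fi

    # nullok is what this page configures; surface it so it is a conscious choice.
    if grep -Eq '^[[:space:]]*auth.*pam_google_authenticator\.so.*nullok' "$pam"; then
        echo "WARN: nullok set, accounts without a secret skip the code prompt"
    fi
    return "$bad"
}

# Constructed sample files that match the configuration on this page.
demo=$(mktemp -d)
printf '%s\n' 'ChallengeResponseAuthentication yes' 'UsePAM yes' \
    'AuthenticationMethods publickey,keyboard-interactive' > "$demo/sshd_config"
printf '%s\n' '#@include common-auth' '@include common-password' \
    'auth required pam_google_authenticator.so nullok' > "$demo/sshd.pam"
check_ssh_2fa "$demo/sshd_config" "$demo/sshd.pam" && echo "OK: key plus code is required"
rm -rf "$demo"
```

On the server itself, `sudo sshd -t` validates the syntax and `sudo sshd -T` prints the effective settings, which also covers `Match` blocks and included files that this static check does not read.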
Done!
Congratulations! You’ve configured it!
Try reconnecting using another session!
If anything goes wrong, search Google or leave a message here. Then use the connected session to change the config back.