How to set up 2FA on Linux / Ubuntu!

Hello, this is a small tutorial on how to set up 2FA on Linux / Ubuntu.


Step 1: Install Google Authenticator on your mobile

Install the Google Authenticator app on your phone. You can download it from the Google Play Store or the Apple App Store.

Step 2: Update your Linux repositories. This can be done by running the following command:

sudo apt-get update

Once the repositories are updated, you can proceed to the next step.

Step 3: Install the Google Authenticator PAM module

Next, you need to install the Google Authenticator PAM module on your Linux system. You can do this by running the following command:

sudo apt-get install libpam-google-authenticator

Step 4: Configure Google Authenticator for your user

Once the module is installed, you need to configure it for your user. Run the following command:

google-authenticator
  1. When asked "Do you want authentication tokens to be time-based (y/n)", answer y.
  2. Scan the QR code that is displayed with your Authenticator app. IMPORTANT: make sure the shell window is big enough, otherwise the QR code will be malformed.
  3. Fill in the code that is displayed in the authenticator app.
  4. After this, answer the next questions with Yes for best practice.

Step 5: Update the PAM configuration

Finally, you need to update the PAM configuration to enable Google Authenticator for SSH logins. Open the /etc/pam.d/sshd file (sudo nano /etc/pam.d/sshd) and add the following line at the end:

auth required pam_google_authenticator.so

You also need to modify the /etc/ssh/sshd_config file (sudo nano /etc/ssh/sshd_config).
Search for "challenge-response". There, change KbdInteractiveAuthentication (sometimes named ChallengeResponseAuthentication) to yes and uncomment the "PasswordAuthentication yes" line.

Save the file and restart the SSH service to apply the changes. Important: do not close the current SSH session before testing!

sudo systemctl restart ssh or sudo systemctl restart sshd

Now open a new shell, using PuTTY for instance, and test if it works. When you log in to your Linux system via SSH, you will be prompted to enter a verification code from the Google Authenticator app on your phone in addition to your password.

If this is successful, you can close the other SSH session and you are done!
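
The Step 5 edits can be checked before the SSH restart with a small script like the one below. It is an added example, not part of the original tutorial; the function names sshd_value and check_2fa_config are made up for illustration, and the demo runs on constructed sample files rather than the real system files.

```shell
#!/bin/sh
# Added example (not from the original tutorial): verify the Step 5 edits.
# Limitation: reads only the files given; Include files and Match blocks are ignored.

# Print the first uncommented value of an sshd_config keyword (sshd uses the first one).
sshd_value() {   # $1 = keyword, $2 = config file
    awk -v key="$1" '
        $1 ~ /^#/ { next }                               # skip commented lines
        tolower($1) == tolower(key) { print tolower($2); exit }
    ' "$2"
}

# Return 0 only if both files contain the settings from Step 5.
check_2fa_config() {   # $1 = PAM file, $2 = sshd_config (defaults: the real files)
    pam_file="${1:-/etc/pam.d/sshd}"
    sshd_file="${2:-/etc/ssh/sshd_config}"
    rc=0

    if ! grep -Eq '^[[:space:]]*auth[[:space:]]+required[[:space:]]+pam_google_authenticator\.so' "$pam_file"; then
        echo "FAIL: no active 'auth required pam_google_authenticator.so' in $pam_file"
        rc=1
    fi

    # Newer OpenSSH: KbdInteractiveAuthentication; older: ChallengeResponseAuthentication.
    kbd=$(sshd_value KbdInteractiveAuthentication "$sshd_file")
    [ -n "$kbd" ] || kbd=$(sshd_value ChallengeResponseAuthentication "$sshd_file")
    if [ "$kbd" != "yes" ]; then
        echo "FAIL: keyboard-interactive authentication is not set to yes in $sshd_file"
        rc=1
    fi

    if [ "$(sshd_value PasswordAuthentication "$sshd_file")" != "yes" ]; then
        echo "FAIL: PasswordAuthentication is not set to yes in $sshd_file"
        rc=1
    fi

    [ "$rc" -eq 0 ] && echo "OK: Step 5 settings found"
    return "$rc"
}

# Demo on constructed sample files (not real system files).
demo_dir=$(mktemp -d)
printf '@include common-auth\nauth required pam_google_authenticator.so\n' > "$demo_dir/pam"
printf 'KbdInteractiveAuthentication no\n#PasswordAuthentication yes\n' > "$demo_dir/sshd_config"
check_2fa_config "$demo_dir/pam" "$demo_dir/sshd_config" || echo "Fix the lines above before restarting ssh"
rm -rf "$demo_dir"
```

On the server itself, calling check_2fa_config with no arguments reads /etc/pam.d/sshd and /etc/ssh/sshd_config. Running sudo sshd -t additionally checks sshd_config for syntax errors before the restart.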