Enable 2FA for Ubuntu

Enable 2FA for Ubuntu


Note: Do not logout from system before testing completed

  • Installing the Google Authenticator PAM module
sudo apt install libpam-google-authenticator
  • Configuring SSH

Add the following line at end of /etc/pam.d/sshd file

auth required pam_google_authenticator.so
  • Enable Challenge Response Authentication

Modify /etc/ssh/sshd_config

ChallengeResponseAuthentication yes
  • Disable password authentication

Modify /etc/ssh/sshd_config

PasswordAuthentication no
  • Restart the sshd daemon
sudo systemctl restart sshd.service

Configuring authentication for user

In a terminal, run following command:


Anwser using recommended configuration:

Make tokens “time-base””: yes
Update the .google_authenticator file: yes
Disallow multiple uses: yes
Increase the original generation time limit: no
Enable rate-limiting: yes

Use Authy scan QR code and save it.


  • Disable user authorized_keys using root account
cd ~user
mv .ssh/authorized_keys .ssh/authorized_
  • Connect as the user using SSH

Note: Use Authy generate Verification code.

ssh host.example.com
Verification code: 
Welcome to Ubuntu 20.04.3 LTS (GNU/Linux 5.4.0-90-generic x86_64)
  • Enable authorized_keys
mv .ssh/authorized_ .ssh/authorized_keys
  • Exit
  • Connect as the user again using SSH
$ ssh host.example.com
Welcome to Ubuntu 20.04.3 LTS (GNU/Linux 5.4.0-90-generic x86_64)
  • Test sudo
$ sudo -i
[sudo] password for user:


  • Disable SSH PasswordAuthentication is not effected, password is still required.

  • Enable public key authentication using authorized_keys will disable 2FA key, this is good for service account

  • Do not configure sudo, /etc/pam.d/sudo is not modified, especially when using it for none password execution, such as running in services.

  • Console access will not using 2FA, because this confiugration is for SSH.


Configure SSH to use two-factor authentication
How To Set Up Multi-Factor Authentication for SSH on Ubuntu 20.04
Note: This was not successful, the document is wrong at following point. I think the second publickey should not be there

AuthenticationMethods publickey,password publickey,keyboard-interactive

Leave a Reply

Your email address will not be published. Required fields are marked *

You may use these HTML tags and attributes:

<a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>

The reCAPTCHA verification period has expired. Please reload the page.