2FA for SSH with Google Authenticator

2FA adds a second layer of security: even if someone gets your SSH password, they can't access without the OTP code.

Before applying this configuration, open a second separate SSH session so you can recover if there are errors. Don't close your current session until you've verified it works.

Run this command as the user you want to protect (e.g., root or your user):

google-authenticator

Answer the questions:

Save the emergency scratch codes in a safe place. They allow you to access if you lose your phone.

• Do you want authentication tokens to be time-based? → y
• Scan the QR code with Google Authenticator, Authy, or any TOTP app
• Do you want me to update your "~/.google_authenticator" file? → y
• Do you want to disallow multiple uses of the same token? → y
• By default, tokens are good for 30 seconds... → n (or y if you have synchronization issues)
• Do you want to enable rate-limiting? → y

sudo nano /etc/pam.d/sshd

Add this line at the top of the file:

sudo nano /etc/ssh/sshd_config

Modify or add these lines:

sudo systemctl restart ssh

Open a new SSH session (don't close the current one):

You should see:

To apply 2FA only to certain users (not all):

sudo nano /etc/ssh/sshd_config

The recommended flow is: SSH key + OTP code:

This makes unauthorized access practically impossible.

• User presents SSH key → authenticated
• User enters OTP code → authenticated

Each user must run google-authenticator with their own account:

# As regular user
su - regularuser
google-authenticator

In case of emergency (e.g., lost phone):

# Access via VNC Console (VirtFusion panel)
# Comment out the PAM line
sudo sed -i 's/^auth required pam_google_authenticator.so/#auth required pam_google_authenticator.so/' /etc/pam.d/sshd
sudo systemctl restart ssh

Then reconfigure when you regain access.

• Google Authenticator (Android/iOS)
• Authy (Android/iOS/Desktop: recommended for backup)
• Bitwarden Authenticator (open source)
• andOTP (Android, open source)