Two-Factor Authentication
Add an extra layer of security with TOTP-based 2FA.
Google Authenticator PAM
Installation

```bash
# Debian/Ubuntu
sudo apt install libpam-google-authenticator
# RHEL/CentOS (package comes from EPEL)
sudo dnf install google-authenticator
# Arch
sudo pacman -S libpam-google-authenticator
```

User Setup
```bash
# Run as the user who needs 2FA (it writes ~/.google_authenticator, mode 0400)
google-authenticator
# Answer the prompts:
# - Time-based tokens? y            (TOTP rather than counter-based HOTP)
# - Update ~/.google_authenticator? y
# - Disallow multiple uses? y       (a code is accepted only once, even inside the window)
# - Increase time window? n         (keeps the default +/-1 step; y only if clocks drift badly)
# - Enable rate-limiting? y         (at most 3 attempts per 30 s)
# Scan the QR code with your authenticator app and write down the emergency scratch codes
```

PAM Configuration
```bash
# /etc/pam.d/sshd - Add near the top
auth required pam_google_authenticator.so nullok
# Options:
# nullok                 = Allow users without ~/.google_authenticator to log in without 2FA
#                          (useful while rolling out; remove it once everyone is enrolled)
# no_increment_hotp      = Don't advance the HOTP counter on a failed attempt
# echo_verification_code = Echo the code as it is typed (by default it is hidden)
```

SSH Configuration
```bash
# /etc/ssh/sshd_config
ChallengeResponseAuthentication yes   # deprecated alias; on OpenSSH 8.7+ use KbdInteractiveAuthentication yes
AuthenticationMethods publickey,keyboard-interactive
UsePAM yes
# Restart SSH (the unit is named ssh on Debian/Ubuntu)
sudo systemctl restart sshd
```

Key + 2FA Authentication
```bash
# /etc/ssh/sshd_config
# Require both SSH key AND 2FA code
AuthenticationMethods publickey,keyboard-interactive:pam
# /etc/pam.d/sshd
# Comment out @include common-auth so PAM no longer asks for the Unix password
# Add:
auth required pam_google_authenticator.so
```

YubiKey / Hardware Tokens
PAM U2F Setup

```bash
# Install
sudo apt install libpam-u2f
# Register key (as user): touch the key when it blinks
mkdir -p ~/.config/Yubico
pamu2fcfg > ~/.config/Yubico/u2f_keys
# Add to PAM (reads ~/.config/Yubico/u2f_keys by default)
auth required pam_u2f.so
```

Backup Codes
```bash
# During google-authenticator setup, save the emergency scratch codes
# Store them securely offline! Each one works exactly once.
# To regenerate (this also creates a NEW secret, so re-scan the QR code):
google-authenticator --force
# Backup codes location (secret on the first line, scratch codes below it)
~/.google_authenticator
```

2FA Methods Comparison
| Method | Security | Convenience | Offline |
|---|---|---|---|
| TOTP App | Good | High | Yes |
| Hardware Key | Excellent | Medium | Yes |
| SMS | Poor | High | No |
| Push Notification | Good | High | No |
Recommendation: TOTP app + SSH keys for servers.
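To show what the setup prompts above actually buy you, here is an added example (not code from the page or from the PAM module) that computes RFC 6238 TOTP codes from a secret in the `~/.google_authenticator` layout and models the "disallow multiple uses" and single-use scratch-code checks. The sample file and the `TotpVerifier` class are assumptions for illustration; the secret is the RFC test key, not a real enrolment.

```python
import base64
import hashlib
import hmac

# Constructed sample in the layout of ~/.google_authenticator: base32 secret first,
# '" ' option lines, then 8-digit emergency scratch codes (RFC 4226/6238 test key).
SAMPLE_FILE = """GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ
" RATE_LIMIT 3 30
" TOTP_AUTH
" DISALLOW_REUSE
12345678
87654321
"""

def parse_ga_file(text):
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    options = {ln[2:].split()[0] for ln in lines[1:] if ln.startswith('" ')}
    scratch = {ln for ln in lines[1:] if ln.isdigit() and len(ln) == 8}
    return lines[0], options, scratch

def hotp(secret_b32, counter, digits=6):
    """RFC 4226: HMAC-SHA1 over the 8-byte counter, dynamic truncation, mod 10^digits."""
    key = base64.b32decode(secret_b32.upper() + "=" * (-len(secret_b32) % 8))
    mac = hmac.new(key, counter.to_bytes(8, "big"), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)

def totp(secret_b32, unix_time, step=30, digits=6):
    """RFC 6238: HOTP with the counter set to floor(unix_time / step)."""
    return hotp(secret_b32, int(unix_time) // step, digits)

class TotpVerifier:  # simplified model of the module's checks, not its real code
    def __init__(self, file_text, window=1, step=30):
        self.secret, self.options, self.scratch = parse_ga_file(file_text)
        self.window, self.step = window, step
        self.used_steps = set()  # steps already redeemed, for DISALLOW_REUSE

    def verify(self, code, unix_time):
        if code in self.scratch:  # emergency code: valid exactly once
            self.scratch.discard(code)
            return True
        current = int(unix_time) // self.step
        for t in range(current - self.window, current + self.window + 1):  # +/-1 step
            if hmac.compare_digest(totp(self.secret, t * self.step, self.step), code):
                if "DISALLOW_REUSE" in self.options and t in self.used_steps:
                    return False  # replay of a code already accepted for this step
                self.used_steps.add(t)
                return True
        return False
```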
- 2fa
- totp
- google authenticator
- mfa
- security