If you’re looking to add an extra layer of iron clad security to your Linux server, there are few better options than two-factor authentication. In this guide, we’ll show you how to install Google PAM for SSH authentication.

First, lets update Ubuntu’s aptitude cache:

sudo apt-get update

Next we’ll get and install Google LibPAM:

sudo apt-get install libpam-google-authenticator -y

Well that was easy, wasn’t it?

Initial Configuration for Google PAM

Now that we’ve got PAM installed, let’s start the application:


At this point, you’ll be presented with a number of initial configuration options. Let’s walk through these. First you’ll be asked if you want to use the time-based option for authentication tokens. Selecting no here would configure the module to use sequential tokens, which isn’t terribly compatible and might equate to a less than ideal first experience, so let’s choose Y here to avoid that:

Do you want authentication tokens to be time-based (y/n) y

In order to install Google PAM, you’ll need to answer yes on this one so that the authentication token is written and the program won’t terminate, so answer Y:

Do you want me to update your "~/.google_authenticator" file (y/n) y

Unless you’re a fan of replay attacks, you’ll probably want to disable multiple uses of the same auth token in this next step, so select Y here:

Do you want to disallow multiple uses of the same authentication
token? This restricts you to one login about every 30s, but it increases
your chances to notice or even prevent man-in-the-middle attacks (y/n) y

On this one you won’t want to answer yes unless you’d like to give hackers a broader window for gaining access. So you’ll probably want to answer no, which configures the application to allow only 3 login attempts ever 30 seconds. Answer N:

By default, tokens are good for 30 seconds and in order to compensate for
possible time-skew between the client and the server, we allow an extra
token before and after the current time. If you experience problems with poor
time synchronization, you can increase the window from its default
size of 1:30min to about 4min. Do you want to do so (y/n) n

By confirming rate-limiting, you’ll limit attackers to a certain number of attempts before they’re blocked, which is a good thing and (assuming you haven’t previously setup a rate-limiting policy for SSH) this will definitely bolster your security level. Answer Y:

Great! Now you’ve got Google PAM installed so it’s on to the configuration!

Configuring PAM with SSH

Let’s crack open the PAM configuration file using Nano:

sudo nano /etc/pam.d/sshd

Right below the line @include common-password, add the following to require PAM and allow null:

auth required pam_google_authenticator.so nullok

Close out the file and save it.

Now let’s make an edit to the SSHD configuration:

sudo nano /etc/ssh/sshd_config

Locate the line that reads ChallengeResponseAuthentication and ensure it’s set to yes:

# Change to yes to enable challenge-response passwords (beware issues with
# some PAM modules and threads)
ChallengeResponseAuthentication yes

Close and save your edit and restart the SSHD service:

service sshd restart

Now we’ll re-edit the SSHD configuration:

sudo nano /etc/ssh/sshd_config

Look for he line that reads UsePAM yes and add he following line below it to set the authentication mehod to SSH key, then either a password or verification code:

UsePAM yes
AuthenticationMethods publickey,password publickey,keyboard-interactive

Now we’ll re-edit the PAM configuration file as well:

sudo nano /etc/pam.d/sshd

Locate the line # Standard Un*x authentication. and right below it, uncomment the line #@include common-auth by removing the # so that it looks like this:

# Standard Un*x authentication.
@include common-auth

Close out of the file and save it and restart SSH again:

Now for he fun part! Open a new SSH session. If all went well, you should now be prompted for a verification code after you SSH key is accepted.

Assuming all went well with your test – that’s it, you’re done!

Share this post