This guide configures SSH with two-factor authentication (2FA) using Google Authenticator on a Linux server. The goal is to enhance security by requiring a second factor for specific users while allowing standard password login for others. The configuration uses PAM (Pluggable Authentication Modules) to manage authentication and SSH server settings to enforce the required login methods.
Objective
Configure SSH to enable:
- Two-Factor Authentication (2FA) using Google Authenticator for a specific user.
- Normal password authentication for all other users.
- Public key plus keyboard-interactive authentication as the only accepted combination for the 2FA user.
Prerequisites
- Linux server with SSH
Install Required Packages
1. Install libpam-google-authenticator package:
sudo apt install libpam-google-authenticator
2. Configuring authentication
Initialize the user-specific Google Authenticator secret: log in as that user and run the command below. It generates the QR code or secret key for setting up the authenticator app.
google-authenticator
- It will ask you a series of questions; here is a recommended configuration:
- Make tokens “time-based”: yes
- Update the .google_authenticator file: yes
- Disallow multiple uses: yes
- Increase the original generation time limit: no
- Enable rate-limiting: yes
2. PAM Configuration
Open PAM configuration file /etc/pam.d/sshd
vim /etc/pam.d/sshd
PAM manages authentication policies through the following entries. Add them:
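# PAM configuration for the Secure Shell service
# A valid code ends the stack, a wrong code fails it, and users without a secret (nullok) fall through to common-auth.
auth [success=done ignore=ignore default=die] pam_google_authenticator.so nullok
# Standard Un*x authentication.
@include common-auth
Explanation of each line
auth [success=done ignore=ignore default=die] pam_google_authenticator.so nullok – Mandatory if 2FA is desired. nullok makes it optional for users without 2FA: for them the module returns ignore and the stack continues to common-auth. For a user with a secret, a valid code completes authentication (success=done) and a wrong code ends it with a failure (default=die). Remove nullok to force 2FA for all users.
auth sufficient pam_permit.so – Do not place this line above @include common-auth. pam_permit always succeeds, and sufficient returns success to sshd at that point, so a user without a Google Authenticator secret would be accepted before the password is checked. pam_permit is only needed, at the end of the stack, when common-auth is commented out and every user must present a public key first, because nullok users would otherwise have no module that returns success.
@include common-auth – Required to allow fallback password authentication for other users. Necessary for normal password login for users not using 2FA. If you comment it out (#@include common-auth), then password authentication is skipped, so users who rely on passwords cannot log in.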
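The order of the auth lines decides whether the password modules are ever consulted. The following is an added example, not from the original page and not Linux-PAM code: a simplified model of how PAM walks an auth stack, run on two constructed stacks in which pam_unix.so stands in for @include common-auth. The names walk, PERMIT_FIRST, GA_DECIDES and NO_SECRET_BAD_PW are assumptions for illustration.

```python
import re

# Control keywords in bracket form, per pam.conf(5) (new_authtok_reqd omitted for brevity).
KEYWORDS = {
    "required":   {"success": "ok", "ignore": "ignore", "default": "bad"},
    "requisite":  {"success": "ok", "ignore": "ignore", "default": "die"},
    "sufficient": {"success": "done", "default": "ignore"},
    "optional":   {"success": "ok", "default": "ignore"},
}

def parse_auth_stack(text):
    """Return [(actions, module)] for each 'auth' line; other lines are skipped."""
    rules = []
    for line in text.splitlines():
        m = re.match(r"\s*auth\s+(\[[^\]]*\]|\S+)\s+(\S+)", line)
        if not m:
            continue
        control, module = m.groups()
        if control.startswith("["):
            actions = dict(kv.split("=", 1) for kv in control[1:-1].split())
        else:
            actions = KEYWORDS[control]
        rules.append((actions, module))
    return rules

def walk(text, results):
    """results: module -> 'success' | 'ignore' | 'auth_err'. Returns (granted, consulted)."""
    granted, failed, consulted = False, False, []
    for actions, module in parse_auth_stack(text):
        consulted.append(module)
        action = actions.get(results[module], actions.get("default", "bad"))
        if action in ("bad", "die"):
            failed = True
        elif action in ("ok", "done") and not failed:
            granted = True
        # 'die' always stops; 'done' stops only when nothing has failed so far.
        if action == "die" or (action == "done" and not failed):
            break
    return granted and not failed, consulted

# Constructed stacks (assumption: pam_unix.so represents the password check).
PERMIT_FIRST = """auth required pam_google_authenticator.so nullok
auth sufficient pam_permit.so
auth required pam_unix.so"""
GA_DECIDES = """auth [success=done ignore=ignore default=die] pam_google_authenticator.so nullok
auth required pam_unix.so"""
# Constructed user: no ~/.google_authenticator (nullok -> ignore) and a wrong password.
NO_SECRET_BAD_PW = {"pam_google_authenticator.so": "ignore",
                    "pam_permit.so": "success", "pam_unix.so": "auth_err"}

if __name__ == "__main__":
    for name, stack in (("PERMIT_FIRST", PERMIT_FIRST), ("GA_DECIDES", GA_DECIDES)):
        print(name, walk(stack, NO_SECRET_BAD_PW))
```

In the first stack the password module is never consulted and the login is granted; in the second the wrong password is rejected by pam_unix.so.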
3. SSH Daemon Configuration
Open SSH configuration file /etc/ssh/sshd_config
vim /etc/ssh/sshd_config
This configuration controls SSH authentication methods.
Match User specificuser
KbdInteractiveAuthentication yes
AuthenticationMethods publickey,keyboard-interactive
Match User specificuser – Enables 2FA for a specific user while leaving other users unaffected.
KbdInteractiveAuthentication – Required for PAM-based 2FA. Must be yes for 2FA.
AuthenticationMethods publickey,keyboard-interactive – Ensures 2FA is enforced only for this user. Other users will continue to use password authentication if allowed.
Restart SSH daemon after changes
sudo systemctl restart sshd
Testing
Login as specificuser:
ssh specificuser@server_ip
- Should prompt for 2FA code.
Login as other users:
ssh otheruser@server_ip
- Should prompt only for password if configured.
4. Example Flow
User specificuser login:
- SSH client sends public key.
- Server validates public key.
- Server prompts for 2FA code (Google Authenticator).
- Access granted only after successful 2FA.
Other user login:
- SSH client prompts for password.
- Server validates password via common-auth.
- Access granted if password correct.
5. Conclusion
This setup enables flexible and secure SSH authentication by combining traditional password-based login with two-factor authentication (2FA) using Google Authenticator. This approach provides a balanced security model that enforces strong authentication for sensitive accounts while preserving usability for regular users.