Sunday, July 15, 2012

SSH / Google 2-Step Authentication How-To : Enhance your SSH security with Google Two factor Authentication Service

*** Updated March 9, 2013  ***

Major changes:
03/09/2013 - Added missing pam settings upon user comment

The Goal:

Google provides for free a great service to enhance your Google account security called "Google 2-Step Authentication"  (also called two factor authentication) and offers a real strong authentication mechanism.

This service can also easily be used to enhance your SSH access security.
In a few words, you will be able to protect your SSH access with strong authentication using your smartphone as a software token.

Do not hesitate to read official Google page if you need more information:

You may also read my article about configuring it to protect your Google account access:

Other useful sources (thanks to various authors):

What you need:

  • A running Linux Box with SSH installed and accessible
  • A smartphone : Iphone, Android or RIM

Step 1: Install Google Authenticator

Tested under Ubuntu 12.04 TLS:
sudo apt-get install libpam-google-authenticator

Step 2: Configure SSH to use Google Authenticator

Edit "/etc/pam.d/sshd" with your favorite text editor and add:
auth required

Edit "/etc/ssh/sshd_config" and set:
ChallengeResponseAuthentication yes

Edit "/etc/pam.d/common-auth" and set:

auth required
auth [success=1 default=ignore] nullok_secure

As the user you want to connect with, configure your Google two factors authentication:

$ google-authenticator|0&cht=qr&chl=otpauth://totp/user@host%3Fsecret%3DZDTR6VU5FR5OIZ3G

Your new secret key is: ZDTR6VU5FR5OIZ3G
Your verification code is 843231
Your emergency scratch codes are:

Do you want me to update your "~/.google_authenticator" file (y/n)

Do you want to disallow multiple uses of the same authentication
token? This restricts you to one login about every 30s, but it increases
your chances to notice or even prevent man-in-the-middle attacks (y/n) y

By default, tokens are good for 30 seconds and in order to compensate for
possible time-skew between the client and the server, we allow an extra
token before and after the current time. If you experience problems with poor
time synchronization, you can increase the window from its default
size of 1:30min to about 4min. Do you want to do so (y/n) y

If the computer that you are logging into isn't hardened against brute-force
login attempts, you can enable rate-limiting for the authentication module.
By default, this limits attackers to no more than 3 login attempts every 30s.
Do you want to enable rate-limiting (y/n) y

Emergency codes are provided in case of your phone would be unavailable, you should keep it somewhere 

Open your Google Authenticator application on your phone, click on "+" and "read bar code", get the bar code provided by the terminal, it will be added automatically in the application.

Restart ssh:
sudo service ssh restart

I recommend you to keep your opened terminal up in case you would be unable to connect 

Step 3: Check authentication

Try to connect to your host using Google code provided by your phone:

ssh user@host
Verification code: 
Welcome to Ubuntu 12.04 LTS (GNU/Linux 3.2.0-26-generic x86_64)

Last login: Sun Jul 15 11:28:17 2012 from XXX.XXX.X.XX


  1. Since installing this i am unable to access my server via ssh, i get a connection refused message each time, not even being prompted for any password. How would i fix this ?

  2. Hi, Access you system directly in console mode and revert to your original SSH configuration (the pam.d config file and SSH config file), restart SSH (or reboot) and you should be good ^^

  3. On Ubuntu 12.04 I also needed to edit /etc/pam.d/common-auth with the following line to make this work:

    # here are the per-package modules (the "Primary" block)
    auth required
    auth [success=1 default=ignore] nullok_secure

    Hope this helps someone. Cheers!

    1. Hi,

      I have added your correction, many thanks for reporting it!



Please feel free to comment ^^