SSH with 2 steps with Google Authenticator

By | December 2, 2013

Many security policies require you to change the port number of the SSH service to ensure greater security in a Linux system. Situation now obvious throughout the IT world and used mostly by users who have their own private server. Today I want to show you how to add another security policies without having to change the SSH port. It is to incorporate the famous Google Authenticator to ssh service, in such a way as to have a safe, two steps, namely, by entering his password from the application date plus the combination GA Let’s see how to do this…

The first step is to configure NTP on our Linux OS for a time aligned with the Google servers.

Then download the application on their mobile device Google Authenticator:

So get ready to install on our Linux system.

We install the dependencies to be able to operate the product correctly:

For Debian/Ubuntu

# apt-get install build-essential libpam0g-dev libpam0g make

For CentOS\RHEL (have enabled EPEL repo as described HERE)

# yum --enablerepo=epel install gcc gcc++ pam-devel subversion python-devel git

For ArchLinux (if necessary)

# pacman -Sy pam wget

Completed installation of dependencies proceed with the compilation of the required library. We unload the library with the command:

# wget -O googleauth.tar.bz2

extract the contents:

# tar -xf googleauth.tar.bz2

enter into directory:

# cd libpam-google-authenticator-1.0/

Edit the makefile with your favorite editor:

# nano Makefile

We add, immediately after the directive “VERSION := 1.0“, the row “LDFLAGS=”-lpam“”:

VERSION := 1.0

At this point, save the file and launch the build commands:

# make && make install

If the installation is successful term we remove the downloaded files with commands:

# cd ..
# rm -rf googleauth.tar.bz2 libpam-google-authenticator-1.0/

At this point we can run the command to the first configuration:

# google-authenticator

once launched we will be asked:

Do you want authentication tokens to be time-based (y/n)

reply “y” and press Enter.

At this point you will see a output like this:|0&cht=qr&chl=otpauth://totp/root@myserver%3Fsecret%3D3LXXXXXXXXXXXX
 Your new secret key is: 3LOXXXXXXXXXXXX
 Your verification code is 722511
 Your emergency scratch codes are:
Do you want me to update your "/root/.google_authenticator" file (y/n)

copy the link:×200&…. and incolliamolo in the address bar of our browser, making it appear the qrcode.


Open the application G.A. on our mobile, we go on “Menu” -> “Configure Account


Later on we TAB “Read barcode


We place the smartphone on the screen to read the bar code and generate access codes.

Appears immediately after the entry for your server (eg: root@hostname):


At this point, the application is ready, we go back on our Linux system and continue the configuration. We left the question:

Do you want me to update your "/root/.google_authenticator" file (y/n)

re-reply “y” to this and other questions.

At this point there is nothing left to do but to edit the pam configuration file with your favorite editor:

# nano /etc/pam.d/sshd

and add to the end of the file:

auth required

saved and changed the sshd_config configuration file with your favorite editor:

# nano /etc/ssh/sshd_config

modifying the item to be:

ChallengeResponseAuthentication no


ChallengeResponseAuthentication yes

save and restart the sshd service with the command:

For Debian/Ubuntu

# service ssh restart


# service sshd restart

For ArchLinux

# systemctl restart sshd

At this point, if all went well, we try by connecting to the server through ssh:


To enable the same code on other users of the system just copy the file /root/.google_authenticator in your user’s home. While if you want a token to user just relaunch the command google-authenticator with the desired user.

That’s all!!! See you soon!!! ;-)