Docs / Security / How to Set Up Two-Factor Authentication for SSH

How to Set Up Two-Factor Authentication for SSH

By Admin · Feb 25, 2026 · Updated Apr 23, 2026 · 199 views · 1 min read

Adding 2FA to SSH provides an extra layer of security beyond keys or passwords.

Install Google Authenticator

apt install libpam-google-authenticator -y

Configure for Your User

google-authenticator

Answer yes to time-based tokens, update the .google_authenticator file, disallow reuse, and allow time skew.

Configure PAM

Edit /etc/pam.d/sshd, add at the top:

auth required pam_google_authenticator.so

Configure SSH

Edit /etc/ssh/sshd_config:

ChallengeResponseAuthentication yes
AuthenticationMethods publickey,keyboard-interactive
systemctl restart sshd

Now SSH requires both your key and a TOTP code.

Was this article helpful?

Related Articles