Overview
Adding TOTP (Time-based One-Time Password) to SSH provides an extra layer of security. Even if an attacker obtains your password or SSH key, they cannot access the server without the 2FA code.
Installation
sudo apt update
sudo apt install -y libpam-google-authenticator
Configure for Your User
# Run as the user you want to protect
google-authenticator
Answer the prompts:
- Time-based tokens: Yes
- Update .google_authenticator file: Yes
- Disallow multiple uses: Yes
- Increase time window: No
- Rate limiting: Yes
Save the QR code and emergency backup codes securely.
Enable in PAM
Edit /etc/pam.d/sshd, add at the top:
auth required pam_google_authenticator.so
Configure SSH
Edit /etc/ssh/sshd_config:
ChallengeResponseAuthentication yes
AuthenticationMethods publickey,keyboard-interactive
sudo systemctl restart sshd
Testing
Open a new SSH session (keep the current one open as a backup). You should be prompted for your key or password and then for a verification code.
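If the new session never asks for a code, the usual cause is that the two sshd_config lines were appended below a distribution default such as ChallengeResponseAuthentication no: sshd_config(5) states that for each keyword the first obtained value is used, so the later line is silently ignored. The following added Python checker (example code for this page, not part of OpenSSH or the PAM module) applies that first-match rule, ignores conditional Match blocks, and confirms the PAM line is present. The function names and the sample configuration files are constructed for illustration.

```python
import re
from typing import Dict, List

# Effective global values the guide's two sshd_config settings must have.
REQUIRED_SSHD = {
    "challengeresponseauthentication": "yes",
    "authenticationmethods": "publickey,keyboard-interactive",
}
PAM_MODULE = "pam_google_authenticator.so"


def effective_sshd_options(config_text: str) -> Dict[str, str]:
    """Return the global options sshd would use: per sshd_config(5), the first value
    obtained for a keyword wins. Directives inside a Match block are conditional, so
    they are not counted as global values."""
    options: Dict[str, str] = {}
    in_match = False
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()     # drop comments and surrounding whitespace
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            in_match = True                   # everything after a Match line is conditional
            continue
        if in_match:
            continue
        options.setdefault(key, value)        # first occurrence wins; later ones are ignored
    return options


def check_ssh_2fa(sshd_config: str, pam_sshd: str) -> List[str]:
    """Return findings; an empty list means both files look as the guide expects."""
    findings: List[str] = []
    options = effective_sshd_options(sshd_config)
    for key, wanted in REQUIRED_SSHD.items():
        got = options.get(key)
        if got is None:
            findings.append(f"sshd_config: {key} not set, the compiled-in default applies")
        elif got.lower().replace(" ", "") != wanted:
            findings.append(f"sshd_config: {key} is '{got}' (first occurrence wins), expected '{wanted}'")

    module_present = False
    for raw in pam_sshd.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) >= 3 and fields[0] == "auth" and fields[2].endswith(PAM_MODULE):
            module_present = True
            if fields[1] != "required":
                findings.append(f"pam.d/sshd: {PAM_MODULE} uses control '{fields[1]}', guide uses 'required'")
    if not module_present:
        findings.append(f"pam.d/sshd: no 'auth' line loads {PAM_MODULE}")
    return findings


# Constructed sample: the package default still says 'no' near the top, and the
# 'yes' appended at the bottom never takes effect.
SAMPLE_SSHD_CONFIG_BAD = """\
# default from the package
ChallengeResponseAuthentication no
UsePAM yes
PasswordAuthentication no
# added by following the guide, but placed after the default line
ChallengeResponseAuthentication yes
AuthenticationMethods publickey,keyboard-interactive
"""

# Constructed sample: correct ordering, plus a Match block that must not be mistaken
# for the global AuthenticationMethods value.
SAMPLE_SSHD_CONFIG_GOOD = """\
UsePAM yes
ChallengeResponseAuthentication yes
AuthenticationMethods publickey,keyboard-interactive
Match User deploy
    AuthenticationMethods publickey
"""

SAMPLE_PAM_SSHD = """\
auth required pam_google_authenticator.so
@include common-auth
"""

if __name__ == "__main__":
    for name, cfg in (("bad", SAMPLE_SSHD_CONFIG_BAD), ("good", SAMPLE_SSHD_CONFIG_GOOD)):
        print(name, check_ssh_2fa(cfg, SAMPLE_PAM_SSHD) or "ok")
```

On the host itself, sudo sshd -T prints the effective values sshd will actually use, which is the authoritative way to confirm what this checker approximates from the file text.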