How To Secure Your SSH Login with Google Authenticator

It’s a commonly known fact that hackers can steal your passwords. And if you own some sort of server that you often SSH into, that can be a problem. Fortunately, you can use something called 2 Factor Authentication to make sure that even if hackers get your password, they still can’t get into your server. One of the best 2 factor authentication services is Google Authenticator, a secure, open-source choice. Google provides the software to integrate Google Authenticator system with your SSH server. When you log into SSH on your server, you’ll have to enter a code from the Authenticator app on your phone when you connect.

Install Google Authenticator

To install Google Authenticator on our server, we’ll need something called the Google Authenticator PAM module. PAM actually stands for “pluggable authentication module”, meaning an application which ‘plugs’ a new form of authentication into your system.

The Google Authenticator PAM module can be installed from the official Ubuntu/CentOS repos. If your Linux distro doesn’t contain a package for the PAM module, you’ll have to download it from the Google Authenticator download page on Google Code and compile it yourself.

To install the package on Ubuntu, run the following command:

sudo apt-get install libpam-google-authenticator

(This will only install the PAM module on our system – we’ll have to activate it for SSH logins manually.)

Create an Authentication Key
Log in as the user you’ll be logging in with remotely and run the command google-authenticator to create a secret key for that user.

Firstly, allow the command to update your Google Authenticator file by typing y. You’ll then get several questions that will allow you to restrict uses of the same temporary security token, increase the time window that tokens can be used for, and limit the allowed access attempts. These choices can be answered with a simple y or n.

Google Authenticator will give you a secret key and several “emergency scratch codes.” Write down the emergency scratch codes somewhere safe – they can only be used one time each, and they’re intended for use if you lose your phone. Keep them safe.

Next, download Google Authenticator for your device from the App Store or Google Play. Enter the secret key in the Google Authenticator app on your phone. You can also use the scan barcode feature – at the top of the output of the google-authenticator command, there should be a QR code.

You’ll now have a constantly changing verification code on your phone.

If you want to log in remotely as multiple users, repeat the process for each user. Each user will have their own secret key and their own codes.


Activate Google Authenticator

Next you’ll have to make your system require Google Authenticator for SSH logins. To do so, open the /etc/pam.d/sshd file on your system and append the following line to the file:

auth required

Next, open the /etc/ssh/sshd_config file, find the ChallengeResponseAuthentication line, and change it to read as follows:

ChallengeResponseAuthentication yes

(If the ChallengeResponseAuthentication line doesn’t already exist, add it line to the file.)

Finally, you must restart the SSH server so your changes will take effect:

sudo service ssh restart


There you are! You have successfully installed Google Authenticator on your server! Now you can protect yourself further from hackers. Thank you for taking the time to read this article and be sure to check back for more posts!

Subscribe to our Newsletter
Hey. We'd love to keep you updated with exclusive resources, deals, and notifications when we post every week. Just enter your name and email and you're in!
We promise not to spam. You can unsubscribe easily at any time 🙂
Print Friendly