Secure SSH Access on Ubuntu with Google Authenticator
You secure SSH access on Ubuntu with Google Authenticator by implementing two-factor authentication (2FA).
Two-factor authentication adds an extra layer of security beyond just your username and password, requiring a time-sensitive code generated by an authenticator app.
This method is crucial for protecting your Ubuntu servers, especially when accessed remotely. For example, you can set this up on Ubuntu 20.04 or 18.04.
Google Authenticator provides these one-time passwords (OTPs) directly from your smartphone.
Secure SSH on Ubuntu by enabling two-factor authentication with Google Authenticator. After installing the app, edit /etc/ssh/sshd_config to enable ChallengeResponseAuthentication and UsePAM. Then, edit /etc/pam.d/sshd to add auth required pam_google_authenticator.so, and restart the SSH service.
Install Google Authenticator
To add an extra layer of security to your SSH logins on Ubuntu, you’ll first need to install the Google Authenticator app on your system and set it up with your phone.
Since we’ve already shown you how to install Google Authenticator Ubuntu and set it up on your mobile device, please reference the post below so we don’t write it again.
How to install Google Authenticator on Ubuntu Linux
Configure Two-factor SSH
With Google Authenticator set up on your phone and Ubuntu, the next step is to change your SSH server’s settings to require this second security code for logins.
To set up SSH, run the commands below to open its default configuration file on Ubuntu.
sudo nano /etc/ssh/sshd_config
Next, make the highlighted changes in the file to make this work.
# Authentication:
#LoginGraceTime 2m
PermitRootLogin yes
#StrictModes yes
MaxAuthTries 3
#MaxSessions 10
# Change to yes to enable challenge-response passwords (beware issues with
# some PAM modules and threads)
ChallengeResponseAuthentication yes
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
UsePAM yes
Save and exit.
Next, run the commands below to open Ubuntu’s PAM SSH configuration file.
sudo nano /etc/pam.d/sshd
Then append the highlighted changes below and save.
# PAM configuration for the Secure Shell service
# Standard Un*x authentication.
@include common-auth
# Disallow non-root logins when /etc/nologin exists.
account required pam_nologin.so
auth required pam_google_authenticator.soSave the file and exit.
After making the changes above, restart the SSH service.
sudo systemctl restart sshd
Now, go and test it out. You should be prompted for a one-time code every time you attempt to sign in.

If you set up SSH public key authentication, you’ll want to add this line to the main SSH configuration file at the/etc/ssh/sshd_config file.
AuthenticationMethods publickey,keyboard-interactive
auth required pam_google_authenticator.so
Exit both files and save your changes, then restart SSH.
sudo systemctl restart sshd
That should do it!
Conclusion:
This post showed you how to configure SSH to accept two-factor authentication using Google Authenticator.
If you find any error above, please use the form below to report.
You may also like the post below:
Was this guide helpful?
About the Author
Richard
Tech Writer, IT Professional
Richard, a writer for Geek Rewind, is a tech enthusiast who loves breaking down complex IT topics into simple, easy-to-understand ideas. With years of hands-on experience in system administration and enterprise IT operations, he’s developed a knack for offering practical tips and solutions. Richard aims to make technology more accessible and actionable. He's deeply committed to the Geek Rewind community, always ready to answer questions and engage in discussions.
No comments yet — be the first to share your thoughts!