OpenSSH Three factor Authentication using Google Authenticator and Public Key authentication

I use Google Authenticator on all of my
Google account because it’s a nice, efficient way to do multi-factor authentication for the
great price of free-ninety-nine. I wanted to use it on one of my servers, but I wanted to be extra
secure and use not only TOTP, but password based and RSA key authentication as well. All of the
documentation I could find on doing so with OpenSSH was only on doing Google Authenticator’s
TOTP and password based authentication. Thankfully, this is possible since OpenSSH 6.2
introduced the Authentication Methods argument. 
P { margin-bottom: 0.08in; }

Setting up Google Authenticator

P { margin-bottom: 0.08in; }For this I am going to be using Ubuntu
14.04 LTS, which makes setting up Google Authenticator really, really simple.

sudo apt-get install

P { margin-bottom: 0.08in; }Insanely difficult, I know. In this
case, this only installs the PAM library on the server.

After that, we will instruct PAM to
load the plugin by adding the following line to

P { margin-bottom: 0.08in; }

auth required

Finally, we need to tell OpenSSH to use
the challenge response authentication, as well as force using multiple factors of

In /etc/ssh/sshd_config, find the
ChallengeResponseAuthentication line to read as below:

ChallengeResponseAuthentication yes

P { margin-bottom: 0.08in; }We must also add the following lines:

UsePAM yes

P { margin-bottom: 0.08in; }This will tell OpenSSH to enable PAM
authentication, as well as requiring a private key from the person trying to authenticate to the

Now, su to the user, and run the
google-authenticator command to create a Google Authenticator secret for that user.
Note that you can use the same secret across multiple users if you’d like, but that kind of kills the

Now, restart the SSH service on the
server and test the login.

P { margin-bottom: 0.08in; }

sudo service ssh restart

A successful login should look like

 OpenSSH tutorial Three factor authentication


P { margin-bottom: 0.08in; }

Should an attacker somehow compromise
both your password and your Google Authenticator, they will still require your public
key, as shown below.


P { margin-bottom: 0.08in; }

So now, in order to authenticate to the
server via SSH, you will need your password, the password to the account, the private
key, and, if you’re feeling extra special, the passphrase to your private key. If you combine this
method of authentication with other ways of securing your SSH server, like port-knocking or
running fail2ban, you can certainly make SSH authentication much, much more secure than just
needing a password to the account.

Is this overkill? Probably. Is this
awesome? Certainly.

About the Author

P { margin-bottom: 0.08in; }

Jonathan is an IT Security Engineer at ReliaQuest in Tampa, Florida.


Ehacking Staff
With more than 50 global partners, we are proud to count the world’s leading cybersecurity training provider. EH Academy is the brainchild of Ehacking, which has been involved in the field of training since the past Five years and continues to help in creating professional IT experts.

Most Popular

The Complete OSINT Tutorial to Find Personal Information About Anyone

This article mainly focuses on how to discover a person's digital footprint and gather personal data by using open-source intelligence (OSINT). So, in its...

How to find the password of hacked email addresses using OSINT

Open-source intelligence or OSINT is a potent technique, and it can give a lot of valuable information, if implemented correctly with the right strategy...

How to Identify Company’s Hacked Email Addresses Using Maltego & HaveIbeenPawned

This article is part of the Maltego OSINT tutorial, where you will learn to identify the already hacked account, and it’s password using the...

5 Key Vulnerabilities in Global Payroll

The cyber threat against payroll is growing in sophistication and frequency, according to the latest FBI cybercrime report. Many of these attacks exploit fixable...