OpenSSH Three factor Authentication using Google Authenticator and Public Key authentication

I use Google Authenticator on all of my
Google account because it’s a nice, efficient way to do multi-factor authentication for the
great price of free-ninety-nine. I wanted to use it on one of my servers, but I wanted to be extra
secure and use not only TOTP, but password based and RSA key authentication as well. All of the
documentation I could find on doing so with OpenSSH was only on doing Google Authenticator’s
TOTP and password based authentication. Thankfully, this is possible since OpenSSH 6.2
introduced the Authentication Methods argument. 
P { margin-bottom: 0.08in; }

Setting up Google Authenticator

P { margin-bottom: 0.08in; }For this I am going to be using Ubuntu
14.04 LTS, which makes setting up Google Authenticator really, really simple.

sudo apt-get install

P { margin-bottom: 0.08in; }Insanely difficult, I know. In this
case, this only installs the PAM library on the server.

After that, we will instruct PAM to
load the plugin by adding the following line to

P { margin-bottom: 0.08in; }

auth required

Finally, we need to tell OpenSSH to use
the challenge response authentication, as well as force using multiple factors of

In /etc/ssh/sshd_config, find the
ChallengeResponseAuthentication line to read as below:

ChallengeResponseAuthentication yes

P { margin-bottom: 0.08in; }We must also add the following lines:

UsePAM yes

P { margin-bottom: 0.08in; }This will tell OpenSSH to enable PAM
authentication, as well as requiring a private key from the person trying to authenticate to the

Now, su to the user, and run the
google-authenticator command to create a Google Authenticator secret for that user.
Note that you can use the same secret across multiple users if you’d like, but that kind of kills the

Now, restart the SSH service on the
server and test the login.

P { margin-bottom: 0.08in; }

sudo service ssh restart

A successful login should look like

 OpenSSH tutorial Three factor authentication


P { margin-bottom: 0.08in; }

Should an attacker somehow compromise
both your password and your Google Authenticator, they will still require your public
key, as shown below.


P { margin-bottom: 0.08in; }

So now, in order to authenticate to the
server via SSH, you will need your password, the password to the account, the private
key, and, if you’re feeling extra special, the passphrase to your private key. If you combine this
method of authentication with other ways of securing your SSH server, like port-knocking or
running fail2ban, you can certainly make SSH authentication much, much more secure than just
needing a password to the account.

Is this overkill? Probably. Is this
awesome? Certainly.

About the Author

P { margin-bottom: 0.08in; }

Jonathan is an IT Security Engineer at ReliaQuest in Tampa, Florida.


Ehacking Staff
With more than 50 global partners, we are proud to count the world’s leading cybersecurity training provider. EH Academy is the brainchild of Ehacking, which has been involved in the field of training since the past Five years and continues to help in creating professional IT experts.

Most Popular

OSINT WIFI Tutorial: Track People using WiFi via Wigle

Due to the drastic growth of internet access, Wi-fi networks have become progressively popular. Wi-fi technologies link to the network topologies allows users to...

Why Attack Surface Analysis is a Core of Cybersecurity?

The pandemic of COVID-19 has changed the world dramatically. Almost all everyday actions have gone online: people work from home, students attend lectures through...

The Attack Surface Mapping guide for Ethical Hackers

This article explains how to map the attack surface in a precise and realistic way. An attack surface aims to figure out which areas...

Addressing Myths About Online Casinos & Security

Many people carry a perception that online casinos inherently involve a security risk. The sense is that these sites can be somehow “sketchy” or...