OpenSSH Three factor Authentication using Google Authenticator and Public Key authentication

I use Google Authenticator on all of my
Google account because it’s a nice, efficient way to do multi-factor authentication for the
great price of free-ninety-nine. I wanted to use it on one of my servers, but I wanted to be extra
secure and use not only TOTP, but password based and RSA key authentication as well. All of the
documentation I could find on doing so with OpenSSH was only on doing Google Authenticator’s
TOTP and password based authentication. Thankfully, this is possible since OpenSSH 6.2
introduced the Authentication Methods argument. 
P { margin-bottom: 0.08in; }

Setting up Google Authenticator

P { margin-bottom: 0.08in; }For this I am going to be using Ubuntu
14.04 LTS, which makes setting up Google Authenticator really, really simple.

sudo apt-get install

P { margin-bottom: 0.08in; }Insanely difficult, I know. In this
case, this only installs the PAM library on the server.

After that, we will instruct PAM to
load the plugin by adding the following line to

P { margin-bottom: 0.08in; }

auth required

Finally, we need to tell OpenSSH to use
the challenge response authentication, as well as force using multiple factors of

In /etc/ssh/sshd_config, find the
ChallengeResponseAuthentication line to read as below:

ChallengeResponseAuthentication yes

P { margin-bottom: 0.08in; }We must also add the following lines:

UsePAM yes

P { margin-bottom: 0.08in; }This will tell OpenSSH to enable PAM
authentication, as well as requiring a private key from the person trying to authenticate to the

Now, su to the user, and run the
google-authenticator command to create a Google Authenticator secret for that user.
Note that you can use the same secret across multiple users if you’d like, but that kind of kills the

Now, restart the SSH service on the
server and test the login.

P { margin-bottom: 0.08in; }

sudo service ssh restart

A successful login should look like

 OpenSSH tutorial Three factor authentication


P { margin-bottom: 0.08in; }

Should an attacker somehow compromise
both your password and your Google Authenticator, they will still require your public
key, as shown below.


P { margin-bottom: 0.08in; }

So now, in order to authenticate to the
server via SSH, you will need your password, the password to the account, the private
key, and, if you’re feeling extra special, the passphrase to your private key. If you combine this
method of authentication with other ways of securing your SSH server, like port-knocking or
running fail2ban, you can certainly make SSH authentication much, much more secure than just
needing a password to the account.

Is this overkill? Probably. Is this
awesome? Certainly.

About the Author

P { margin-bottom: 0.08in; }

Jonathan is an IT Security Engineer at ReliaQuest in Tampa, Florida.


Ehacking Staff
With more than 50 global partners, we are proud to count the world’s leading cybersecurity training provider. EH Academy is the brainchild of Ehacking, which has been involved in the field of training since the past Five years and continues to help in creating professional IT experts.

Most Popular

How to Install Kali Linux on VirtualBox [Windows Host] in 2020

Kali Linux is a Debian based Linux distribution, released on the 13th March 2013 as a complete rebuild of BackTrack Linux. It is one of...

Acunetix v13 Release Introduces Groundbreaking Innovations

The newest release of the Acunetix Web Vulnerability Scanner further improves performance and premieres best-of-breed technologies London, United Kingdom – February 5, 2019 – Acunetix,...

What is Ethical Hacking, how to be an Ethical Hacker

Hacking is the process of discovering vulnerabilities in a system and using these found vulnerabilities by gaining unauthorized access into the system to perform...

Basic steps to ensure security Online!

Security concerns are growing day by day due to the growing interconnectivity and technology. Drastic things can happen if you be a little careless...