How to Configure Two-Factor Authentication with Ubuntu

Two-factor authentication (2FA) is an additional layer of security that you can use on your Ubuntu. It is an OTP base configured in the mobile device.

The google 2FA authentication is available on mobile phones. This app allows you to receive a code on mobile after entering your website.

Nowadays all MNC and Corporate company in must be required 2FA for security purposes. it provides an extra security layer.



  • The non-root user with sudo privileges
  • The public or private IP address of your server
  • A phone running Android or Apple iOs 

Step by Step Installation

First, update Ubuntu package repository information:

$ sudo apt-get update

Install the Google Authenticator PAM module

$ sudo apt-get install libpam-google-authenticator

Generate TOTP for a user

The Google PAM is installed in the system. we need to generate a TOTP. You should be all users that want to enable 2FA on their account.

Loggin with the user that you want to generate TOTP for, run the helper Google PAM application below

$ google-authenticator

Do you want authentication tokens to be time-based (y/n) Y

In the next step, you will show the QR code that you can scan with the Google Authenticator app. If you don’t want to scan the QR code, 
you can enter the secret key displayed here manually on the Google Authenticator app on your phone.

Scan the QR code on the mobile device. After the ubuntu machine Yes click on the all option.


Enable PAM On SSH

We will have two configured SSH to allow users to log in using 2FA.

Open the 

$ sudo nano /etc/pam.d/sshd 

Add the line ‘auth required pam_google_authenticator.so’ line at the bottom of the file.

auth required pam_google_authenticator.so


Also the ssh configuration file in add

$ sudo nano /etc/ssh/sshd_config

Add this line in the ssh conf file 

ChallengeResponseAuthentication yes


After restarting ssh services

$ sudo systemctl restart sshd.service


Post a Comment