Kensuke Kousaka's Blog

Notes for Developing Software, Service.

Add Google Authenticator to SSH service

This article describes how to add Google Authenticator (one of the two-step authentication systems) to the SSH service.

First, run the following command to install the Google Authenticator PAM library.

# pacman -S libpam-google-authenticator

Next, edit /etc/pam.d/sshd to add Google Authenticator to sshd. Add the following line above the default configuration lines.

auth sufficient pam_google_authenticator.so

Also edit /etc/ssh/sshd_config so that sshd supports Google Authenticator.

ChallengeResponseAuthentication yes
AuthenticationMethods publickey,keyboard-interactive

Create a secret key in the user's home directory for Google Authenticator to use. Run the following command to generate the secret key.

$ google-authenticator

After you answer some questions, the command shows a URL, a secret key, and emergency codes. Opening the URL in a web browser displays a QR code; scan this QR code with your two-factor authentication app to register the account.

You should save the emergency codes in a safe, offline place so that you can still log in even if you lose access to your two-factor authentication app.

Once you have finished these settings, run the following command to activate them.

# systemctl reload sshd
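
A check worth running before the reload above: the script below is an added example, not part of the original post, that confirms the PAM line and the two sshd_config settings from this article are actually in effect. The function names sshd_value and check_ssh_2fa are hypothetical, and the script assumes a plain configuration without Include files or Match blocks.

```shell
#!/bin/sh
# Added example (not from the original post): offline check of the two files
# edited above. Function names are hypothetical. Include files, Match blocks
# and the "Keyword=value" spelling are not handled.

# Print the first active value of an sshd_config keyword. $1 is a lowercase
# regex of keyword names; sshd keeps the first value it reads for a keyword.
sshd_value() {
    awk -v re="^($1)\$" '
        /^[ \t]*#/ { next }
        tolower($1) ~ re { $1 = ""; sub(/^[ \t]+/, ""); print; exit }
    ' "$2"
}

# Usage: check_ssh_2fa PAM_FILE SSHD_CONFIG
# Prints one line per problem; returns 0 only if every check passes.
check_ssh_2fa() {
    pam_file=$1; sshd_file=$2; rc=0

    # An active auth line must load the module (its file name uses underscores).
    if ! grep -Eq '^[[:space:]]*auth[[:space:]].*pam_google_authenticator\.so' "$pam_file"; then
        echo "FAIL: $pam_file has no active auth line for pam_google_authenticator.so"
        rc=1
    fi

    # Newer OpenSSH names this option KbdInteractiveAuthentication and keeps
    # ChallengeResponseAuthentication as an alias, so accept either.
    kbd=$(sshd_value 'challengeresponseauthentication|kbdinteractiveauthentication' "$sshd_file")
    if [ "$(printf '%s' "$kbd" | tr '[:upper:]' '[:lower:]')" != "yes" ]; then
        echo "FAIL: keyboard-interactive authentication is not enabled"
        rc=1
    fi

    # Commas mean "all of these", spaces mean "any of these lists", so every
    # list must name both factors or one factor alone is enough to log in.
    methods=$(sshd_value 'authenticationmethods' "$sshd_file")
    [ -n "$methods" ] || { echo "FAIL: AuthenticationMethods is not set"; rc=1; }
    for list in $methods; do
        case ",$list," in
            *,publickey,*) ;;
            *) echo "FAIL: method list '$list' does not require publickey"; rc=1 ;;
        esac
        case ",$list," in
            *,keyboard-interactive[,:]*) ;;
            *) echo "FAIL: method list '$list' does not require keyboard-interactive"; rc=1 ;;
        esac
    done
    return "$rc"
}
```

Call it as check_ssh_2fa /etc/pam.d/sshd /etc/ssh/sshd_config; sshd -t separately checks that the configuration file parses. Keep an existing SSH session open until a new login has succeeded with both factors.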