Google Authenticator (GA) provides a two-step authentication procedure using one-time passcodes (OTP). It's a PAM module which is pretty easy to set up and enhances your protection. For highest security, make sure that both the password and the OTP are requested even if the password and/or OTP are incorrect. This document describes the procedure I used to set up GA on an Ubuntu machine. I also used it on Arch Linux; this link provides great documentation on how to do it.

Setting up Google-authenticator

To set up google-authenticator it is necessary to make sure that the system time is set correctly, since time-based codes are only valid for a short window. I had some initial problems with my NTP, but after figuring out the right way it worked like a charm. This is what I did to get it to work (see this link to get another view).

Download libpam-google-authenticator

$ sudo apt-get install libpam-google-authenticator

Run the actual program as the user you want to use authenticator for.

$ google-authenticator

Answer the questions as they come along… Make sure you are using time-based authentication.

Scan the QR code with the authenticator app on your mobile; this should create an entry in your authenticator.

When all is done, you should have a file named .google_authenticator in the home directory.

Configuring PAM

Time to configure the ssh daemon to use the authenticator. In /etc/pam.d/sshd add the following line at the bottom of the file:

auth required pam_google_authenticator.so nullok

The nullok option tells PAM that this authentication method is optional, so users who have not set up the authenticator yet can still log in. As soon as every user has set up the authenticator, remove it.

Configure sshd

Now it's time to configure sshd. Open the ssh configuration file /etc/ssh/sshd_config

Search for ChallengeResponseAuthentication

ChallengeResponseAuthentication no

Change it to yes.

And restart the ssh daemon

systemctl restart sshd

Make sure you test it before you logout!
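
A check to run before logging out, as an added example that is not part of the original post: shell functions that report whether the PAM line is present and still carries nullok, which value sshd will actually use for ChallengeResponseAuthentication, and whether the secret file is readable by anyone but its owner. The function names and the demo files are constructed for illustration.

```sh
#!/bin/sh
# Added example, not from the original post. Audits the three files the
# guide touches; the sample files in demo() are constructed.

# check_pam FILE: "missing", "optional" (nullok present) or "enforced".
check_pam() {
    line=$(sed -n '/^[[:space:]]*auth[[:space:]].*pam_google_authenticator\.so/p' "$1")
    if [ -z "$line" ]; then echo missing
    elif printf '%s\n' "$line" | grep -qw nullok; then echo optional
    else echo enforced
    fi
}

# check_sshd FILE: effective challenge-response setting. sshd keeps the first
# value it reads for a keyword and skips '#' comments. Newer OpenSSH calls the
# option KbdInteractiveAuthentication and keeps the old name as an alias.
check_sshd() {
    awk 'tolower($1) ~ /^(challengeresponse|kbdinteractive)authentication$/ {
             print tolower($2); found = 1; exit }
         END { if (!found) print "unset" }' "$1"
}

# check_secret FILE: "missing", "private" (owner-only) or "exposed".
check_secret() {
    [ -f "$1" ] || { echo missing; return 0; }
    case $(ls -ld "$1" | cut -c5-10) in
        '------') echo private ;;
        *)        echo exposed ;;
    esac
}

# Demo on constructed files; on a real host pass /etc/pam.d/sshd,
# /etc/ssh/sshd_config and ~/.google_authenticator instead.
demo() {
    d=$(mktemp -d) || return 1
    printf '@include common-auth\nauth required pam_google_authenticator.so nullok\n' > "$d/pam"
    printf '#ChallengeResponseAuthentication yes\nChallengeResponseAuthentication no\n' > "$d/sshd"
    : > "$d/secret"; chmod 644 "$d/secret"
    echo "pam=$(check_pam "$d/pam") sshd=$(check_sshd "$d/sshd") secret=$(check_secret "$d/secret")"
    rm -rf "$d"
}
demo
```

On the constructed files the demo reports pam=optional, sshd=no and secret=exposed: the OTP is still optional, sshd would not prompt for it, and the secret file is readable by other users.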

Date: 2019-11-03 Sun 00:00

Author: Calle Olsen

Created: 2019-11-22 Fri 13:24