“How to configure two-factor authentication (2FA) using Google Authenticator on Ubuntu 16.04 LTS Server Edition”




In this tutorial, we will describe the necessary steps to configure two-factor authentication (2FA) using Google Authenticator (application on our Android mobile device.) on an Ubuntu 16.04 LTS Server Edition. This method adds another layer of protection to our server adding an extra step to the basic login procedure.


Login to our  server via SSH as user root

$: ssh user@IP_Address

Update its repository and install the new packages:

$: sudo apt-get update && apt-get upgrade

Install the Google Authenticator package.

$: sudo apt-get install libpam-google-authenticator


Once the package is installed, run the google-authenticator program to create a key for the user you will be logging with. The program can generate two types of authentication tokens – time-based and one-time tokens. Time-based passwords will change randomly at a certain amount of time, and one-time passwords are valid for a single authentication. In our case, we will use time-based passwords. Run the program to create the keys

$: google-authenticator

We will be asked if we want the authentication to be time-based.

Do you want authentication tokens to be time-based (y/n) y

Big QR code will be generated in our terminal. We can scan the code with the authenticator application on our Android/iOS/Windows phone or tablet or enter the secret key generated on the screen.

Screen Shot 2017-07-31 at 12.49.13.png

Emergency scratch codes will also be generated. We can use these codes for authentication in case We lose our mobile device.

Your emergency scratch codes are:

Save the authentication settings for the root user by answering YES to the next questions

Do you want me to update your "/root/.google_authenticator" file (y/n) y

Do you want to disallow multiple uses of the same authentication
token? This restricts you to one login about every 30s, but it increases
your chances to notice or even prevent man-in-the-middle attacks (y/n) y

By default, tokens are good for 30 seconds and in order to compensate for
possible time-skew between the client and the server, we allow an extra
token before and after the current time. If you experience problems with poor
time synchronization, you can increase the window from its default
size of 1:30min to about 4min. Do you want to do so (y/n) n

If the computer that you are logging into isn't hardened against brute-force
login attempts, you can enable rate-limiting for the authentication module.
By default, this limits attackers to no more than 3 login attempts every 30s.
Do you want to enable rate-limiting (y/n) y

Now we have the Google Authenticator application configured and the next step is to configure the authentication settings in openSSH.

$: sudo nano /etc/pam.d/sshd

auth required pam_google_authenticator.so

Save the changes, and open the “/etc/ssh/sshd_config” file and enable Challenge Response Authentication.

$: sudo nano /etc/ssh/sshd_config

ChallengeResponseAuthentication yes

Save the file, and restart the SSH server for the changes to take effect.

$: sudo systemctl restart ssh

Two-factor authentication is now enabled on our server and every time we try to login to our Ubuntu 16.04 LTS Server Edition via SSH we will have to enter our user’s password and the verification code generated by Google Authenticator.


“cya to the next 1…. Njoy !”
bye dakj

Disclaimer: All the tutorials included on this site are performed in a lab environment to simulate a real world production scenario. As everything is done to provide the most accurate steps to date, we take no responsibility if you implement any of these steps in a production environment.

“We learn from our mistakes”