User Tools

Site Tools


Two Factor Autentication with Linux (2FA)

The Google 2 Factor Authentication makes it possible to protect your headless servers under Linux.

To install two factor authentication (2FA) from google on Linux, follow these steps on a command line Debian or Ubuntu machine:

Login with your account and do the installation of the authenticator with

sudo apt install libpam-google-authenticator

Configure pam with sudo nano /etc/pam.d/common-auth and add the following line at the end of the file:

auth required nullok

The NULLOK option gives the option to login without a 2FA code as long a user has not setup 2FA. For the sake of security try not to use this option.

The next step is to configure SSH to be able to login remotely. If you don’t configure this you won’t be able to ssh to your server anymore.

Enable the PAM module by editing nano /etc/pam.d/sshd and make sure that @include common-auth is at the end of the file. The comment usually will be at the top of the file. If you have to login twice you have the argument two times!

Set the follwoing lines ChallengeResponseAuthentication yes and UsePAM yes in /etc/ssh/sshd_config.

Do a systemctl restart sshd or service sshd restart

You now have 2 Factor Authentication enabled.

NOTE: By putting the PAM module at the end of the file you will have the challenge after you have entered the password. If you like to first have the challenge, put the 2fa PAM module before the password.

You now have to configure 2FA for every user who needs access to the system. Start configuring your own user and then all other users by doing the following:

Type in the command google-authenticator Type Y for the fist question

Write down the settings which will be presented (make sure you store them in a save place). These are the rescue settings if you don't get in anymore. Parallel to that open the Google Authenticator on you phone and enter the new settings directly into your Authenticator Settings on your phone. Give it a name (it doesn't have to be an e-mail address) and enter the code you have written down.

Answer the rest of the questions with Y unless you like to deviate. Repeat this for every user and don’t forget your root user!

Do not logoff before you have tested this configuration! Open a new window and try your new settings.

If everything is working correctly you now have a new level of security.

NOTE: It is possible to have multiple servers using the same code generated by your phone without adding multiple accounts. Simply replace the content of the file /root/.google_authenticator or /home/your_user/.google_authenticator after you have installed and configured the authenticator of the new server.

To use the Google 2 Factor Authenticator also in your Webmin do the following:

nano /etc/webmin/miniserv.conf and add the line at the end of the file pam_conv=1

Then do:

 nano /etc/pam.d/webmin
 auth required

Restart the Webmin Service with:

 service webmin restart or systemctl restart webmin

Shoud you have any login problems in Webmin, reset your password with:

 cd /usr/share/webmin
 ./ /etc/webmin/ username password
 systemctl restart webmin

If you like to disable 2FA, just comment out auth required nullok in /etc/pam.d/common-auth.


*If you just want to enable 2FA for ssh not interfering with other applications do the following:*

 apt install libpam-google-authenticator -y
 answer with Yes - Yes - Yes - No - Yes

If you want to use a common code for all your machines alter it:

 nano /root/.google_authenticator

and replace the code according to your other servers at the top of the file

 nano /etc/pam.d/sshd
 @include common-auth
 auth required no_warn try_first_pass
 auth required
 nano /etc/ssh/sshd_config
 ChallengeResponseAuthentication yes
 PasswordAuthentication yes
 AuthenticationMethods keyboard-interactive
 UsePAM yes
 service ssh restart

Thas all.


Your ArtIT Team


2fa_linux.txt · Last modified: 2023/08/03 11:45 by admin