Today we’ll take a look at how to set up SSH to take advantage of the one-time passcode support provided by the Google Authenticator package.

By following these steps you can make SSH ask for a Google verification code before asking for the user's login password, thereby adding two-factor authentication to your Linux box. Note that you have to install the Google Authenticator app on your mobile phone to get the verification code you enter when prompted.

The following steps have proven to work on Fedora 16 x86_64 but should work on (almost) every Linux flavour out there.

First of all, we download the Google Authenticator app suitable for our smartphone, then get the authenticator package for our Linux box via yum:

sudo yum install google-authenticator

Then we edit a couple of config files to enable the pluggable authentication module (PAM) that requires one-time passcodes to allow login. Each vim command below is followed by the line that file must contain:

sudo vim /etc/pam.d/sshd
auth required pam_google_authenticator.so
sudo vim /etc/ssh/sshd_config
ChallengeResponseAuthentication yes

Then, restart the SSH daemon (new style):

sudo systemctl restart sshd.service

that is the same as the good old:

sudo service sshd restart

Then launch the Google Authenticator program from the shell to generate a URL linking to the authentication QR code for your user@host: [you may safely answer yes to all questions]

$ google-authenticator
https://www.google.com/chart?chs=200x200&chld=M|0&cht=qr&chl=otpauth://totp/... ... ...
Your new secret key is: ... ...
Your verification code is ... ...
Your emergency scratch codes are:
  ... ... ...
  ... ... ...
  ... ... ...

Browse to the URL generated above and fire up the Google Authenticator app on your smartphone to scan the QR code. Done!
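To confirm that the two configuration edits above are really in effect (a commented-out PAM line or an earlier conflicting sshd_config entry silently leaves you with password-only login), here is a small check script. It is an added example, not part of the original post; the function names and the sample files it builds are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): confirm both edits are active.

# Succeeds if FILE has an uncommented "auth required pam_google_authenticator.so"
# line; trailing module arguments are allowed.
pam_has_otp() {
    grep -Eq '^[[:space:]]*auth[[:space:]]+required[[:space:]]+pam_google_authenticator\.so([[:space:]]|$)' "$1"
}

# Prints the effective ChallengeResponseAuthentication value in FILE, or "unset".
# sshd keywords are case-insensitive and the first value found wins, so a later
# duplicate does not override an earlier one. Handles the "Keyword value" form.
sshd_challenge_response() {
    awk 'tolower($1) == "challengeresponseauthentication" { print $2; found = 1; exit }
         END { if (!found) print "unset" }' "$1"
}

# Returns 0 only when both settings from the steps above are in effect.
check_otp_config() {
    rc=0
    if ! pam_has_otp "$1"; then
        echo "MISSING: auth required pam_google_authenticator.so in $1"; rc=1
    fi
    value=$(sshd_challenge_response "$2")
    if [ "$value" != "yes" ]; then
        echo "WRONG: ChallengeResponseAuthentication is '$value' in $2"; rc=1
    fi
    return $rc
}

# Constructed sample files (not real system files) showing a good and a bad setup.
demo=$(mktemp -d)
printf '%s\n' 'auth required pam_google_authenticator.so' 'auth include password-auth' > "$demo/pam_good"
printf '%s\n' '#auth required pam_google_authenticator.so' 'auth include password-auth' > "$demo/pam_bad"
printf '%s\n' 'Port 22' 'ChallengeResponseAuthentication yes' > "$demo/sshd_good"
printf '%s\n' 'ChallengeResponseAuthentication no' 'ChallengeResponseAuthentication yes' > "$demo/sshd_bad"

check_otp_config "$demo/pam_good" "$demo/sshd_good" && echo "good sample: OK"
check_otp_config "$demo/pam_bad" "$demo/sshd_bad" || echo "bad sample: rejected"
```

On a real host, call `check_otp_config /etc/pam.d/sshd /etc/ssh/sshd_config` as root, and keep an existing SSH session open while you test a fresh login.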