1. This article applies to Debian based Linux and Ubuntu variants
  2. Does not work if the user’s home drive is encrypted

Getting started:

I will be demonstrating how to use the Google authenticator PAM module for 2 factor. Google uses a time-based OPT algorithm and it does not phone home to work. You will need an Android or iOS device with the Google Authenticator app installed.

Install the Google authentication module by opening terminal and typing in:

sudo apt-get install libpam-google-authenticator

Generate Authentication Key by running this command:


Follow the instructions to generate a key by pressing “y”. Copy the secret key, the verification code and the scratch codes and store it securely. Scan the bar code from the app on your phone to initialize the code. Please note at this point we have installed the module and generated a key only. We still have to enable the PAM for SSH login manually. The steps below updates the “pam.d” config file to allow “pam_google_authenticator.so” and “sshd_config” to set “ChallengeResponseAuthentication yes” and then restarts the SSH service.

Open pam.d/ssh with vi or nano:   

sudo nano /etc/pam.d/sshd and add the line
auth required pam_google_authenticator.so

Open sshd_config and locate ChallengeResponseAuthentication line, and edit it to say:

sudo nano /etc/ssh/sshd_config
“ChallengeResponseAuthentication yes”

Restart SSH service:

sudo service ssh restart

Next time you SSH in you will be prompted for your password and the OTP before you are authenticated.