Linux Hack of the Week #9: Using Google Authenticator for 2FA

The implementation of two-factor authentication (2FA) is one of the simplest ways to make a huge improvement in the security of your systems. There are a number of ways to implement it such as email, text messages, and applications. Google has done a great job of creating a two-factor authentication app that can be integrated into a number of different applications.

In this week’s hack, I’ll lay out the steps needed to configure 2FA for use with SSH on Linux servers. Google provides a module to use with the Linux Pluggable Authentication Module (PAM) framework.


First, you will want to install the Google Authenticator app on your mobile device. This can be found in the app store on your device:

For this demo, I am using Fedora 28. With any luck, all of these steps should work on Red Hat, CentOS, and Fedora. To install the module run:

[joe@fedora28 ~]$ sudo dnf install google-authenticator

Next, configure the application by running google-authenticator:

It will print a QR code out on the console to scan with the mobile application. You can also manually enter the codes printed out, but I find scanning always works.


Now, you will need to update PAM to require 2FA for ssh connections. Edit the file /etc/pam/sshd:

[joe@fedora28 ~]$ vi /etc/pam.d/sshd

Add the option:

auth       required nullok

What the option nullok does is allow users without 2FA to login and create their QR code and initialize the Google Authenticator app. Once all users have configured the app, remove nullok:

Next, edit /etc/ssh/sshd_config and change the option ChallengeResponseAuthentication from no to yes:

Now, restart sshd and try to connect, it will prompt you for a verification code. This is a six digit code found in the Google Authenticator app:

[joe@fedora28 ~]$ sudo service sshd restart
[joe@fedora28 ~]$ ssh you@localhost


With that simple configuration change, you have now added significant improvements in security to your Linux hosts. Did you know that the Automox console supports 2FA? It is as simple as turning on the option in the UI. Check out this blog post for a quick walkthrough of the two different types of 2FA Automox supports. As always, if you have any questions feel free to reach out:

About Automox

Facing growing threats and a rapidly expanding attack surface, understaffed and alert-fatigued organizations need more efficient ways to eliminate their exposure to vulnerabilities. Automox is a modern cyber hygiene platform that closes the aperture of attack by more than 80% with just half the effort of traditional solutions.

Cloud-native and globally available, Automox enforces OS & third-party patch management, security configurations, and custom scripting across Windows, Mac, and Linux from a single intuitive console. IT and SecOps can quickly gain control and share visibility of on-prem, remote and virtual endpoints without the need to deploy costly infrastructure.

Experience modern, cloud-native patch management today with a 15-day free trial of Automox and start recapturing more than half the time you're currently spending on managing your attack surface. Automox dramatically reduces corporate risk while raising operational efficiency to deliver best-in-class security outcomes, faster and with fewer resources.

Dive deeper into this topic