Secure Your Linux Server with Google Authenticator Two-Factor Authentication: A Complete Guide

This guide walks you through installing PAM modules, generating Google Authenticator codes, configuring SSH and sudo for two-factor authentication, setting up Fail2ban to block brute-force attempts, and recovering from lockouts, providing all commands and configuration steps for a hardened Linux server.

Open Source Linux

Two-factor authentication (2FA) is a widely used security measure that adds a one‑time verification code to the login process, effectively preventing account compromise even if passwords are leaked.

1 Install PAM module

# Sync time with NTP server (TOTP codes are derived from the current time, so the server clock must be accurate)
ntpdate pool.ntp.org

# Ubuntu
sudo apt install -y libpam-google-authenticator

# CentOS 7
yum install -y epel-release
yum install -y google-authenticator

2 Generate 2FA code

# Generate the secret and QR code (run as the user that needs 2FA)
# -t: use TOTP
# -f: write ~/.google_authenticator without asking for confirmation
# -d: disallow reuse of previous tokens
# -w 3: accept a window of 3 codes (previous, current and next), which tolerates about 30 seconds of clock skew
# -e 10: generate 10 emergency backup codes
# -r 3 -R 30: rate limit – 3 attempts per 30 seconds
google-authenticator -t -f -d -w 3 -e 10 -r 3 -R 30

Warning: pasting the following URL into your browser exposes the OTP secret to Google:
https://www.google.com/chart?chs=200x200&chld=M|0&cht=qr&chl=otpauth://totp/vagrant@vagrant?secret=KZ7QPA11115XTQJQGBFWAIUJBY&issuer=vagrant

Your new secret key is: KZ7xxx7EI5123xxx123
Your verification code is: 90xx71
Your emergency scratch codes are:
1571xx03
9968xx56
2319xx89
8321xx97
9730xx15
3424xx23
5667xx03
9408xx86
7502xx41
4677xx14
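To make the -t, -w and -d options from step 2 concrete, the following added example (not part of the original article, and not the PAM module's own code) computes RFC 6238 codes and models a verifier with a code window and reuse protection. It assumes the RFC 6238 defaults (HMAC-SHA1, 30-second step, 6 digits); the `Verifier` class is hypothetical and the secret is constructed from the RFC test key.

```python
import base64, hashlib, hmac, struct

STEP = 30  # seconds per code (RFC 6238 default)

def totp(secret_b32, counter, digits=6):
    """RFC 6238 code for one 30-second time-step counter (HMAC-SHA1)."""
    pad = "=" * (-len(secret_b32) % 8)
    key = base64.b32decode(secret_b32.upper() + pad)
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

class Verifier:
    """Hypothetical model of -w (window of valid codes) and -d (no reuse)."""

    def __init__(self, secret_b32, window=3):
        self.secret = secret_b32
        self.window = window
        self.used = set()  # time steps whose code was already accepted (-d)

    def check(self, code, now):
        current = int(now // STEP)
        half = (self.window - 1) // 2  # window 3 -> one step either side
        for step in range(current - half, current + half + 1):
            if hmac.compare_digest(totp(self.secret, step), code):
                if step in self.used:
                    return False  # replayed code is rejected
                self.used.add(step)
                return True
        return False

# Constructed secret: base32 of the RFC 6238 test key "12345678901234567890"
SECRET = base64.b32encode(b"12345678901234567890").decode()

if __name__ == "__main__":
    v = Verifier(SECRET, window=3)
    code = totp(SECRET, 59 // STEP)  # code the phone shows at t = 59 s
    print("code at t=59:", code)
    print("server clock 25 s ahead:", v.check(code, 59 + 25))
    print("same code replayed:", v.check(code, 59 + 25))
    print("fresh verifier, 60 s ahead:", Verifier(SECRET).check(code, 59 + 60))
```

A code is accepted while the server is at most one time step away from the step that produced it, and only once.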

3 Configure SSH to enable 2FA

# Edit PAM configuration for SSH
sudo vim /etc/pam.d/sshd
# Add the following line (PAM then asks for the verification code; the SSH password method is disabled in sshd_config below)
auth required pam_google_authenticator.so

# Edit SSH daemon configuration
sudo vim /etc/ssh/sshd_config
Port 1090
ChallengeResponseAuthentication yes
PubkeyAuthentication yes
PasswordAuthentication no
AuthenticationMethods publickey,keyboard-interactive

# Restart SSH service
sudo systemctl restart ssh.service

4 Configure sudo to require 2FA

# Edit common authentication PAM file (Debian/Ubuntu; applies to every service that includes this file, not only sudo)
sudo vim /etc/pam.d/common-auth
auth required pam_google_authenticator.so

# Restart SSH (to apply changes)
sudo systemctl restart ssh.service

5 Install Google Authenticator on your phone

1. Scan the QR code generated in step 2 with the Google Authenticator app.
2. Use the app to obtain the dynamic verification code each time you log in to the server.

6 Use Fail2ban to block repeated password attempts

# Install Fail2ban
sudo apt install -y fail2ban

# Create/modify jail.local
sudo vim /etc/fail2ban/jail.local
[DEFAULT]
ignoreip = 127.0.0.1/8
bantime  = 86400
findtime = 600
maxretry = 5
banaction = firewallcmd-ipset
action = %(action_mwl)s

[sshd]
enabled = true
filter  = sshd
port    = 1090
action  = %(action_mwl)s
# /var/log/secure is the RHEL/CentOS path; on Ubuntu the equivalent file is /var/log/auth.log
logpath = /var/log/secure

# Restart Fail2ban service
sudo systemctl restart fail2ban

7 Recover from 2FA lockout

# Disable 2FA for SSH logins if the authenticator app is unavailable
# (this sshd_config setting applies to all users)
sudo vim /etc/ssh/sshd_config
# Change authentication methods back to publickey only by replacing
#   AuthenticationMethods publickey,keyboard-interactive
# with
AuthenticationMethods publickey

# Restart SSH service
sudo systemctl restart ssh.service