Setting up Two-Factor Authentication for Linux Server
In today’s threat landscape, relying on just a username and password is no longer sufficient to secure your Linux server. Two-Factor Authentication (2FA) adds an essential second layer of security, typically using a time-based one-time password (TOTP) that changes every 30 seconds. Here, we’ll walk you through setting up 2FA on your Linux server using Google Authenticator or a compatible app.

Why Use 2FA on a Linux Server?
SSH keys are strong, but a private key that is stolen or stored carelessly gives an attacker everything they need, and a leaked password is worse still. 2FA mitigates this by requiring two independent factors: something you know (your password) or something you have (your SSH key), plus a second thing you have (the phone running the authenticator app). A stolen key or password on its own is then no longer enough to log in.
Benefits of 2FA:
- Protects against brute-force attacks
- Adds an extra layer even if your password is leaked
- Easy to implement with minimal performance impact
Step 1 – Install Google Authenticator PAM Module
Refresh the package index so your Ubuntu server is current, then install the PAM module (the package is libpam-google-authenticator on Debian and Ubuntu; on Fedora and RHEL-family systems with EPEL it is called google-authenticator):
sudo apt update
sudo apt install libpam-google-authenticator
Step 2 – Configure Google Authenticator for Your User
Run the following command as each user you want to protect with 2FA. Run it as that user, not under sudo, so the secret is written to that user's own home directory:
google-authenticator
You will be prompted with several questions, in this order:
- Choose y for time-based tokens (TOTP)
- Scan the QR code printed in the terminal with your mobile authenticator app; the secret key is printed beneath it for manual entry
- Save the emergency scratch codes in a safe place; each one works exactly once and is your way in if you lose the phone
- Choose y to write the ~/.google_authenticator file (it is created owned by the user with mode 0400)
- Choose y to disallow reuse of the same code; a code an attacker captures can then not be replayed within its 30-second window
- Answer n to the question about widening the time-skew window; the default accepts the current code plus one on either side (90 seconds), and widening it to 4 minutes only helps if the server's clock is badly out of sync, at the cost of more codes being valid at once
- Choose y to enable rate limiting (three attempts per 30 seconds)
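To make the time-based step concrete, here is an added example (not part of the original article, and not the project's own code) that computes the same RFC 6238 code that the authenticator app and pam_google_authenticator both derive from the secret written in Step 2, using only POSIX sh and coreutils (sha1sum, cut, tr). The secret used in the comments and usage is the RFC 6238 test key, constructed for the example and not a real enrollment; totp_verify mirrors the module's default acceptance window of one code either side of the current one, which is what the time-skew prompt above is about.

```shell
#!/bin/sh
# Added example, not part of the original article: compute the RFC 6238
# TOTP code that the authenticator app and pam_google_authenticator both
# derive from the shared secret, using only POSIX sh and coreutils. The
# secret used below is the RFC 6238 test key ("12345678901234567890" in
# base32), constructed for this example and not a real enrollment.

# hex2bin HEX: write the raw bytes of a hex string to stdout
hex2bin() {
    fmt=''
    rest=$1
    while [ -n "$rest" ]; do
        byte=${rest%"${rest#??}"}        # first two hex digits
        rest=${rest#??}
        fmt="$fmt$(printf '\\%03o' "$((0x$byte))")"
    done
    printf "$fmt"
}

# base32_to_hex BASE32: decode the secret as stored in ~/.google_authenticator
base32_to_hex() {
    alphabet=ABCDEFGHIJKLMNOPQRSTUVWXYZ234567
    s=$(printf '%s' "$1" | tr 'a-z' 'A-Z' | tr -d '= ')
    bits=0 nbits=0 out=''
    while [ -n "$s" ]; do
        c=${s%"${s#?}"}
        s=${s#?}
        idx=${alphabet%%"$c"*}           # prefix length == symbol value
        [ ${#idx} -lt 32 ] || { echo "bad base32 character: $c" >&2; return 1; }
        bits=$(( (bits << 5) | ${#idx} ))
        nbits=$((nbits + 5))
        while [ $nbits -ge 8 ]; do
            nbits=$((nbits - 8))
            out="$out$(printf '%02x' $(( (bits >> nbits) & 0xff )))"
            bits=$(( bits & ((1 << nbits) - 1) ))
        done
    done
    printf '%s' "$out"
}

# hmac_sha1 KEYHEX MSGHEX: RFC 2104 HMAC over SHA-1, built from sha1sum
hmac_sha1() {
    key=$1 msg=$2
    [ ${#key} -le 128 ] || key=$(hex2bin "$key" | sha1sum | cut -c1-40)
    while [ ${#key} -lt 128 ]; do key="${key}00"; done   # pad to 64 bytes
    ipad='' opad=''
    k=$key
    while [ -n "$k" ]; do
        b=$((0x${k%"${k#??}"}))
        k=${k#??}
        ipad="$ipad$(printf '%02x' $((b ^ 0x36)))"
        opad="$opad$(printf '%02x' $((b ^ 0x5c)))"
    done
    inner=$(hex2bin "$ipad$msg" | sha1sum | cut -c1-40)
    hex2bin "$opad$inner" | sha1sum | cut -c1-40
}

# totp SECRET_BASE32 [UNIX_TIME] [STEP]: the 6-digit code for that time step
totp() {
    secret_b32=$1 t=${2:-$(date +%s)} step=${3:-30}
    key_hex=$(base32_to_hex "$secret_b32") || return 1
    counter_hex=$(printf '%016x' $((t / step)))       # 8-byte big-endian counter
    mac=$(hmac_sha1 "$key_hex" "$counter_hex")
    offset=$(( 0x$(printf '%s' "$mac" | cut -c40) ))  # low nibble of last byte
    start=$((offset * 2 + 1))
    trunc=$(( 0x$(printf '%s' "$mac" | cut -c"$start"-$((start + 7))) & 0x7fffffff ))
    printf '%06d' $((trunc % 1000000))
}

# totp_verify SECRET CODE [UNIX_TIME] [WINDOW]: accept the code for the
# current step and WINDOW steps either side (1, the PAM module's default,
# is what "an extra token before and after the current time" means)
totp_verify() {
    secret=$1 code=$2 now=${3:-$(date +%s)} window=${4:-1}
    i=$((0 - window))
    while [ "$i" -le "$window" ]; do
        [ "$(totp "$secret" $((now + i * 30)))" = "$code" ] && return 0
        i=$((i + 1))
    done
    return 1
}

# usage: TOTP_SECRET=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ sh totp.sh
# RFC 6238 test vector: totp "$TOTP_SECRET" 59 prints 287082
if [ -n "${TOTP_SECRET:-}" ]; then totp "$TOTP_SECRET"; echo; fi
```

Run it with the secret line from a ~/.google_authenticator file and compare with the phone: if the two disagree by exactly one step, the server clock is drifting and NTP, not a wider window, is the fix.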
Step 3 – Configure PAM to Use Google Authenticator
Open the PAM configuration that sshd uses:
sudo nano /etc/pam.d/sshd
Add the following line at the top, ahead of the distribution's own auth entries:
auth required pam_google_authenticator.so
Save and exit. Two caveats before you move on. First, from now on every user who logs in over SSH must have a ~/.google_authenticator file, or the login fails; while you are still enrolling people, append nullok to the line above so unenrolled users are skipped. Note that nullok makes the module return IGNORE rather than SUCCESS, so another auth module on the stack (common-auth, or pam_permit.so if you have removed common-auth) must succeed for the login to go through. Second, if you intend to turn off passwords and require key + code (Step 4), comment out the @include common-auth line in this file; otherwise the keyboard-interactive step asks for the password as well as the code.
Step 4 – Update SSH Configuration
Edit the SSH daemon config:
sudo nano /etc/ssh/sshd_config
Make sure the following settings are present (on OpenSSH 8.7 and later the first one is spelled KbdInteractiveAuthentication; ChallengeResponseAuthentication is still accepted as a deprecated alias):
ChallengeResponseAuthentication yes
UsePAM yes
Optionally, for better security, disable password authentication and use only keys + 2FA:
PasswordAuthentication no
On its own this line still lets a valid key log in with no code at all, because public-key authentication never runs the PAM auth stack. To require both the key and the code, also set AuthenticationMethods to publickey,keyboard-interactive. Remember that sshd uses the first value it finds for a directive, and that Ubuntu's stock file begins with an Include of /etc/ssh/sshd_config.d/*.conf, so check that none of those drop-in files (Ubuntu cloud images ship one from cloud-init) sets PasswordAuthentication or KbdInteractiveAuthentication ahead of yours.
Save and exit.
Step 5 – Restart SSH
Check the configuration first with sudo sshd -t (a syntax error would leave you locked out on restart), then apply the changes by restarting the SSH service (the unit is called ssh on Debian and Ubuntu, sshd on RHEL-family systems):
sudo systemctl restart ssh
Step 6 – Test the Setup
Open a new terminal or session and try logging in:
ssh youruser@yourserver_ip
You should be prompted to enter:
- Your SSH key passphrase or password (if enabled)
- A verification code from your authenticator app
Note : Do not close your existing SSH session until you’ve confirmed that 2FA is working properly.
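Steps 3 to 5 are easy to get subtly wrong by hand (a directive appended below an earlier one, a drop-in file that overrides it, the PAM line added twice on a second run), so here is an added example, not from the original article, that applies them as an idempotent script and checks its work before sshd is restarted. It assumes a Debian/Ubuntu layout (the PAM file includes common-auth, the service is ssh) and GNU sed and stat; the file-editing helpers take the file path as an argument so they can be tried on copies first.

```shell
#!/bin/sh
# Added example, not from the original article: apply Steps 3-5 idempotently
# and verify them before sshd is restarted. Assumes a Debian/Ubuntu layout
# (/etc/pam.d/sshd includes common-auth, the service is "ssh"), GNU sed/stat.
set -u

# set_sshd_directive FILE KEY VALUE
# sshd uses the first value it sees for a directive, and Ubuntu's stock file
# starts with an Include of sshd_config.d/*.conf, so a line appended at the
# end can be silently overridden. Remove every top-level copy of the directive
# (commented or not) and put ours on line 1, ahead of Include and Match.
# Indented lines inside Match blocks are left alone.
set_sshd_directive() {
    file=$1 key=$2 value=$3
    scratch=$(mktemp)
    printf '%s %s\n' "$key" "$value" > "$scratch"
    grep -Eiv "^#?$key[[:space:]]" "$file" >> "$scratch" || true
    cat "$scratch" > "$file" && rm -f "$scratch"
}

# get_sshd_directive FILE KEY: the top-level value sshd would use (first match)
get_sshd_directive() {
    grep -Ei "^$2[[:space:]]" "$1" | head -n 1 | awk '{print $2}'
}

# configure_pam_sshd FILE [enforce|rollout]
# Key + OTP only: the password stack (common-auth) must not run, otherwise the
# keyboard-interactive step asks for the password as well as the code. In
# rollout mode users who have not enrolled yet are let through (nullok); since
# nullok makes the module return IGNORE, PAM needs another module to say
# SUCCESS on this stack, hence pam_permit after it.
configure_pam_sshd() {
    file=$1 mode=${2:-enforce}
    sed -i -E 's/^(@include[[:space:]]+common-auth)/#\1/' "$file"
    grep -q '^auth[[:space:]].*pam_google_authenticator\.so' "$file" && return 0
    if [ "$mode" = rollout ]; then
        printf 'auth required pam_google_authenticator.so nullok\n' >> "$file"
        printf 'auth required pam_permit.so\n' >> "$file"
    else
        printf 'auth required pam_google_authenticator.so\n' >> "$file"
    fi
}

# check_secret_file PATH: the enrollment file holds the shared secret and the
# scratch codes; the module refuses anything more open than 0400/0600.
check_secret_file() {
    [ -f "$1" ] || { echo "missing: $1" >&2; return 1; }
    mode=$(stat -c %a "$1")
    case "$mode" in
        400|600) return 0 ;;
        *) echo "$1 has mode $mode, want 400 or 600" >&2; return 1 ;;
    esac
}

# apply_2fa [enforce|rollout]: the real thing, run as root
apply_2fa() {
    cfg=/etc/ssh/sshd_config
    stamp=$(date +%Y%m%d%H%M%S)
    cp -p "$cfg" "$cfg.bak.$stamp"
    cp -p /etc/pam.d/sshd "/etc/pam.d/sshd.bak.$stamp"
    set_sshd_directive "$cfg" UsePAM yes
    set_sshd_directive "$cfg" KbdInteractiveAuthentication yes
    set_sshd_directive "$cfg" ChallengeResponseAuthentication yes   # pre-8.7 name
    set_sshd_directive "$cfg" PasswordAuthentication no
    # Require the key AND the code; without this a key alone satisfies sshd
    # and the PAM auth stack is never consulted.
    set_sshd_directive "$cfg" AuthenticationMethods publickey,keyboard-interactive
    configure_pam_sshd /etc/pam.d/sshd "${1:-enforce}"
    # Validate before restarting: a broken config would lock you out.
    /usr/sbin/sshd -t && systemctl restart ssh
}

# usage: sudo sh setup-2fa.sh apply [rollout]
if [ "${1:-}" = apply ]; then apply_2fa "${2:-enforce}"; fi
```

Keep the session you ran this from open and test from a second one, as the note above says; if the new login fails, restore the two .bak files and restart ssh again from the surviving session.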
Note : Instead of applying 2FA to everyone through /etc/pam.d/sshd, you can scope it to particular users or groups: a Match User or Match Group block in sshd_config can set AuthenticationMethods for just those accounts, or the PAM line can be gated on group membership with pam_succeed_if.so. Command restrictions in .ssh/authorized_keys are a different control, limiting what a given key may run rather than adding a second factor. This approach is more advanced and often used in multi-user environments.
Additional Tips:
- Back up your .google_authenticator file and recovery codes; the file holds the shared secret in base32 plus the unused scratch codes, so treat the backup as a credential (encrypted, offline) and keep the live file at mode 0400 and owned by the user, which is how the tool creates it
- Use fail2ban or similar tools to block repeated login attempts; the module's own rate limit only covers code guesses, not the rest of the SSH attack surface
- Combine with SSH key authentication for maximum security, and require both with AuthenticationMethods so that neither a stolen key nor a captured code is enough on its own
Conclusion
To significantly increase the security of your Linux server, you can take the easy yet effective step of adding two-factor authentication. Whether you’re managing a personal VPS or enterprise infrastructure, enabling 2FA protects against unauthorized access even if your credentials are compromised.