Two-factor authentication (2FA) for SSH adds an extra layer of security by requiring both your SSH key and a time-based one-time password (TOTP) from an authenticator app. This guide configures 2FA for SSH using Google Authenticator PAM on Ubuntu 26.04 LTS.

Tested and valid on:

  • Ubuntu 26.04 LTS

Prerequisites

  • Ubuntu 26.04 LTS
  • SSH access with key-based authentication already set up
  • A smartphone with Google Authenticator, Aegis, or a compatible TOTP app

Step 1 – Install Google Authenticator PAM

sudo apt update
sudo apt install libpam-google-authenticator -y

Step 2 – Configure Google Authenticator for Your User

google-authenticator

Answer the prompts as follows: use time-based tokens (y), update your ~/.google_authenticator file (y), disallow multiple uses of the same token (y), widen the default 30-second window (n), enable rate-limiting (y). Scan the QR code with your authenticator app.

Step 3 – Configure PAM for SSH

sudo nano /etc/pam.d/sshd

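Add the line below at the top. The nullok option lets accounts that do not yet have a ~/.google_authenticator file log in without a code, so remove it once every user is enrolled: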

auth required pam_google_authenticator.so nullok

Step 4 – Configure SSH Daemon

sudo nano /etc/ssh/sshd_config

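Set the following. On current OpenSSH releases ChallengeResponseAuthentication is a deprecated alias for KbdInteractiveAuthentication, and sshd keeps the first value it reads for a keyword, so if the file already contains a KbdInteractiveAuthentication line, change that line instead of adding a second setting below it: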

ChallengeResponseAuthentication yes
AuthenticationMethods publickey,keyboard-interactive

Step 5 – Restart SSH

sudo systemctl restart ssh

Step 6 – Test 2FA Login

Keep your current session open as a fallback, then open a new terminal and SSH into the server. After key authentication, you will be prompted for the verification code from your authenticator app.
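
A check for Steps 3 and 4, added here as an example and not part of the original guide: it reads a copy of /etc/pam.d/sshd and saved sshd -T output and reports whether the TOTP requirement is actually in effect. The function names and the sample inputs are assumptions made for illustration.

```shell
#!/bin/sh
# Added example; function names are hypothetical, sample inputs are constructed.
# On a host: sudo sshd -T > effective.conf
#            sshd_2fa_gaps effective.conf; pam_totp_state /etc/pam.d/sshd

# pam_totp_state FILE -> prints "enforced", "nullok" or "missing"
pam_totp_state() {
    line=$(grep -E '^[[:space:]]*auth[[:space:]].*pam_google_authenticator\.so' "$1" | head -n 1)
    if [ -z "$line" ]; then
        echo missing
    elif printf '%s\n' "$line" | grep -Eq '[[:space:]]nullok([[:space:]]|$)'; then
        echo nullok      # accounts without ~/.google_authenticator skip the code
    else
        echo enforced
    fi
}

# sshd_2fa_gaps FILE -> one line per effective setting that differs from Step 4.
# FILE holds `sshd -T` output, which prints keywords in lower case.
sshd_2fa_gaps() {
    grep -Eq '^(kbdinteractive|challengeresponse)authentication yes$' "$1" ||
        echo "keyboard-interactive authentication is not enabled"
    # UsePAM is not set in this guide; it must be yes for the PAM stack to run.
    grep -Eq '^usepam yes$' "$1" || echo "usepam is not yes"
    grep -Eq '^authenticationmethods publickey,keyboard-interactive(:pam)?$' "$1" ||
        echo "authenticationmethods is not publickey,keyboard-interactive"
    return 0
}

# Constructed samples: nullok still present, Step 4 not yet in effect.
tmp=$(mktemp -d)
cat > "$tmp/pam" <<'EOF'
auth required pam_google_authenticator.so nullok
@include common-auth
EOF
cat > "$tmp/effective" <<'EOF'
usepam yes
kbdinteractiveauthentication no
authenticationmethods any
EOF
echo "PAM TOTP state: $(pam_totp_state "$tmp/pam")"
sshd_2fa_gaps "$tmp/effective"
rm -rf "$tmp"
```

An empty result from sshd_2fa_gaps together with "enforced" from pam_totp_state means both the key and the code are required for every account.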

Step 7 – Emergency Scratch Codes

During setup, Google Authenticator provided emergency scratch codes. Store these securely offline — they let you log in if you lose access to your authenticator app.

Conclusion

SSH 2FA is configured on Ubuntu 26.04 LTS. Each login now requires both the SSH private key and a TOTP code, providing defence-in-depth against stolen credentials.