Linux tutorial: configuring MFA with SSH

How to activate MFA?

I. Presentation

In this tutorial, we will learn how to configure multi-factor authentication (MFA) on the SSH access of a Linux server in order to strengthen authentication: in addition to the username and password, a one-time verification code will need to be entered to authenticate to the server.

MFA is compatible with authentication by credentials (username / password), but also with authentication by keys.

On the Linux server, we will have to install and configure Google PAM Authenticator, which corresponds to the package “libpam-google-authenticator” (project page). On your smartphone, you can use the code generation application of your choice: FreeOTP, Microsoft Authenticator, Google Authenticator, etc. There is plenty of choice!

This configuration applies to different distributions, including Debian, Ubuntu, Fedora, Rocky Linux, etc. For my part, I am using a Debian 11 machine for this demonstration.

II. Installation and configuration of Google PAM Authenticator

Connect to your Linux server, update the package cache and install the package mentioned in the introduction:

sudo apt-get update
sudo apt-get install libpam-google-authenticator

SSH MFA - Installing libpam-google-authenticator

Once the installation is done, we can move on to configuring the module. This will require using your smartphone with your OTP application. Run this command:

google-authenticator


Answer “y” to the first question for a QR code to be generated. This code must be scanned with your OTP application, from your smartphone.

SSH MFA - Google QR code

Under the QR code, there is the question “Enter code from app“: enter the code displayed on your smartphone, and confirm, to check that it works correctly. Also write down the emergency codes in a safe place, in your favorite password manager, for example. These codes are for use only if you have any problem with the OTP app on your smartphone.

SSH MFA - Rescue Code

Then, you have to answer 4 questions to refine the configuration. For the configuration to be secure (protection against certain attacks), it is necessary to answer “y” (yes) to all of these questions. For example, this will impose a limit on connection attempts: 3 attempts every 30 seconds.

SSH MFA - Configuring Google PAM Authenticator

Google PAM setup is complete! Let’s move on.

III. Enable MFA on SSH connection

Now we need to configure the Linux authentication module and SSH to rely on Google PAM to enable MFA. Start by modifying this file:

sudo nano /etc/pam.d/sshd

Add this line at the end of the file and save:

auth required pam_google_authenticator.so

SSH MFA - PAM configuration

If you want to allow login without MFA, for example for a user for whom MFA is not configured, add this option:

auth required pam_google_authenticator.so nullok

Then, it is the SSH server itself that must be configured. Open the SSH configuration file:

sudo nano /etc/ssh/sshd_config

Look for the option “ChallengeResponseAuthentication” and set it to “yes” instead of “no”.

ChallengeResponseAuthentication yes

Linux - Enable MFA in SSH

To use MFA with authentication by keys (the following is not useful for authentication by login and password), the configuration is a little different. In addition to the option that we have just activated, we must add this option:

AuthenticationMethods publickey,keyboard-interactive

Of course, this is in addition to the lines to disable password authentication and to enable the public key-based method:

PubkeyAuthentication yes
PasswordAuthentication no

Close the file and restart the SSH service to apply the changes:

sudo systemctl restart sshd

It’s time to test!

IV. SSH: testing the MFA connection

From a remote machine, initiate an SSH connection to your server where MFA is active, and log in with the user for whom we have just activated MFA. And then, surprise, a new step called “Verification code” is displayed! That’s when you have to open the code generator app on your smartphone to get a code and enter it.

Linux - Test SSH connection with MFA

Following this connection, in the log “/var/log/auth.log“, you will see a line like this:

sshd(pam_google_authenticator)[1192687]: Accepted google_authenticator for flo

If an incorrect code is entered, there will also be an entry in the logs recording the attempt. This event is interesting and may be a sign of compromise, as it indicates that someone knows the username and password but is stuck at the second authentication factor.
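To act on that signal, the following Python example (added here, not part of the original tutorial) counts rejected verification codes per user in auth.log and reports users who reach a threshold inside a time window. The failure message text, the sample log lines, the host and the "admin" user, the threshold and the window are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# "Accepted google_authenticator for" is the line shown in the tutorial.
# "Invalid verification code for" is assumed to be the module's failure
# message: confirm it against your own /var/log/auth.log.
LINE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ [\d:]{8}) \S+ sshd\(pam_google_authenticator\)\[\d+\]: "
    r"(?P<event>Accepted google_authenticator|Invalid verification code) "
    r"for (?P<user>\S+)$"
)

# Constructed sample lines (traditional syslog timestamps, hypothetical host).
SAMPLE = """\
Mar  3 10:15:02 srv sshd(pam_google_authenticator)[2101]: Invalid verification code for flo
Mar  3 10:15:40 srv sshd(pam_google_authenticator)[2101]: Accepted google_authenticator for flo
Mar  3 11:02:10 srv sshd(pam_google_authenticator)[2250]: Invalid verification code for admin
Mar  3 11:02:45 srv sshd(pam_google_authenticator)[2250]: Invalid verification code for admin
Mar  3 11:03:20 srv sshd(pam_google_authenticator)[2263]: Invalid verification code for admin
""".splitlines()

def parse(lines, year):
    """Yield (timestamp, user, accepted) for each pam_google_authenticator line."""
    for line in lines:
        m = LINE.match(line.strip())
        if m:  # syslog omits the year, so the caller supplies it
            when = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield when, m["user"], m["event"].startswith("Accepted")

def second_factor_alerts(lines, year, threshold=3, window_s=600):
    """Return {user: count} for users with >= threshold rejected codes in window_s."""
    streak = defaultdict(list)  # user -> timestamps of recent rejected codes
    alerts = {}
    for when, user, accepted in sorted(parse(lines, year)):
        if accepted:
            streak[user] = []  # a success ends the streak (likely a mistyped code)
            continue
        recent = [t for t in streak[user] if (when - t).total_seconds() <= window_s]
        streak[user] = recent + [when]
        if len(streak[user]) >= threshold:
            alerts[user] = max(alerts.get(user, 0), len(streak[user]))
    return alerts

if __name__ == "__main__":
    for user, count in second_factor_alerts(SAMPLE, 2024).items():
        print(f"ALERT {user}: {count} rejected verification codes")
```

A single rejected code followed by an accepted one (the "flo" lines) is treated as a typing mistake, while repeated rejections with no success (the "admin" lines) raise an alert.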

Now it’s up to you to configure your servers!

