Enabling Google Authenticator MFA on Ubuntu 16.04

A quick guide on enabling the Google Authenticator App for SSH connections to Ubuntu 16.04 Servers.

Note: Before proceeding, ensure you have the Google Authenticator app installed on your phone:

Appstore (iPhone): https://apps.apple.com/gb/app/google-authenticator/id388497605
Play Store (Android): https://play.google.com/store/apps/details?id=com.google.android.apps.authenticator2&hl=en_GB

Installing and Configuring in Ubuntu 16.04:

Firstly, install the package to your server:

sudo apt install -y libpam-google-authenticator

Now run the package to configure the MFA (Note: This should be run as the user on which you would like the MFA applied to). There will be a QR code displaying in the Terminal after running – Open up your Google Authenticator app and click “Add” to scan this barcode.


Proceed through the settings, answering as appropriate.

Note: You should backup the ~/.google_authenticator file in your user directory as this contains the recovery keys. It is also a good idea to ensure you have console access to your server (Or a way of restoring to a previous state) in the event of any of the below going wrong!

Now run the below comamnds to update the SSH service to force MFA on login (Note: Should be run as root – sudo su included below):

sudo su
echo "auth required pam_google_authenticator.so" >> /etc/pam.d/sshd
sed -i 's/ChallengeResponseAuthentication no/ChallengeResponseAuthentication yes/g' /etc/ssh/sshd_config
echo "UsePAM yes" >> /etc/ssh/sshd_config
echo "AuthenticationMethods publickey,password publickey,keyboard-interactive" >> /etc/ssh/sshd_config
sed -i 's/@include common-auth/#@include common-auth/g' /etc/pam.d/sshd

Restart the SSH service to apply:

service ssh restart

If you logout

Any comments or questions? Get in touch here or Email me at [email protected]