How to Enable SSH 2FA on Linux - Evoxt

How to Enable SSH 2FA on Linux

Securing your Evoxt VPS is essential, and enabling Two-Factor Authentication (2FA) for SSH is one of the most effective ways to prevent unauthorized access. This guide explains how to enable SSH 2FA on Linux, covering major distributions like Ubuntu, Debian, and RHEL-based systems (including AlmaLinux, Rocky Linux, and CentOS).

Why Enable SSH 2FA on Linux?

Adding 2FA to SSH provides an extra layer of security for your VPS. It prevents brute-force attacks, works with TOTP apps like Google Authenticator or Authy, and is compatible with both password and key-based logins.

Step 1: Install Google Authenticator Module

First, install the required package:
# Debian/Ubuntu
sudo apt update
sudo apt install libpam-google-authenticator -y

# RHEL
sudo dnf install epel-release -y
sudo dnf install google-authenticator -y

Step 2: Set Up 2FA for Your User

Run the setup tool and follow the prompts:
google-authenticator
Scan the QR code using a TOTP app (Google Authenticator, Authy, etc.) and answer yes to all prompts. This generates a .google_authenticator file in your home directory.

QR code not showing? Install qrencode (sudo apt install libqrencode3 or sudo dnf install qrencode).


Step 3: Configure PAM for SSH

Edit the PAM configuration file and add the Google Authenticator line:
sudo nano /etc/pam.d/sshd
Add this line at the top:
auth required pam_google_authenticator.so
nano not found? Install it with sudo apt install nano or sudo yum install nano.

Step 4: Update SSH Configuration

Edit your SSH configuration file:
#Ubuntu/Debian/RHEL
sudo nano /etc/ssh/sshd_config

#RHEL 9+ (AlmaLinux 9+, Rocky 9+)
sudo nano /etc/ssh/sshd_config.d/50-redhat.conf
Ensure the following lines are present:
ChallengeResponseAuthentication yes
UsePAM yes
KbdInteractiveAuthentication yes

Step 5: Restart SSH Service

Restart the SSH service to apply changes:
# Debian/Ubuntu
sudo systemctl restart ssh

# RHEL
sudo systemctl restart sshd

Step 6: Test SSH 2FA Login

Log out, then log back in to your server:
ssh USERNAME@IP
After entering your password or SSH key, you'll be prompted to enter the 2FA verification code from your authenticator app. If successful, you’ll be logged in securely.
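
A pre-restart check for the edits in Steps 3 and 4, added here as an example and not part of Evoxt's guide: it reads the two files and reports settings that would leave the code prompt inactive, including an earlier "no" that shadows a later "yes" (sshd uses the first value it reads). The function names and sample files are constructed for illustration; Include files are not followed, so on a live host `sudo sshd -T` remains the authoritative view of the effective settings.

```shell
# Added example: offline check of the files edited in Steps 3 and 4.
# Assumes one "Keyword value" pair per line; Include files are not followed.

# first_value FILE REGEX: value of the first uncommented global keyword that
# matches REGEX (keywords are case-insensitive; stop at the first Match line).
first_value() {
    awk -v re="^($2)\$" '
        $1 ~ /^#/ { next }
        tolower($1) == "match" { exit }
        tolower($1) ~ re { $1 = ""; sub(/^ +/, ""); print tolower($0); exit }
    ' "$1"
}

# pam_has_otp FILE: true if FILE has an active auth line loading the module.
pam_has_otp() {
    grep -Eq '^[[:space:]]*-?auth[[:space:]].*pam_google_authenticator\.so' "$1"
}

# check_2fa SSHD_CONFIG PAM_FILE: prints findings, returns the FAIL count.
check_2fa() {
    cfg=$1; pam=$2; problems=0
    for kw in usepam 'kbdinteractiveauthentication|challengeresponseauthentication'; do
        val=$(first_value "$cfg" "$kw")
        [ "$val" = yes ] && continue
        echo "FAIL: $kw is '${val:-unset}' in $cfg, this guide expects yes"
        problems=$((problems + 1))
    done
    if ! pam_has_otp "$pam"; then
        echo "FAIL: no active pam_google_authenticator.so auth line in $pam"
        problems=$((problems + 1))
    fi
    # Every AuthenticationMethods list should name keyboard-interactive, the
    # method that runs the PAM prompt; unset means any one method is enough.
    am=$(first_value "$cfg" authenticationmethods)
    for list in ${am:-unset}; do
        case $list in
            *keyboard-interactive*) ;;
            *) echo "WARN: AuthenticationMethods '$list' does not require keyboard-interactive" ;;
        esac
    done
    return "$problems"
}

# Constructed sample files (not from a real host): an early "no" shadows the
# "yes" appended at the end, and the PAM line is commented out.
demo=$(mktemp -d)
printf '%s\n' 'KbdInteractiveAuthentication no' 'UsePAM yes' \
    'ChallengeResponseAuthentication yes' > "$demo/sshd_config"
printf '%s\n' '#auth required pam_google_authenticator.so' > "$demo/pam_sshd"
check_2fa "$demo/sshd_config" "$demo/pam_sshd" || echo "FAIL count: $?"
```

The WARN line matters for key-based logins: sshd does not run the PAM auth stack after a successful public-key authentication, so the verification code is requested only when AuthenticationMethods also lists keyboard-interactive.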

(Optional) Remove SSH 2FA on Linux

If you want to disable SSH Two-Factor Authentication (2FA) on your Linux VPS, follow these steps carefully. Keep a console or secondary SSH session open to avoid locking yourself out during the process.

Remove PAM Google Authenticator Line

Delete the line that enables Google Authenticator in the PAM SSH configuration file:
sudo sed -i '/pam_google_authenticator.so/d' /etc/pam.d/sshd

Revert SSH Configuration

Reset SSH settings to disable 2FA prompts:
#Ubuntu/Debian/RHEL
sudo sed -i 's/^#*ChallengeResponseAuthentication.*/ChallengeResponseAuthentication no/' /etc/ssh/sshd_config
sudo sed -i 's/^#*KbdInteractiveAuthentication.*/KbdInteractiveAuthentication no/' /etc/ssh/sshd_config

#RHEL 9+ (AlmaLinux 9+, Rocky 9+)
sudo sed -i 's/^#*ChallengeResponseAuthentication.*/ChallengeResponseAuthentication no/' /etc/ssh/sshd_config.d/50-redhat.conf
sudo sed -i 's/^#*KbdInteractiveAuthentication.*/KbdInteractiveAuthentication no/' /etc/ssh/sshd_config.d/50-redhat.conf

Test SSH Configuration and Restart

Before applying the changes, validate the SSH configuration:
sudo sshd -t
If no errors appear, restart SSH:
# Debian/Ubuntu
sudo systemctl restart ssh

# RHEL
sudo systemctl restart sshd

Important Notes
  • Keep UsePAM enabled unless you are sure it’s not needed by other services.
  • Always test logins in a separate SSH session before closing your active one.

Quick Commands

# Install required packages
# Ubuntu / Debian
sudo apt update
sudo apt install libpam-google-authenticator libqrencode3 -y

# RHEL-based (AlmaLinux, Rocky, CentOS)
sudo dnf install epel-release -y
sudo dnf install google-authenticator qrencode -y

# Run setup for your user (scan QR code)
google-authenticator

# Add PAM module
sudo sed -i '$a auth required pam_google_authenticator.so' /etc/pam.d/sshd

# Update SSH config (Ubuntu/Debian & CentOS 7)
sudo sed -i '/^#\?ChallengeResponseAuthentication.*/d' /etc/ssh/sshd_config
sudo sed -i '$a ChallengeResponseAuthentication yes' /etc/ssh/sshd_config
sudo sed -i 's/^#*UsePAM.*/UsePAM yes/' /etc/ssh/sshd_config
sudo sed -i 's/^#*KbdInteractiveAuthentication.*/KbdInteractiveAuthentication yes/' /etc/ssh/sshd_config

# AlmaLinux / Rocky / RHEL 9+ SSH config
sudo sed -i 's/^#*ChallengeResponseAuthentication.*/ChallengeResponseAuthentication yes/' /etc/ssh/sshd_config.d/50-redhat.conf
sudo sed -i 's/^#*UsePAM.*/UsePAM yes/' /etc/ssh/sshd_config.d/50-redhat.conf
sudo sed -i 's/^#*KbdInteractiveAuthentication.*/KbdInteractiveAuthentication yes/' /etc/ssh/sshd_config.d/50-redhat.conf
sudo grep -q '^KbdInteractiveAuthentication' /etc/ssh/sshd_config.d/50-redhat.conf || sudo sed -i '$a KbdInteractiveAuthentication yes' /etc/ssh/sshd_config.d/50-redhat.conf

# Restart SSH
# Ubuntu / Debian
sudo systemctl restart ssh
# RHEL-based
sudo systemctl restart sshd

Conclusion

By enabling SSH 2FA on Linux, you add a powerful security layer to your Evoxt VPS. Whether you're managing websites, Nextcloud, or critical infrastructure, this step greatly reduces the risk of unauthorized access.

For added security, you can also set up SSH keys in conjunction with 2FA.

Need help? Open a support ticket and Evoxt's support team will assist you.
