Installing Google Authenticator

• apt update
• apt install libpam-google-authenticator

Enabling 2FA for SSH

• Edit /etc/pam.d/sshd
  • Add auth required pam_google_authenticator.so nullok after @include common-password
• Edit /etc/ssh/sshd_config
  • Edit ChallengeResponseAuthentication yes

Enabling 2FA for sudo operations

• Edit /etc/pam.d/sudo
  • Add auth sufficient pam_google_authenticator.so before @include common-auth

Adding a user to the sudo group

• usermod -aG sudo <username>

Aside: Creating a new user

• adduser <username>

New users can then run google-authenticator to create their 2FA files.

Alternatively, you can run the below pre-configured command

• google-authenticator -t -d -r 3 -R 30 -w 3 -s
  • -t - time based tokens
  • -d - do not allow passcode reuse
  • -r 3 - rate limit to 3 attempts
  • -R 30 - rate limit window set to 30s
  • -w 3 - window size of 3