How To Secure SSH Using Two Factor Authentication on Ubuntu 16.04 LTS

Secure SSH Using Two Factor Authentication on Ubuntu 16.04 LTS

In this tutorial, we will show you how to secure SSH using two-factor authentication on Ubuntu 16.04 LTS. For those of you who didn’t know, Securing SSH with two-factor authentication using Google Authenticator Two-step verification (also known as Two-factor authentication, abbreviated to TFA) is a process involving two stages to verify the identity of an entity trying to access services in a computer or in a network. This is a special case of multi-factor authentication that might involve only one of the three authentication factors (a knowledge factor, a possession factor, and an inheritance factor) for both steps.

This article assumes you have at least basic knowledge of Linux, know how to use the shell, and most importantly, you host your site on your own VPS. The installation is quite simple and assumes you are running in the root account, if not you may need to add ‘sudo‘ to the commands to get root privileges. I will show you the step-by-step secure SSH using two-factor authentication on a Ubuntu 16.04 (Xenial Xerus) server.


  • A server running one of the following operating systems: Ubuntu 16.04, and any other Debian-based distribution like Linux Mint.
  • It’s recommended that you use a fresh OS install to prevent any potential issues.
  • SSH access to the server (or just open Terminal if you’re on a desktop).
  • A non-root sudo user or access to the root user. We recommend acting as a non-root sudo user, however, as you can harm your system if you’re not careful when acting as the root.

Secure SSH Using Two Factor Authentication on Ubuntu 16.04 LTS

Step 1. First, make sure that all your system packages are up-to-date by running the following apt-get commands in the terminal.

sudo apt-get update
sudo apt-get upgrade

Step 2. Installing Google Authenticator.

To install the package on Ubuntu, run the following command:

apt-get install libpam-google-authenticator

The next step is to get the verification code. It’s a very simple command to get the verification code and scratch codes by just answering simple questions of the server he will ask you. You can do that step by running the following command:


You will be prompted to answer a few questions; answer the first two questions with yes (y):

Do you want authentication tokens to be time-based (y/n) y

A big QR code will be generated in your terminal. You can scan the code with the authenticator application on your Android/iOS/Windows phone or tablet or enter the secret key generated on the screen.

Emergency scratch codes will also be generated. You can use these codes for authentication in case you lose your mobile device:

Your emergency scratch codes are:

Save the authentication settings for the root user by answering YES to the next question:

Do you want me to update your "/root/.google_authenticator" file (y/n) y

Next, you can configure the authenticator to generate one-time passwords. For the last 30 seconds, all generated passwords can be used once. Answer y to create the file that stores these settings:

Do you want to disallow multiple uses of the same authentication
token? This restricts you to one login about every 30s, but it increases
your chances to notice or even prevent man-in-the-middle attacks (y/n) y

You can use the next setting if you have time syncing issues across your devices, so we will not use this option:

By default, tokens are good for 30 seconds and in order to compensate for
possible time-skew between the client and the server, we allow an extra
token before and after the current time. If you experience problems with poor
time synchronization, you can increase the window from its default
size of 1:30min to about 4min. Do you want to do so (y/n) n

The next setting prevents brute-force attacks. You will only have three chances per 30 seconds to enter the correct password:

If the computer that you are logging into isn't hardened against brute-force
login attempts, you can enable rate-limiting for the authentication module.
By default, this limits attackers to no more than 3 login attempts every 30s.
Do you want to enable rate-limiting (y/n) y

Congratulations! You have finished generating your key and adding it to your client, but some additional configuration is needed before these settings will go into effect.

The next step is to configure the authentication settings in openSSH. To do so, open the “/etc/pam.d/sshd” file and add the following line to the end of the file:

### nano /etc/pam.d/sshd
auth required

Save the changes, open the “/etc/ssh/sshd_config” file and enable Challenge-Response Authentication:

### nano /etc/ssh/sshd_config
ChallengeResponseAuthentication yes

Finally, save the file and restart the SSH server for the changes to take effect:

systemctl restart ssh

Congratulations! You have successfully secured SSH. Thanks for using this tutorial for secure SSH using two-factor authentication on Ubuntu 16.04 LTS  (Xenial Xerus) system. For additional help or useful information, we recommend you to check the official SSH website.

VPS Manage Service Offer
If you don’t have time to do all of this stuff, or if this is not your area of expertise, we offer a service to do “VPS Manage Service Offer”, starting from $10 (Paypal payment). Please contact us to get the best deal!




r00t is a seasoned Linux system administrator with a wealth of experience in the field. Known for his contributions to, r00t has authored numerous tutorials and guides, helping users navigate the complexities of Linux systems. His expertise spans across various Linux distributions, including Ubuntu, CentOS, and Debian. r00t's work is characterized by his ability to simplify complex concepts, making Linux more accessible to users of all skill levels. His dedication to the Linux community and his commitment to sharing knowledge makes him a respected figure in the field.
Back to top button