Google 2FA on Linux SSH
How to integrate Google's 2FA Authenticator into every SSH connection on a Raspberry Pi
Introduction
Connecting via SSH to a Raspberry Pi (or any Linux system) is very convenient, but also risky: if you expose it to the internet, anyone can try their luck with your password; and if you don’t, you’re still not safe from someone with local access or within your network. The solution is to add two-factor authentication (2FA): in addition to your password, you’ll need a code that changes every few seconds on your mobile device.
In this article we’ll see how to enable it with Google Authenticator, using a Raspberry Pi as a practical example (although the process works for any Linux distribution).
Requirements
- A device with a Linux OS (in my case Debian)
- Internet connection
- Access to the terminal of the device to protect
The process can be replicated on other distributions; it is only a matter of the Google Authenticator module being available for them. I'll do it on Debian, specifically Raspberry Pi OS.
Installation and Configuration
Let’s get to the point. We’ll begin with installing and configuring the software, and then integrate it into the system so that SSH login uses it.
Software Installation
sudo apt update
sudo apt install libpam-google-authenticator
QR Code Generation for Google Authenticator
To start configuring our access control, we run the program as the user whose logins we want to protect (in our case a user with privileges), since the resulting configuration is stored in that user's home directory:
google-authenticator
After this command we’ll see a huge QR code in the terminal to scan with the application, but don’t worry if the complete QR doesn’t fit in your terminal: below it there is a secret key that we can enter manually in the Google Authenticator application (or whichever one you use).
Once you scan it, it will ask you for the code that appears in the application to finish the synchronization.
The process will ask you questions about the behavior of your access code, whether it expires and things like that. Each option is well explained, so just by paying attention to what you answer you can customize those characteristics of your code according to your needs.
Integration with SSH Login
With the QR code scanned into our 2FA application, it’s time to integrate it with the SSH login. Without this step we would only have a code that nothing in our access system actually uses.
Edit SSH Configuration
Add 2FA as User Validation
In the file /etc/pam.d/sshd we add the following line at the end to enable the Google code:
sudo nano /etc/pam.d/sshd
auth required pam_google_authenticator.so
With this we tell the system that, in addition to asking for the password and any other configured checks, it must also ask for the TOTP code. This file is what adds the token’s “extra layer”.
So to speak, it is responsible for “enabling” TOTP in the system.
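To make concrete what the module enabled above checks on every login, and what the setup questions (expiry, time window) actually control, here is an added Python example that is not part of the original article. It implements RFC 6238 TOTP (HMAC-SHA1, 30-second steps, 6 digits) over a base32 secret like the one printed under the QR code, with a drift window; the sample file is constructed in the layout google-authenticator writes, and its secret is the RFC 6238 test key, not a real credential.

```python
import base64
import hashlib
import hmac
import struct
import time

# Constructed sample in the layout of ~/.google_authenticator: the base32
# secret on line 1, options prefixed with '" ', then one-time scratch codes.
# The secret is the RFC 6238 test key "12345678901234567890" in base32.
SAMPLE_FILE = """GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ
" RATE_LIMIT 3 30
" WINDOW_SIZE 3
" TOTP_AUTH
12345678
87654321
"""


def parse_secret(text):
    """Return the base32 secret stored on the first line of the file."""
    return text.splitlines()[0].strip()


def totp(secret_b32, unix_time, step=30, digits=6):
    """RFC 6238 TOTP with HMAC-SHA1: the code the phone app displays and
    pam_google_authenticator expects at the keyboard-interactive prompt."""
    key = base64.b32decode(secret_b32.upper())
    counter = int(unix_time) // step          # 30-second time step
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                   # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def verify(secret_b32, code, unix_time, window=1, step=30):
    """Accept the code for the current step or up to `window` steps either
    side, tolerating clock drift between phone and server. A larger window
    is more forgiving but gives an attacker more valid codes at once."""
    now = int(unix_time) // step
    ok = False
    for counter in range(now - window, now + window + 1):
        expected = totp(secret_b32, counter * step, step)
        # Constant-time compare; keep looping so timing does not reveal which
        # step matched.
        ok |= hmac.compare_digest(expected, code)
    return ok


if __name__ == "__main__":
    secret = parse_secret(SAMPLE_FILE)
    print("current code for the sample secret:", totp(secret, time.time()))
```

Run it next to the app with the same secret entered by hand to see the codes agree, which also confirms the server clock is in sync (a drifting clock is the most common cause of rejected codes).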
Add 2FA to SSH
In the file /etc/ssh/sshd_config we add the following lines, this time to force SSH connections to include the TOTP code (the file must also have UsePAM yes, Debian’s default; on OpenSSH 8.7 and later ChallengeResponseAuthentication is a deprecated alias of KbdInteractiveAuthentication and still works):
sudo nano /etc/ssh/sshd_config
ChallengeResponseAuthentication yes
AuthenticationMethods publickey,password publickey,keyboard-interactive
Restart the SSH Service
For the changes made previously to take effect, we must restart the ssh service. Keep the current session open and test a new connection from a second terminal before closing it, so that a mistake in either file cannot lock us out:
sudo systemctl restart ssh