Enabling MFA on Ubuntu and Amazon Linux

Pre-requisite: Google Authenticator Application should be installed on the smartphone.


This article will describe how to set up a Time-based One Time Password (TOTP) for multi-factor authentication in SSH. I’ll cover Amazon Linux, ubuntu14 and ubuntu 16.


1. First, we need to update the instance:

sudo yum update -y

for Ubuntu

sudo apt-get update -y

2. Install google authenticator :

sudo yum install google-authenticator -y

for ubuntu

sudo apt-get install libpam-google-authenticator -y

3. Run google authenticator:

Run from ec2-user, as root login is disabled


same for Ubuntu. It will prompt you to answer some questions. first one is whether you want authentication to be time-based or not

Do you want authentication tokens to be time-based (y/n) y

In Ubuntu, you would be provided a QR code, scan it using the google authenticator app, while in amazon linux you’d be provided a url and a secret key. You could either scan the QR code using the google authenticator from the URL or directly enter the secret key on the app.

Second, whether you want to update the path

Do you want me to update your “/home/ec2-user/.google_authenticator” file (y/n) y

for ubuntu

Do you want me to update your “/home/ubuntu/.google_authenticator” file (y/n) y

Third for both Amazon Linux and Ubuntu

Do you want to disallow multiple uses of the same authentication token? This restricts you to one login about every 30s, but it increases your chances to notice or even prevent man-in-the-middle attacks (y/n) y

By default, tokens are good for 30 seconds and in order to compensate for possible time-skew between the client and the server, we allow an extra token before and after the current time. If you experience problems with poor time synchronization, you can increase the window from its default size of 1:30min to about 4min. Do you want to do so (y/n) n

If the computer that you are logging into isn’t hardened against brute-force login attempts, you can enable rate-limiting for the authentication module. By default, this limits attackers to no more than 3 login attempts every 30s. Do you want to enable rate-limiting (y/n) y

4. Configure SSH to use the Google Pluggable Authentication Module

sudo nano /etc/pam.d/sshd

Add the following line,

auth required pam_google_authenticator.so


auth required pam_google_authenticator.so nullok

“nullok”:This is to ensure that users which are not configured for Google Authenticator are not denied access during ssh session.

If we go without nullok, other users in the instance, for whom google authenticator has not been configured, will not be able to log in as the directory “/home//.google-authenticator will be missing for them. In order to avoid it, we will use “nullok”.

Also, comment

#auth substack password-auth

for ubuntu

# Standard Un*x password updating.
@include common-password
auth required pam_google_authenticator.so

Look for @include common-auth and comment it out

. . .
# Standard Un*x authentication.
#@include common-auth
. . .

save and exit.

5. Now, we’ll configure SSH to support this kind of authentication:

sudo nano /etc/ssh/sshd_config

Comment out the line which says ChallengeResponseAuthentication ‘no’ and uncomment the line which says ‘yes’

ChallengeResponseAuthentication yes
#ChallengeResponseAuthentication no

Lastly, we need to let SSH know that it should ask for SSH key and a verification code to let us in. At the bottom of the file add:

AuthenticationMethods publickey,keyboard-interactive

for ubuntu

Look for ChallengeResponseAuthentication and set the value to “yes”

. . .
# Change to yes to enable challenge-response passwords (beware issues with
# some PAM modules and threads)
ChallengeResponseAuthentication yes
. . .

Look for PasswordAuthentication and set it’s value to “no”

. . .
# Change to no to disable tunnelled clear text passwords
PasswordAuthentication no
. . .

Next, add the following line to the bottom of the file

. . .
UsePAM yes
AuthenticationMethods publickey,keyboard-interactive

6. Restart SSH

sudo service sshd restart

for ubuntu14

sudo service ssh restart

for ubuntu 16

sudo systemctl restart sshd.service

7. Attempt Login

Try to login into another session, you’ll receive prompt to add verification code as follows:

8c85904334d2:~ diwakdub$ ssh ubuntu@ -i Downloads/ireland.pem
Verification code:
Welcome to Ubuntu 14.04.1 LTS (GNU/Linux 3.13.0-37-generic x86_64)

For Amazon Linux, as ec2-user:

login as: ec2-user
Authenticating with public key “imported-openssh-key”
Further authentication required
Using keyboard-interactive authentication.
Verification code:

No token or token has expired.

Leave a Reply

Your email address will not be published. Required fields are marked *