Some links in this post may be affiliate links. We may get paid if you buy something or take an action after clicking one of these, but without addictional costs for you compared to direct buying.
How to add 2 factor authentication (2FA) in Raspberry PI OS Lite with Google Authenticator for ssh login
Debian based systems can easily integrate Google Authenticator to enhance security in your ssh login.
This guide will show how to install Google Authenticator to add a second authentication level in your ssh session.
What We Need
As usual, I suggest adding from now to your favourite e-commerce shopping cart all the needed hardware, so that at the end you will be able to evaluate overall costs and decide if to continue with the project or remove them from the shopping cart. So, hardware will be only:
Raspberry PI (including proper power supply or using a smartphone micro usb charger with at least 3A)
First of all, with your Smartphone install Google Authenticator App from Google Play store.
From Raspberry side, if not still installed, please prepare OS: install Raspberry PI OS Lite in your Raspberry PI.
Make your OS up to date:
sudo apt update
sudo apt upgrade
Install Google Authenticator PAM module:
sudo apt install libpam-google-authenticator
Configure SSH to use Google Authenticator PAM module. Edit the following file:
sudo nano /etc/pam.d/sshd
appending this line at the end:
auth required pam_google_authenticator.so
Restart ssh service:
sudo systemctl restart ssh.service
Enable challenge in ssh authentication config. Edit the following file:
sudo nano /etc/ssh/sshd_config
change ChallengeResponseAuthentication from no to yes, so that this part appears like the following:
#Change to yes to enable challenge-response passwords (beware issues with
# some PAM modules and threads)
ChallengeResponseAuthentication yes
Now run google authenticator from terminal by simply typing:
google-authenticator
Before starting to configure, please note that your terminal will show a link on top of a giant QR code:
This link will be used later for Google Authenticator app in order to receive autenthication token. Copy it in safe location, we’ll use it later.
Under the QR code, you will find emergency codes. Keep them in safe location, these codes will be necessary if you loose your smartphone or if it becomes unusable:
Now go down to answer following config questions. Below suggested answers:
Make tokens “time-base””: y
Update the .google_authenticator file: y
Disallow multiple uses: y
Increase the original generation time limit: n
Enable rate-limiting: y
Ok, from Raspbian side configuration is complete.
Open the link just saved (the one above giant QR code keep from terminal) in your browser. This will show a page with a QR code:
In your SmartPhone, open Google Authenticator app and tap the button with cross in bottom right side:
then select “Scan a Barcode”. With your camera, please focus on QR code in your browser.
A new token will appear in your screen:
This token will change time by time and you will use it together with your password to login in ssh.
Reboot your Raspberry PI:
sudo reboot
In your new ssh login, you will be asked for:
User id
Password (which is your ssh keyboard passowrd)
Verification code (which is code from Google Autenthicator)
Enjoy!
How useful was this post?
Click on a star to rate it anonymously!
Average rating 5 / 5. Vote count: 2
No votes so far! Be the first to rate this post.
We are sorry that this post was not useful for you!
2 thoughts on “How to add 2 factor authentication (2FA) in Raspberry PI OS Lite with Google Authenticator for ssh login”
Excellent post, just added 2 factor codes to SSH access. Using Yubikey Authenticator with a Yubi NFC key.
Had looked at other websites, but above most straightforward explanation and as a raspberry noob very important
We use cookies on our website to give you the most relevant experience by remembering your preferences and repeat visits. By clicking “Accept”, you consent to the use of ALL the cookies.
This website uses cookies to improve your experience while you navigate through the website. Out of these, the cookies that are categorized as necessary are stored on your browser as they are essential for the working of basic functionalities of the website. We also use third-party cookies that help us analyze and understand how you use this website. These cookies will be stored in your browser only with your consent. You also have the option to opt-out of these cookies. But opting out of some of these cookies may affect your browsing experience.
Necessary cookies are absolutely essential for the website to function properly. This category only includes cookies that ensures basic functionalities and security features of the website. These cookies do not store any personal information.
Functional cookies help to perform certain functionalities like sharing the content of the website on social media platforms, collect feedbacks, and other third-party features.
Performance cookies are used to understand and analyze the key performance indexes of the website which helps in delivering a better user experience for the visitors.
Cookie
Duration
Description
AWSELBCORS
session
This cookie is used by Elastic Load Balancing from Amazon Web Services to effectively balance load on the servers.
Analytical cookies are used to understand how visitors interact with the website. These cookies help provide information on metrics the number of visitors, bounce rate, traffic source, etc.
Cookie
Duration
Description
_ga_*
1 year 1 month 4 days
Google Analytics sets this cookie to store and count page views.
Advertisement cookies are used to provide visitors with relevant ads and marketing campaigns. These cookies track visitors across websites and collect information to provide customized ads.
Cookie
Duration
Description
__qca
1 year 26 days
The __qca cookie is associated with Quantcast. This anonymous data helps us to better understand users' needs and customize the website accordingly.
_dlt
1 day
Zendesk set this cookie to create a unique ID for the session. This enables the website to collect data on visitor behaviour for statistical purposes.
mc
1 year 1 month
Quantserve sets the mc cookie to track user behaviour on the website anonymously.
Excellent post, just added 2 factor codes to SSH access. Using Yubikey Authenticator with a Yubi NFC key.
Had looked at other websites, but above most straightforward explanation and as a raspberry noob very important
Thank you for your feedback, glad it helped!