How to add 2 factor authentication (2FA) in Raspberry PI OS Lite with Google Authenticator for ssh login


Last Updated on 6th February 2022 by peppe8o

Debian based systems can easily integrate Google Authenticator to enhance security in your ssh login.

This guide will show how to install Google Authenticator to add a second authentication level in your ssh session.

What We Need

As usual, I suggest adding from now to your favourite e-commerce shopping cart all the needed hardware, so that at the end you will be able to evaluate overall costs and decide if to continue with the project or remove them from the shopping cart. So, hardware will be only:

Step-by-Step Procedure

First of all, with your Smartphone install Google Authenticator App from Google Play store.

From Raspberry side, if not still installed, please prepare OS: install Raspberry PI OS Lite in your Raspberry PI.

Make your OS up to date:

sudo apt update
sudo apt upgrade

Install Google Authenticator PAM module:

sudo apt install libpam-google-authenticator

Configure SSH to use Google Authenticator PAM module. Edit the following file:

sudo nano /etc/pam.d/sshd

appending this line at the end:

auth required

Restart ssh service:

sudo systemctl restart ssh.service

Enable challenge in ssh authentication config. Edit the following file:

sudo nano /etc/ssh/sshd_config

change ChallengeResponseAuthentication from no to yes, so that this part appears like the following:

#Change to yes to enable challenge-response passwords (beware issues with 
# some PAM modules and threads)
ChallengeResponseAuthentication yes

Now run google authenticator from terminal by simply typing:


Before starting to configure, please note that your terminal will show a link on top of a giant QR code:

google auth app link

This link will be used later for Google Authenticator app in order to receive autenthication token. Copy it in safe location, we’ll use it later.

Under the QR code, you will find emergency codes. Keep them in safe location, these codes will be necessary if you loose your smartphone or if it becomes unusable:

google auth app link_2

Now go down to answer following config questions. Below suggested answers:

  • Make tokens “time-base””: y
  • Update the .google_authenticator file: y
  • Disallow multiple uses: y
  • Increase the original generation time limit: n
  • Enable rate-limiting: y

Ok, from Raspbian side configuration is complete.

Open the link just saved (the one above giant QR code keep from terminal) in your browser. This will show a page with a QR code:

Google auth QR code to scan

In your SmartPhone, open Google Authenticator app and tap the button with cross in bottom right side:

Google Authenticator add code

then select “Scan a Barcode”. With your camera, please focus on QR code in your browser.

A new token will appear in your screen:

Google Authenticator add code 2

This token will change time by time and you will use it together with your password to login in ssh.

Reboot your Raspberry PI:

sudo reboot

In your new ssh login, you will be asked for:

  • User id
  • Password (which is your ssh keyboard passowrd)
  • Verification code (which is code from Google Autenthicator)
raspberry google auth login


How useful was this post?

Click on a star to rate it anonymously!

Average rating 5 / 5. Vote count: 2

No votes so far! Be the first to rate this post.

We are sorry that this post was not useful for you!

Let us improve this post!

Tell us how we can improve this post?