How to add 2 factor authentication (2FA) in Raspberry PI OS Lite with Google Authenticator for ssh login

Debian based systems can easily integrate Google Authenticator to enhance security in your ssh login.

This guide will show how to install Google Authenticator to add a second authentication level in your ssh session.

What We Need

As usual, I suggest adding from now to your favourite e-commerce shopping cart all the needed hardware, so that at the end you will be able to evaluate overall costs and decide if to continue with the project or remove them from the shopping cart. So, hardware will be only:

• Raspberry PI (including proper power supply or using a smartphone micro usb charger with at least 3A)
• micro SD card (at least 16 GB, at least class 10)
• an Android smartphone

Step-by-Step Procedure

First of all, with your Smartphone install Google Authenticator App from Google Play store.

From Raspberry side, if not still installed, please prepare OS: install Raspberry PI OS Lite in your Raspberry PI.

Make your OS up to date:

sudo apt update
sudo apt upgrade

Install Google Authenticator PAM module:

sudo apt install libpam-google-authenticator

Configure SSH to use Google Authenticator PAM module. Edit the following file:

sudo nano /etc/pam.d/sshd

appending this line at the end:

auth required pam_google_authenticator.so

Restart ssh service:

sudo systemctl restart ssh.service

Enable challenge in ssh authentication config. Edit the following file:

sudo nano /etc/ssh/sshd_config

change ChallengeResponseAuthentication from no to yes, so that this part appears like the following:

#Change to yes to enable challenge-response passwords (beware issues with 
# some PAM modules and threads)
ChallengeResponseAuthentication yes

Now run google authenticator from terminal by simply typing:

google-authenticator

Before starting to configure, please note that your terminal will show a link on top of a giant QR code:

This link will be used later for Google Authenticator app in order to receive autenthication token. Copy it in safe location, we’ll use it later.

Under the QR code, you will find emergency codes. Keep them in safe location, these codes will be necessary if you loose your smartphone or if it becomes unusable:

Now go down to answer following config questions. Below suggested answers:

• Make tokens “time-base””: y
• Update the .google_authenticator file: y
• Disallow multiple uses: y
• Increase the original generation time limit: n
• Enable rate-limiting: y

Ok, from Raspbian side configuration is complete.

Open the link just saved (the one above giant QR code keep from terminal) in your browser. This will show a page with a QR code:

In your SmartPhone, open Google Authenticator app and tap the button with cross in bottom right side:

then select “Scan a Barcode”. With your camera, please focus on QR code in your browser.

A new token will appear in your screen:

This token will change time by time and you will use it together with your password to login in ssh.

Reboot your Raspberry PI:

sudo reboot

In your new ssh login, you will be asked for:

• User id
• Password (which is your ssh keyboard passowrd)
• Verification code (which is code from Google Autenthicator)

Enjoy!