Enable two-factor authentication for the SSH on your Raspberry PI

I am a big fan of RPi and I allowed one of my RPis (I have 3) to be accessible from the Internet via SSH. But, I was stressed because somebody might do a DoS on my device with the intent to hack into it and this way would prevent me to access it.

So, wanting to secure it, I researched a bit how to enable two-factor authentication for SSH. I don’t want expensive SMS services, actually I don’t want to pay anything at all.

I found some great tutorials on the net, and here is my take on how to enable this great service via Google’s open-source Authenticator.

Google provides the necessary software to integrate Google Authenticator’s (GA) time-based one-time password (TOTP) system. You can couple GA with an SSH server. After this, you’ll have to enter the code from your phone when you connect additional to the username and password.

GA doesn’t connect to Google as far as I can see in the code https://code.google.com/p/google-authenticator/.

You will have to use the PAM module which is available in Raspbian’s repository. The PAM module can add a two-factor authentication step to any PAM-enabled application. It supports:

  • Per-user secret and status file stored in user’s home directory
  • Support for 30-second TOTP codes
  • Support for emergency scratch codes
  • Protection against replay attacks
  • Key provisioning via display of QR code
  • Manual key entry of RFC 3548 base32 key strings


Here is how to enable it:

1.Install the lib and the program


# sudo apt-get install libpam-google-authenticator

Reading package lists… Done

Building dependency tree

Reading state information… Done

The following extra packages will be installed:


The following NEW packages will be installed:

  libpam-google-authenticator libqrencode3

0 upgraded, 2 newly installed, 0 to remove and 27 not upgraded.

Need to get 56.8 kB of archives.

After this operation, 181 kB of additional disk space will be used.

Do you want to continue [Y/n]?

Get:1 http://mirrordirector.raspbian.org/raspbian/ wheezy/main libqrencode3 armh                                                                                        f 3.3.0-2 [31.8 kB]

Get:2 http://mirrordirector.raspbian.org/raspbian/ wheezy/main libpam-google-aut                                                                                        henticator armhf 20110413.68230188bdc7-1.1 [25.0 kB]

Fetched 56.8 kB in 0s (102 kB/s)

Selecting previously unselected package libqrencode3:armhf.

(Reading database … 93376 files and directories currently installed.)

Unpacking libqrencode3:armhf (from …/libqrencode3_3.3.0-2_armhf.deb) …

Selecting previously unselected package libpam-google-authenticator.

Unpacking libpam-google-authenticator (from …/libpam-google-authenticator_2011                                                                                        0413.68230188bdc7-1.1_armhf.deb) …

Processing triggers for man-db …

Setting up libqrencode3:armhf (3.3.0-2) …

Setting up libpam-google-authenticator (20110413.68230188bdc7-1.1) …


2. Start the GA program and set it up

Note that I marked with heading two the answers which I provided to the tool.

Google Authenticator will present you with a secret key and several “emergency scratch codes.” Write down the emergency scratch codes and keep them safe because they can only be used one time each, and they’re intended for use if you don’t have your phone at hand.


# google-authenticator

https://www.google.com/chart?<some code>

Your new secret key is: K4QP6XXXXXXXXJLQ

Your verification code is 280506

Your emergency scratch codes are:







Do you want me to update your “~/.google_authenticator” file (y/n) y


Do you want to disallow multiple uses of the same authentication

token? This restricts you to one login about every 30s, but it increases

your chances to notice or even prevent man-in-the-middle attacks (y/n) y


By default, tokens are good for 30 seconds and in order to compensate for

possible time-skew between the client and the server, we allow an extra

token before and after the current time. If you experience problems with poor

time synchronization, you can increase the window from its default

size of 1:30min to about 4min. Do you want to do so (y/n) y


If the computer that you are logging into isn’t hardened against brute-force

login attempts, you can enable rate-limiting for the authentication module.

By default, this limits attackers to no more than 3 login attempts every 30s.

Do you want to enable rate-limiting (y/n) y


Now comes the interesting part: enable the authentication process.


3. Set up the app on your mobile


Enter the secret key in the Authenticator app on your phone (official apps are available for Android, iOS, and even Blackberry). I personally love the scan barcode feature – go to the URL located near the top of the command’s output and you can scan a QR code with your phone’s camera. After this, you will see the following in your app (here on iOS):


Note that I have two codes. The first one is from Google’s two-factor authentication for their services and the second one is for RPi.

4. Activate GA to work with the PAM module and SSH

Open the/etc/pam.d/sshd file on your system (for example, with the sudo nano /etc/pam.d/sshd command or just use mc) and add the following line to the file:

#auth required pam_google_authenticator.so

Open the /etc/ssh/sshd_config file, locate the ChallengeResponseAuthentication line which is set by default to “no”, and change it to “yes”:

ChallengeResponseAuthentication yes

Finally, restart the SSH server so your changes will take effect:

#sudo /etc/init.d/sshd restart


Do not close the active ssh window if you have one. If something went wrong then you can quick debug it. Open a new ssh window instead.

5. Test your service

login as: sorin

Using keyboard-interactive authentication.


Using keyboard-interactive authentication.

Verification code: 123456



That’s it. I hope it works out of the box and you can enjoy your Raspberry Pi in safety.


© Copyright Sorin Mustaca, All rights Reserved. Written For: Sorin Mustaca on Cybersecurity

Check www.endpoint-cybersecurity.com for seeing the consulting services we offer.

Visit www.itsecuritynews.info for latest security news in English
Besuchen Sie de.itsecuritynews.info für IT Sicherheits News auf Deutsch

About the Author

Sorin Mustaca
Sorin Mustaca, (ISC)2 CSSLP, CompTIA Security+ and Project+, is working since over 20 years in the IT Security industry and worked between 2003-2014 for Avira as Product Manager for the known products used by over 100 million users world-wide. Today he is CEO and owner of Endpoint Cybersecurity GmbH focusing on Cybersecurity, secure software development and security for IoT and Automotive. He is also running his personal blog Sorin Mustaca on Cybersecurity and is the author of the free eBook Improve your security .

Comments are closed.

%d bloggers like this: