Secure SSH access with 2-step authentication (extended)


In this quick tutorial I’ll show you how to secure SSH access to your Linux server with 2-step authentication. Why did I call this post ‘extended’? Because I’ll also show you how to add extra rules so that the second step is not required when you connect from certain locations (for example your own LAN).

I’m not going to explain what 2-step authentication is. You’ll need SSH or CLI access to your Linux device with root rights, and a 2-step authentication app (a TOTP authenticator) on your phone, tablet or PC.

The PAM module we need is called libpam-google-authenticator, so on Debian/Ubuntu/… you can install it with the following command:

sudo apt-get update && sudo apt-get install -y libpam-google-authenticator

Next, run

google-authenticator

to set this up for your account. Do not use sudo or anything like that: run it as your own user, because the secret it generates is stored in that user’s ~/.google_authenticator and the PAM module later looks for the file of the account that is logging in.

Now open the file /etc/pam.d/sshd, you can do this with

sudo nano /etc/pam.d/sshd

and add the following at the end of the file:

auth [success=1 default=ignore] pam_access.so accessfile=/etc/security/access-local.conf
auth required pam_google_authenticator.so

The control field on the first line does the work. When pam_access matches a permit rule for the client’s address it returns success, and success=1 skips the next one module, so the authenticator prompt never appears. Any other result is ignored (default=ignore) and the second line runs, which makes the one-time code mandatory. Leave the existing @include common-auth line at the top of the file alone; that is what still checks the password. While you are rolling this out you can append nullok to the second line so that accounts that have not run google-authenticator yet can still log in, but remove it again once everyone is enrolled.

Now create the file /etc/security/access-local.conf:

sudo nano /etc/security/access-local.conf

and add the following:

+ : ALL : ????
- : ALL : ALL

Replace the ???? with the subnet or the IP address that should be allowed to access SSH without the second verification step. You can enter a single IP address or a network in address/prefix notation. pam_access reads the rules top-down and the first matching rule decides; if nothing matches at all it grants access, so the closing “- : ALL : ALL” line is what makes every other address go through the authenticator step. Do not leave it out.

Now edit the file /etc/ssh/sshd_config:

sudo nano /etc/ssh/sshd_config

and make sure it says

ChallengeResponseAuthentication yes

By default it says no. UsePAM yes must also be set (it is the default on Debian/Ubuntu), since that is what makes sshd run the PAM stack we just edited. On OpenSSH 8.7 and later the option is called KbdInteractiveAuthentication and ChallengeResponseAuthentication is only kept as a deprecated alias for it. One thing to be aware of: the PAM auth stack only runs for password/keyboard-interactive logins, so a user who authenticates with a public key is not asked for a code unless you also set AuthenticationMethods publickey,keyboard-interactive.

Now check the configuration for syntax errors and restart the SSH service. Keep the session you are working in open and test the new setup from a second terminal, so a mistake in the PAM or sshd configuration cannot lock you out.

sudo sshd -t && sudo service ssh restart
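To see how the two PAM lines and the access file fit together, here is an added example (not code from the original post or from Linux-PAM) that simulates the decision in Python: pam_access rules are read top-down and the first matching rule decides, success=1 skips the authenticator module when pam_access grants access, and pam_access grants access when no rule matches at all, which is why the “- : ALL : ALL” line has to be there. It handles only the origin forms the tutorial uses (ALL, a single address, or address/prefix) and ALL or a plain user name in the users field; hostnames, LOCAL, groups and netmask notation are left out. The network 192.168.1.0/24 stands in for the ???? placeholder and the client addresses are made up.

```python
"""Simulate the two auth lines added to /etc/pam.d/sshd:

    auth [success=1 default=ignore] pam_access.so accessfile=/etc/security/access-local.conf
    auth required pam_google_authenticator.so

Added example, not code from the blog post or from Linux-PAM. Only the subset of
pam_access syntax used in the tutorial is modelled (see lead-in).
"""
import ipaddress
from typing import List, Tuple

# Constructed sample of /etc/security/access-local.conf; 192.168.1.0/24 is a
# made-up trusted LAN standing in for the '????' placeholder.
ACCESS_LOCAL_CONF = """\
# trusted office LAN: no second factor needed
+ : ALL : 192.168.1.0/24
- : ALL : ALL
"""

Rule = Tuple[str, str, List[str]]   # (permission, users, origins)


def parse_access_rules(text: str) -> List[Rule]:
    """Parse 'permission : users : origins' lines, skipping comments and blanks."""
    rules: List[Rule] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        perm, users, origins = (field.strip() for field in line.split(":", 2))
        if perm not in ("+", "-"):
            raise ValueError(f"bad permission field in rule: {line!r}")
        rules.append((perm, users, origins.split()))
    return rules


def origin_matches(rhost: str, origin: str) -> bool:
    """Match the client address (PAM_RHOST) against one origins token."""
    if origin == "ALL":
        return True
    # A bare address parses as a /32 (or /128) network.
    network = ipaddress.ip_network(origin, strict=False)
    return ipaddress.ip_address(rhost) in network


def pam_access(rhost: str, user: str, rules: List[Rule]) -> bool:
    """pam_access semantics: first matching rule wins; '+' means PAM_SUCCESS.
    When no rule matches, pam_access grants access (returns success)."""
    for perm, users, origins in rules:
        user_ok = users == "ALL" or user in users.split()
        if user_ok and any(origin_matches(rhost, o) for o in origins):
            return perm == "+"
    return True


def otp_required(rhost: str, user: str, conf_text: str) -> bool:
    """success=1 skips the next module (pam_google_authenticator) when pam_access
    succeeds; any other result is ignored and the OTP prompt runs."""
    return not pam_access(rhost, user, parse_access_rules(conf_text))


if __name__ == "__main__":
    for ip in ("192.168.1.42", "203.0.113.7"):
        verdict = "OTP required" if otp_required(ip, "alice", ACCESS_LOCAL_CONF) else "OTP skipped"
        print(f"{ip:>14} -> {verdict}")
    # Pitfall: without the closing '- : ALL : ALL' line nothing matches for
    # outside addresses, pam_access grants access, and the OTP step is skipped
    # for everyone.
    print("without catch-all, 203.0.113.7 ->",
          "OTP required" if otp_required("203.0.113.7", "alice", "+ : ALL : 192.168.1.0/24\n") else "OTP skipped")
```

Running it shows the LAN address skipping the prompt, the outside address getting it, and the same outside address skipping it as soon as the catch-all deny line is dropped. Reversing the two lines has the opposite failure: the deny-all rule matches first and even the LAN is asked for a code.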


Ahtanu pointed out on Twitter that you should also make sure the device is a properly configured NTP client. The one-time codes are derived from the current time in 30-second steps, so a clock that drifts beyond the window the PAM module accepts (by default the current code plus one before and one after it) makes every code fail. Most desktop Linux distributions already have this in order, but here are the steps for Debian-based distributions.

First, install or update the NTP client.

sudo apt-get update && sudo apt-get install -y ntp ntp-simple ntpdate

Next, set the timezone and put the clock roughly right, so that ntpd only has to make a small correction:

sudo tzselect
sudo date --set "2014-12-31 20:20:20"

Now edit the file ntp.conf:

sudo nano /etc/ntp.conf

and make sure it lists at least two NTP servers (server lines):


Finally, restart the NTP service (on Debian the service is called ntp, not ntpd):

sudo service ntp restart

After a minute or so, ntpq -p should list the configured servers, with one of them marked with a * as the peer the clock is currently synced to.