Install 2-factor authentication on the Linux server

Enabling two-factor authentication (2FA) to enhance the security of your important accounts is becoming more and more common these days. However, you might be surprised to learn that you can do the same with a Raspberry Pi. You can enable 2FA on the Raspberry Pi, and you will then be prompted for a verification code when accessing it remotely via Secure Shell (SSH).



Access to your Raspberry Pi through SSH

Many people use a Raspberry Pi at home as a file or media server. This has become quite common since the launch of the Raspberry Pi 4, which has both USB 3 and Gigabit Ethernet. However, when you configure a server of this type, you often want to run it “headless”: without a monitor, keyboard, or mouse. This is especially true if you are going to put the Raspberry Pi behind the TV or somewhere else out of the way. Either way, this means you will need to enable Secure Shell (SSH) for remote access.

However, it is also quite common to set up your server so that you can access your files when you are away from home, making your Raspberry Pi available from the Internet.

Most of us don’t intend to leave home often yet, but if you are taking the time right now to build a file server, you may want to consider adding extra security. If you’re going to make the server available from the Internet, you’ll probably want to enable two-factor authentication (2FA) using a time-based one-time password (TOTP).

What is two-factor authentication?
Two-factor authentication is an additional level of protection. In addition to the password, “something you know”, you will need another piece of information to log in. This second factor will be based either on “what you have”, like a smartphone, or on “what you are”, like biometric information.

We are going to use “what you have”, with your smartphone as the second factor protecting your Raspberry Pi.

Operating System Upgrade

The first thing you need to do is make sure that your Raspberry Pi is running the latest version of Raspbian. If you are using a relatively recent version of the operating system, you can do so from the command line:

$ sudo apt-get update
$ sudo apt-get full-upgrade

However, if this is the first time you have taken your Raspberry Pi out of its box, you may want to install a fresh copy of Raspbian using the new Raspberry Pi Imager so you know you are working with a good image.

Enable Secure Shell

In Raspbian, the SSH server is disabled at boot. However, since we are going to run the board without a monitor or keyboard, we need to enable it if we want to be able to connect to our Raspberry Pi over SSH.

The easiest way to enable SSH is from your desktop. Go to the Raspbian menu and select “Settings > Raspberry Pi Configuration”. Then select the “Interfaces” tab and click the switch to enable SSH, then click “OK”.

You can also turn it on from the command line using systemctl:

$ sudo systemctl enable ssh
$ sudo systemctl start ssh

You can also enable SSH with raspi-config or, if you are installing an operating system for the first time, you can enable SSH when writing the SD card.

Enable challenge-response

Next we need to tell the SSH daemon to enable “challenge-response” passwords. Go ahead and open the SSH configuration file:

$ sudo nano /etc/ssh/sshd_config

Enable challenge-response by changing ChallengeResponseAuthentication from the default “no” to “yes”.

Editing /etc/ssh/sshd_config.

Then reload the SSH daemon so that it picks up the change:

$ sudo systemctl reload ssh

It is a good idea to open a terminal on your laptop at this stage and make sure that you can still connect to the Raspberry Pi via SSH, although you will not yet be prompted for a 2FA code. It is prudent to check that everything still works before going further.

Setup Two-Factor Authentication

The first thing you need to do is install on your phone an application that will generate the TOTP codes. One of the most frequently used is Google Authenticator. It is available for Android, iOS and Blackberry, and there is even an open source version of the app available on GitHub.


Google Authenticator in the App Store.

So go ahead and install Google Authenticator, or another 2FA app such as Authy, on your phone. Then install the Google Authenticator PAM module on your Raspberry Pi:

$ sudo apt install libpam-google-authenticator

Now we have two-factor authentication installed on both our phone and Raspberry Pi, and we are ready to start configuring it.

Two Factor Authentication Configuration

Now you should launch Google Authenticator from the command line – without using sudo – on your Raspberry Pi in order to generate a QR code:

$ google-authenticator

After that you will probably have to resize the terminal window so that the QR code is displayed correctly. Unfortunately, it is a little wider than the standard 80 characters.

QR code generated by google-authenticator. Don’t worry, it isn’t a QR code of my key; I have created one only for this post, which wasn’t used.

Don’t move forward yet! Before doing anything else, copy the emergency codes and put them in a safe place.

These codes will allow you to access the Raspberry Pi – and turn off 2FA – if you lose your phone. Without them, you will not be able to connect to the Raspberry Pi over SSH if you lose or break the device you are using for authentication.

Then, before we continue to work with Google Authenticator on Raspberry Pi, open the Google Authenticator application on your phone and click the plus sign (+) in the upper right corner, then click “Scan the bar code”.

Your phone will ask you if you want to allow the application to access your camera; you must say “Yes”. The camera view will be displayed. Place the barcode right in the green field on the screen.



Scanning a QR code by means of the application Google Authenticator.

As soon as the application on your phone recognizes the QR code, it will add your new account and automatically start generating TOTP codes.

TOTP in Google Authenticator application.

Your phone will generate a new one-time password every thirty seconds. However, this code will not be of much use until we finish what we were doing on your Raspberry Pi. Go back to the terminal window and answer “Y” to the question of whether Google Authenticator should update your .google_authenticator file.

Then answer “Y” to disallow multiple uses of the same authentication token, “N” to increasing the time skew window and “Y” to rate limiting to protect against brute-force attacks.

You are done here. Now all we have to do is to enable 2FA.
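How the server side checks the six-digit code, as an added example that is not part of the original article or of the google-authenticator source: an RFC 6238 TOTP implementation with the three behaviours chosen above (no token reuse, a small clock-skew window, rate limiting). The secret is the RFC 6238 test key, and the class name, the window of one code either side and the limit of 3 attempts per 30 seconds are assumptions for illustration.

```python
import base64, hashlib, hmac, struct

# Constructed secret: base32 of the RFC 6238 test key "12345678901234567890".
SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"

def totp(secret_b32, unix_time, step=30, digits=6):
    """RFC 6238 code for the 30-second interval containing unix_time (HMAC-SHA1)."""
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)
    key = base64.b32decode(padded)
    counter = int(unix_time) // step
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                       # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

class Verifier:
    """Hypothetical server-side check mirroring the three answers given above."""
    def __init__(self, secret_b32, window=1, max_attempts=3, period=30):
        self.secret, self.window = secret_b32, window
        self.max_attempts, self.period = max_attempts, period
        self.used = set()       # intervals already accepted (no token reuse)
        self.attempts = []      # timestamps of recent attempts (rate limit)

    def check(self, code, now):
        self.attempts = [t for t in self.attempts if now - t < self.period]
        if len(self.attempts) >= self.max_attempts:
            return "rate-limited"
        self.attempts.append(now)
        current = int(now) // 30
        # Accept the current interval plus `window` intervals either side.
        for counter in range(current - self.window, current + self.window + 1):
            if hmac.compare_digest(totp(self.secret, counter * 30), code):
                if counter in self.used:
                    return "replayed"
                self.used.add(counter)
                return "ok"
        return "wrong"
```

A code is tied to its 30-second interval, so the skew window decides how stale a code may be, and remembering accepted intervals is what makes a captured code useless a second time.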

Enable two-factor authentication

We are going to use Linux Pluggable Authentication Modules (PAM), which provide dynamic authentication support for applications and services, to add 2FA to SSH on the Raspberry Pi.

Now we need to configure PAM to add 2FA:

$ sudo nano /etc/pam.d/sshd

Add an auth required line for the Google Authenticator PAM module (pam_google_authenticator.so) to the beginning of the file. You can do this above or below the line @include common-auth.

Editing /etc/pam.d/sshd.

Since I prefer to receive the confirmation code request after entering a password, I added this line after the @include line. If you want the code to be requested before entering the password, you must add it before the @include line.

Now restart the SSH daemon:

$ sudo systemctl restart ssh

Then open the terminal window on your laptop and try to connect to Raspberry Pi via SSH.


If everything went according to plan, when you connect to the Raspberry Pi via SSH, you will be prompted to enter a TOTP code after the password prompt.


SSH to my Raspberry Pi.

Open Google Authenticator on your phone and enter the six-digit code when prompted. You should then be logged in to your Raspberry Pi as usual.
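If the code prompt does not appear, the two files edited above are the place to look. The following check is an added example, not part of the original article: it reads the text of /etc/ssh/sshd_config and /etc/pam.d/sshd and reports what is missing, plus the prompt order implied by where the PAM line sits. The sample file contents are constructed, and the UsePAM and nullok checks go beyond what the article covers.

```python
# Constructed sample files, reduced to the lines this article touches.
SSHD_CONFIG = """\
#ChallengeResponseAuthentication no
ChallengeResponseAuthentication yes
UsePAM yes
"""
PAM_SSHD = """\
@include common-auth
auth required pam_google_authenticator.so
"""

def sshd_option(text, *names):
    """First uncommented value for any of the keywords (sshd keeps the first match)."""
    wanted = {n.lower() for n in names}
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split(None, 1)
        if len(parts) == 2 and parts[0].lower() in wanted:
            return parts[1].strip().lower()
    return None

def audit(sshd_text, pam_text):
    """Return (findings, prompt_order); no findings means the 2FA settings are in place."""
    findings = []
    # Newer OpenSSH releases name this option KbdInteractiveAuthentication.
    if sshd_option(sshd_text, "ChallengeResponseAuthentication",
                   "KbdInteractiveAuthentication") != "yes":
        findings.append("challenge-response authentication is not enabled")
    if sshd_option(sshd_text, "UsePAM") != "yes":
        findings.append("UsePAM is not yes, so /etc/pam.d/sshd is not consulted")
    lines = [l.split("#", 1)[0].split() for l in pam_text.splitlines()]
    lines = [f for f in lines if f]
    totp = [i for i, f in enumerate(lines)
            if len(f) >= 3 and f[0] == "auth" and f[2] == "pam_google_authenticator.so"]
    if not totp:
        findings.append("no auth line for pam_google_authenticator.so")
        return findings, None
    fields = lines[totp[0]]
    if fields[1] != "required":
        findings.append("TOTP module control is %r, not required" % fields[1])
    if "nullok" in fields[3:]:
        findings.append("nullok lets users without a .google_authenticator file skip the code")
    include = [i for i, f in enumerate(lines) if f[:2] == ["@include", "common-auth"]]
    order = None
    if include:
        order = "password first" if include[0] < totp[0] else "code first"
    return findings, order
```

On the Raspberry Pi itself, pass in the contents of the two real files (reading them requires sudo) instead of the constructed samples.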
