How to Protect SSH With Multi-Factor Authentication on Ubuntu 16.04

  1. Something the user knows, for instance a Personal Identification Number (PIN) or a password.
  2. Something the user has, such as a mobile device capable of receiving one-time verification codes.
  3. Something that defines the user, such as biometric identification including fingerprints, facial and voice recognition.


  1. A valid Alibaba Cloud Account.
  2. An Alibaba Cloud ECS instance running Ubuntu 16.04 Operating System.
  3. A non-root user that can perform sudo tasks.

Step 1: Connecting to Your Alibaba ECS Instance

Locate the public IP address associated with your Alibaba ECS instance and log in to your server via an SSH client.

Step 2: Installing Google Authenticator PAM Module

The Google Authenticator PAM module is software that offers authentication verification using a One Time Password (OTP). The module works hand in hand with a mobile-based OTP generator available for iOS, Android and Blackberry phones.

$ sudo apt-get update
$ sudo apt-get install libpam-google-authenticator

Step 3: Creating Secret Keys for Users

We can now go ahead and create secret keys for users using a helper app that comes with the PAM module.

$ google-authenticator
Do you want authentication tokens to be time-based (y/n) y
Do you want me to update your "/home/<username>/.google_authenticator" file (y/n) y
Do you want to disallow multiple uses of the same authentication
token? This restricts you to one login about every 30s, but it increases
your chances to notice or even prevent man-in-the-middle attacks (y/n) y
By default, tokens are good for 30 seconds and in order to compensate for
possible time-skew between the client and the server, we allow an extra
token before and after the current time. If you experience problems with poor
time synchronization, you can increase the window from its default
size of 1:30min to about 4min. Do you want to do so (y/n)n
If the computer that you are logging into isn't hardened against brute-force
login attempts, you can enable rate-limiting for the authentication module.
By default, this limits attackers to no more than 3 login attempts every 30s.
Do you want to enable rate-limiting (y/n) y

Step 4: Configuring SSH to Support MFA

Next, we are going to configure SSH to support MFA. First, we are going to edit the file /etc/pam.d/sshd using the nano editor. Run the command below:

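$ sudo nano /etc/pam.d/sshd
# nullok lets users who have not created a secret key log in without a code.
auth required pam_google_authenticator.so nullok
# Stricter form: without nullok, every user must supply a verification code.
auth required pam_google_authenticator.so

$ sudo nano /etc/ssh/sshd_config
ChallengeResponseAuthentication yes

$ sudo systemctl restart sshd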

Step 5: Testing Multi Factor Authentication

You can now open another terminal window and try to SSH to your Ubuntu 16.04 server. Now, apart from the password prompt, you will be required to enter a verification code which you must obtain from your Google Authenticator app (2 forms of authentication).

$ sudo nano /etc/ssh/sshd_config
# Accept a public key followed by either a password or keyboard-interactive (PAM) authentication.
AuthenticationMethods publickey,password publickey,keyboard-interactive
$ sudo systemctl restart sshd

Using username "johndoe".
Authenticating with public key "johndoe"
Further authentication required
Using keyboard-interactive authentication.
Password: <enter password>
Using keyboard-interactive authentication.
Verification code: <enter verification code>

$ sudo nano /etc/pam.d/sshd
# Commenting out common-auth stops PAM from asking for the account password.
#@include common-auth
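
A read-only check of the settings from Steps 4 and 5, as an added example that is not part of the original article: it reports whether the Google Authenticator PAM line is active, whether nullok still lets users without a secret key skip the code, and which AuthenticationMethods lists lack a keyboard-interactive step. The function name audit_ssh_mfa and the sample files are constructed for illustration, and the check assumes an sshd_config without Match blocks.

```shell
#!/bin/sh
# Added example: audit the two files this guide edits. One finding per line.
# Assumes sshd_config has no Match blocks.
audit_ssh_mfa() {  # usage: audit_ssh_mfa PAM_FILE SSHD_CONFIG
    pam=$1; sshd=$2
    # Uncommented auth line that loads the Google Authenticator module.
    ga=$(grep -E '^[[:space:]]*auth[[:space:]]+[^#]*pam_google_authenticator\.so' "$pam" || true)
    if [ -z "$ga" ]; then
        echo "FAIL pam: pam_google_authenticator.so is not enabled"
    elif printf '%s\n' "$ga" | grep -qw nullok; then
        echo "WARN pam: nullok set, users without a secret key skip the code"
    else
        echo "OK pam: verification code required for every user"
    fi
    # While common-auth is included, PAM also asks for the account password.
    if grep -Eq '^[[:space:]]*@include[[:space:]]+common-auth' "$pam"; then
        echo "INFO pam: common-auth active, PAM asks for password and code"
    else
        echo "INFO pam: common-auth disabled, PAM asks for the code only"
    fi
    # sshd keywords are case-insensitive.
    cr=$(awk 'tolower($1)=="challengeresponseauthentication"{print tolower($2); exit}' "$sshd")
    if [ "$cr" = yes ]; then
        echo "OK sshd: ChallengeResponseAuthentication yes"
    else
        echo "FAIL sshd: ChallengeResponseAuthentication is not set to yes in this file"
    fi
    am=$(awk 'tolower($1)=="authenticationmethods"{$1=""; print; exit}' "$sshd")
    [ -n "$am" ] || echo "INFO sshd: AuthenticationMethods not set, any single method is accepted"
    for list in $am; do  # each space-separated list is one accepted combination
        case ",$list," in
            *,keyboard-interactive,*|*,keyboard-interactive:*)
                echo "OK sshd: '$list' includes keyboard-interactive" ;;
            *)  echo "WARN sshd: '$list' completes without keyboard-interactive" ;;
        esac
    done
}

# Constructed sample files holding the settings from Steps 4 and 5.
demo_dir=$(mktemp -d)
printf '%s\n' '#@include common-auth' \
    'auth required pam_google_authenticator.so nullok' > "$demo_dir/pam_sshd"
printf '%s\n' 'ChallengeResponseAuthentication yes' \
    'AuthenticationMethods publickey,password publickey,keyboard-interactive' \
    > "$demo_dir/sshd_config"
audit_ssh_mfa "$demo_dir/pam_sshd" "$demo_dir/sshd_config"
rm -rf "$demo_dir"
```

On a server, run it as `audit_ssh_mfa /etc/pam.d/sshd /etc/ssh/sshd_config` before restarting sshd, and keep an existing session open while testing.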


In this guide, we have taken you through the steps of securing your Ubuntu 16.04 Alibaba ECS with multi-factor authentication. We have shown you how to set up the Google PAM module and helper program to create secret codes for each user that requires MFA.



Alibaba Cloud