Google Authenticator TOTP for SSH on Anubiz VPS
TOTP via PAM adds a second factor to SSH key authentication: even a stolen private key is useless without the 6-digit code. On an Anubiz VPS this is overkill for a hobby instance, but it is the right call for a production server that you SSH into rarely and that holds anything sensitive. This walkthrough uses libpam-google-authenticator on Ubuntu 24.04, with a policy that requires both the key AND the TOTP code.
Step 1: Install PAM Module
Run: apt install libpam-google-authenticator
Step 2: Per-User Setup
As your sudo user, run google-authenticator. Scan the QR code with Aegis or Authy and save the scratch codes offline. At the prompts, accept time-based tokens, disallow token reuse, and enable rate limiting.
Step 3: PAM Config
Add this line at the top of /etc/pam.d/sshd: auth required pam_google_authenticator.so nullok. The nullok option lets users who have not completed setup still log in; remove it once all users are enrolled.
Step 4: sshd Config
In /etc/ssh/sshd_config.d/99-2fa.conf, set:
ChallengeResponseAuthentication yes
UsePAM yes
AuthenticationMethods publickey,keyboard-interactive
Then reload sshd.
Step 5: Test Carefully
Keep a second session open. From a new terminal, SSH in: you should get a Verification code: prompt after key auth. Enter the TOTP code. If you are locked out, boot into rescue mode from the panel and remove or disable sshd_config.d/99-2fa.conf.
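A pre-flight check for Steps 3 and 4, to run before reloading sshd. This is an added example, not part of the original walkthrough; the function names and the convention of passing the two file paths as arguments are assumptions.

```shell
#!/bin/sh
# Added example (not from the original page): audit the PAM file from Step 3
# and the sshd drop-in from Step 4. File paths are arguments (assumption).

# First active auth line that loads pam_google_authenticator.so.
pam_totp_line() {
    awk '/^[ \t]*auth[ \t]/ && /pam_google_authenticator\.so/ { print; exit }' "$1"
}

# Value of an sshd keyword: case-insensitive, comment lines skipped, first
# match wins (sshd keeps the first value it obtains for a keyword).
sshd_value() {
    awk -v k="$2" '
        /^[ \t]*#/ { next }
        tolower($1) == tolower(k) { $1 = ""; sub(/^[ \t]+/, ""); print; exit }
    ' "$1"
}

# Any one space-separated list is enough to log in, so every list must name
# both publickey and keyboard-interactive.
methods_ok() {
    [ -n "$1" ] || return 1
    for list in $1; do
        case ",$list," in *,publickey,*) ;; *) return 1 ;; esac
        case ",$list," in
            *,keyboard-interactive,*|*,keyboard-interactive:*) ;;
            *) return 1 ;;
        esac
    done
}

# audit_2fa PAM_FILE SSHD_FILE
# Returns 0 = enforced, 1 = misconfigured, 2 = enforced but nullok still set.
audit_2fa() {
    line=$(pam_totp_line "$1")
    [ -n "$line" ] || { echo "FAIL: no pam_google_authenticator.so auth line"; return 1; }
    [ "$(sshd_value "$2" UsePAM)" = yes ] || { echo "FAIL: UsePAM is not yes"; return 1; }
    # The page's ChallengeResponseAuthentication is the older alias of this keyword.
    kbd=$(sshd_value "$2" KbdInteractiveAuthentication)
    [ -n "$kbd" ] || kbd=$(sshd_value "$2" ChallengeResponseAuthentication)
    [ "$kbd" = yes ] || { echo "FAIL: keyboard-interactive is disabled"; return 1; }
    methods_ok "$(sshd_value "$2" AuthenticationMethods)" ||
        { echo "FAIL: AuthenticationMethods lets a login skip key or code"; return 1; }
    if printf '%s\n' "$line" | grep -Eq '[[:space:]]nullok([[:space:]]|$)'; then
        echo "WARN: nullok set, unenrolled users skip the code"; return 2
    fi
    echo "OK: publickey AND TOTP required"
}
```

Call it as audit_2fa /etc/pam.d/sshd /etc/ssh/sshd_config.d/99-2fa.conf. Passing saved output of sshd -T as the second argument audits the effective configuration instead of the single drop-in, which matters because an earlier file can set the same keyword first.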