How to use two factor Google authenticator (TOTP) in SSH and GDM logins

Google’s two factor adds a time-based one time token/password algorithm TOTP – Time-base One-Time Password OTP to the regular username+password authentication.

  • Client-side apps: install Android or any of the other apps.

  • Server-side install

# using pre-compiled binaries from repos
$ apt-get install libpam-google-authenticator
$ yum install google-authenticator (needs EPEL)
# alternatively, to compile see

# generate authentication key, answer yes
$ google-authenticator
# you will see a secret key and it's QR code, enter enther on your client-side app

# enable google authenticator on sshd
$ cat /etc/pam.d/sshd
auth required
$ cat /etc/ssh/sshd_config
ChallengeResponseAuthentication yes
$ service ssh restart | systemctl restart sshd

# enable google authenticator on gdm
$ cat /etc/pam.d/gdm-password
auth required

from How to set up two-factor authentication for SSH login on Linux and Secure Your Linux Desktop and SSH Login Using Two Factor Google Authenticator.

freeotp is a two-factor authentication client using one-time password protocols, from Red Hat. Supports Android and iOS. Implements ​HOTP and ​TOTP.

Since any standards-compliant HOTP or TOTP server should work with FreeOTP, there is no absolute need for the project to produce its own server-side code. See Using OTP Tokens and 2FA with FreeIPA 4.0.


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s