No doubt about it, we're living in a dangerous world of anti-do-gooders in our midst. And what better way to protect your little computer from said people than adding a little free 2FA to your RPi?

I currently have four RPi boxes (little boxes at that) running in my house; two of them are running Raspbian Stretch and the other two are running Ubuntu 18.04. All four now have 2FA running on them using the same install methods, and all four are working great. On a side note, you can still use secure copy (scp) to copy over SSH from one machine to another without issue.

In truth, I think this should actually be called Three-Factor Authentication as opposed to Two; there are three sets of passwords/numbers you need to enter each time to gain access... I'll explain. Let's install this thing.

Run

sudo apt install libpam-google-authenticator

This'll install a few packages. We now need to make an edit to /etc/pam.d/sshd via

sudo nano /etc/pam.d/sshd

And at the very bottom of this file add the line

auth required pam_google_authenticator.so

We also need to edit /etc/ssh/sshd_config via

sudo nano /etc/ssh/sshd_config

In this file you're looking for a line that reads

ChallengeResponseAuthentication no

And change this to a yes

ChallengeResponseAuthentication yes

Save that file.

We're ready to set this up by calling the Google Authenticator installer (NOTE the lack of sudo, just call it without):

google-authenticator

You'll be asked if you want to use a time-based system; of course you do, so answer y. You'll then be given your QR code for your app of choice (or you can use the secret key). I use the 1Password app myself. I suggest taking a screenshot of this as it has some very important info: your QR code/secret key, your verification code, and five one-time use keys in case you lose your phone or something.

Once you take down this info you'll need to answer a few more questions; to be safe, just answer yes (y) to all of these.

I hope you've kept your info and added it into a Google Authenticator compatible app, because it's time to test it out. Yes, it was that easy. Be aware, there is no way to go back and fix this if you're locked out (I know, trust me).
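Since a lockout can't be undone, here is a check to run before logging out that confirms both file edits above are actually in effect. It is an added example, not part of the original post: the function names are made up for illustration and the sample files are constructed in a temp directory. It relies on sshd using the first value it reads for a keyword, so a "yes" line placed below an existing "no" line has no effect.

```shell
#!/bin/sh
# Added example (hypothetical helper names); file paths are parameters so the
# checks can be tried on copies before pointing them at the real files.

# Succeeds if the PAM file has an active (uncommented) line loading the module.
pam_has_google_auth() {
    grep -Eq '^[[:space:]]*auth[[:space:]]+required[[:space:]]+pam_google_authenticator\.so' "$1"
}

# Prints the effective global value of an sshd_config keyword.
# sshd keeps the first value it reads, keywords are case-insensitive,
# and a Match block ends the global section.
sshd_effective() {
    awk -v key="$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')" '
        $1 ~ /^#/ { next }
        tolower($1) == "match" { exit }
        tolower($1) == key { print tolower($2); exit }
    ' "$2"
}

# Returns 0 only when both edits are in effect; prints what is missing.
check_2fa_setup() {
    pam_file=$1; sshd_file=$2; rc=0
    if ! pam_has_google_auth "$pam_file"; then
        echo "MISSING: pam_google_authenticator.so line in $pam_file"; rc=1
    fi
    if [ "$(sshd_effective ChallengeResponseAuthentication "$sshd_file")" != "yes" ]; then
        echo "MISSING: ChallengeResponseAuthentication yes in $sshd_file"; rc=1
    fi
    return $rc
}

# Constructed sample files (not real system files) showing a common slip:
# "yes" was appended at the bottom, but the original "no" line comes first.
demo=$(mktemp -d)
printf '@include common-auth\nauth required pam_google_authenticator.so\n' > "$demo/pam_sshd"
printf 'ChallengeResponseAuthentication no\nChallengeResponseAuthentication yes\n' > "$demo/sshd_bad"
printf '#ChallengeResponseAuthentication no\nChallengeResponseAuthentication yes\n' > "$demo/sshd_good"

if check_2fa_setup "$demo/pam_sshd" "$demo/sshd_bad"; then echo "bad copy: ready"; else echo "bad copy: not ready"; fi
if check_2fa_setup "$demo/pam_sshd" "$demo/sshd_good"; then echo "good copy: ready"; fi
```

To check the real files, call check_2fa_setup /etc/pam.d/sshd /etc/ssh/sshd_config, and keep your current SSH session open while you try the first login from a second terminal.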

After logging out of your server, log back in as usual, via SSH, and have your credentials ready. This is what it looks like via a standard terminal:

You see, next to the yellow and red, the three different spots to enter your credential data: your verification code that was sitting just below the QR Code/Secret Key, your actual SSH password, and the third is the code your app gives you every 30 seconds. I also use Termius as my default SSH program; if you're using this you'll be asked to provide the three sets of numbers/passwords via the pop-up windows.

I hope all worked out, and you're in. Your server is now protected just a little bit more than it was five minutes ago. It may be a little cumbersome, but I'd rather it be that than under-secure.