SSH Multi-Factor Authentication (TOTP) on Debian 12
Step 1 – Install Google Authenticator PAM module
apt install -y libpam-google-authenticatorStep 2 – Configure for a user
google-authenticatorAnswer the prompts:
- Time-based tokens: y
- Update
~/.google_authenticator: y - Disallow multiple uses: y
- 30-second window: n (or y for loose clock tolerance)
- Rate limiting: y
Scan the QR code with Google Authenticator, Aegis, or any TOTP app.
Step 3 – Configure PAM
Edit /etc/pam.d/sshd:
# Add BEFORE the existing auth lines:
auth required pam_google_authenticator.soStep 4 – Configure sshd_config
ChallengeResponseAuthentication yes
AuthenticationMethods publickey,keyboard-interactive
UsePAM yesStep 5 – Restart sshd
systemctl restart sshd 2>/dev/null || rcctl restart sshdStep 6 – Test
ssh [email protected]
# Will prompt for key passphrase, then TOTP code