Google Authenticator is open source software, currently licensed under the Apache 2.0 license. It is an excellent supplement to a working RSA model for additional security measures.
ghorr no longer recommends using the Google Authenticator Android app because the application is no longer fully open source. andOTP is now recommended which currently is open source.
Setting up Google Authenticator
Installing Google Authenticator
You can easily install google-authenticator-libpam-hg from AUR using yaourt:
yaourt -S google-authenticator-libpam-git
Adjusting the SSHD and PAM configuration files
/etc/ssh/sshd_config with your favorie text editor and make sure that
ChallengeResponseAuthentication is set to
Next you have to edit
/etc/pam.d/sshd. We are only interested in the lines starting with
If you want to have to enter both your regular password and a one-time password to login, change the configuration like this:
Warning: Every user who has not yet generated a secret file will no longer be able to login via SSH.
If you want to be able to login using your regular password or a one-time password, change the configuration file like this:
Using Google Authenticator
Just run the command
google-authenticator as the user you want to generate the secret for and follow the instructions.
You probably want to install the andOTP app for Android to generate your one-time passwords.
google-authenticator will show you a QR-code you can scan on your phone if you have installed the
qrencode packge. Otherwise you have to enter the secret key manually on your phone.
If an one-time password is required for logging in, you should print out your emergency codes and store them in a safe place.
Removing Google Authenticator
These are the defaults for the changed parts of the configuration files: