With the introduction of Google Authenticator and the ability to use it with ssh I was wondering if someone has gone through a sshd_config setup which would
The idea being to usually connect seamlessly with a key and, usually in less friendly environments, connect with a two factor mechanism.
Yes, I have a setup where I can ssh to my server using public key authentication, with a fallback to two-factor authentication with Google Authenticator + password when my private key is not available. These are the steps you can use to set it up.
My server is running Ubuntu Bionic Beaver (18.04.1). You can install Google Authenticator using apt:
$ sudo apt install libpam-google-authenticator
Open /etc/pam.d/sshd and add the following line at the top:
auth optional pam_google_authenticator.so
Open /etc/ssh/sshd_config and change one line. The existing line is
ChallengeResponseAuthentication no
and you should change it to
ChallengeResponseAuthentication yes
The next step is to turn on Google Authenticator for your account. You do this by simply running:
$ google-authenticator
Make sure you run this as the user who will be making ssh connections, not root. Make a note of your new secret key and your emergency scratch codes. The wizard will ask you several questions to configure the security settings for your account.
I use the Google Authenticator app for iPhone. This app has a [+] button that allows me to add a new Time Based Token using the secret key I obtained from the google-authenticator command on my server. It was trivial to set up. I can't help you with apps on any other platform, but I imagine the process is equally simple.
The last thing you need to do is restart sshd.
$ sudo /etc/init.d/ssh restart
At this point, when you try to connect to the server when your private key is available, authentication just works. When your private key is not available, you will get a prompt for a verification code, then your account password.
