Setting up a second authentication factor (TOTP, Time-based One-Time Password) for SSH.
Although the google-authenticator package is used on the server, the mobile app that generates the one-time codes does not have to be Google Authenticator: other apps such as Yandex Key (Я.Ключ), SafeAuth, FreeOTP, etc. can be used as well.
apt install -y libpam-google-authenticator
nano /etc/pam.d/sshd
auth required pam_google_authenticator.so
nano /etc/ssh/sshd_config
# Change to yes to enable challenge-response passwords (beware issues with
# some PAM modules and threads)
KbdInteractiveAuthentication yes
systemctl restart sshd.service
google-authenticator
Do you want authentication tokens to be time-based (y/n) y
Enter code from app (-1 to skip): -1
Do you want me to update your ".google_authenticator" file? (y/n) y
Do you want to disallow multiple uses of the same authentication token? (y/n) y
Do you want to ... increase the original generation time limit? (y/n) n
Do you want to enable rate-limiting? (y/n) y
init 6
ssh root@10.20.30.40
(root@10.20.30.40) Password:
(root@10.20.30.40) Verification code:
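
A check of the two edits made above, useful before closing the current SSH session. This is an added example, not part of the original note; the function names and the script name check_ssh_totp.sh are hypothetical, and the file paths default to the ones edited in this note.

```shell
#!/bin/sh
# Added example: offline check of the two edits made in this note.
# sshd keeps the FIRST value it reads for a keyword, so a "yes" appended
# below an existing "no" has no effect. Keywords are case-insensitive.
# Include files are not followed here; `sshd -T` prints the merged result.

# Print the first global (pre-Match) value of keyword $2 in file $1.
sshd_first_value() {
    awk -v key="$2" '
        { sub(/#.*/, "") }                   # strip comments
        tolower($1) == "match" { exit }      # global section ends here
        tolower($1) == tolower(key) { print tolower($2); exit }
    ' "$1"
}

# Succeed if the PAM file has an uncommented auth line loading the TOTP module.
pam_has_totp() {
    grep -Eq '^[[:space:]]*auth[[:space:]]+[^#]*pam_google_authenticator\.so' "$1"
}

# Usage: check_ssh_totp [sshd_config] [pam_file]; returns 0 only if both edits are active.
check_ssh_totp() {
    sshd_cfg=${1:-/etc/ssh/sshd_config}
    pam_cfg=${2:-/etc/pam.d/sshd}
    rc=0
    kbd=$(sshd_first_value "$sshd_cfg" KbdInteractiveAuthentication)
    # The note sets the option explicitly, so an explicit "yes" is required.
    if [ "$kbd" != "yes" ]; then
        echo "FAIL: KbdInteractiveAuthentication is '${kbd:-unset}' in $sshd_cfg"
        rc=1
    fi
    if ! pam_has_totp "$pam_cfg"; then
        echo "FAIL: no active pam_google_authenticator.so auth line in $pam_cfg"
        rc=1
    fi
    [ "$rc" -eq 0 ] && echo "OK: keyboard-interactive + TOTP module are configured"
    return "$rc"
}

# Run against the live files only when saved and executed under this (hypothetical) name.
case "${0##*/}" in
    check_ssh_totp.sh) check_ssh_totp "$@" ;;
esac
```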