by mpetrov 4762 days ago
It would be great if this was supported along with key-based authentication. Using the PAM method outlined here works only with password-based authentication, and the TFA is completely bypassed when a key is used.

I researched this a few months back and was not able to find a clean way to add TFA to a key-based login. Any suggestions from other HN readers?

3 comments

The latest version of OpenSSH (6.2) has added the AuthenticationMethods configuration option, which allows you to specify multiple required methods, like publickey + password. With UsePAM, 'password' should be passed to PAM, and in turn to Google Authenticator (which would be like 3-factor auth). [1]

Red Hat added a similar though slightly different patch with RequiredAuthentications1 and RequiredAuthentications2. They patched OpenSSH 5.3 in RHEL 6 (and CentOS) as of 2012-06-20. [2]

So instead of Google Authenticator you could use publickey + password for 2-factor auth.

[1] https://bugzilla.mindrot.org/show_bug.cgi?id=983

[2] https://bugzilla.redhat.com/show_bug.cgi?id=657378
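The configuration antoncohen describes, together with a check that it actually closes the key-only path, as an added example that is not from this thread and not OpenSSH's own code. It assumes OpenSSH 6.2 or later semantics, plain "Keyword value" lines (no "="), and that sshd_config is passed in as a file path; it evaluates only the global section and fails the audit if a Match block re-sets AuthenticationMethods. The two sample configs at the bottom are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the thread, not OpenSSH's own code): audit an
# sshd_config and confirm that a public key alone can no longer log in, i.e.
# every AuthenticationMethods alternative chains publickey with a PAM-backed
# second step (keyboard-interactive for Google Authenticator, or password).
# Assumptions (mine): OpenSSH >= 6.2 semantics, "Keyword value" lines without
# "=", and only the global section is evaluated; a Match block that re-sets
# AuthenticationMethods fails the audit so a human reviews it.

# Effective value of a directive: sshd honours the first occurrence, keywords
# are case-insensitive. Prints nothing if unset; stops at the first Match.
sshd_value() {  # $1 = config file, $2 = keyword
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ || NF == 0 { next }
        tolower($1) == "match"      { exit }
        tolower($1) == key          { $1 = ""; sub(/^[[:space:]]+/, ""); print; exit }
    ' "$1"
}

# Succeeds if any Match block re-sets AuthenticationMethods.
match_overrides_methods() {  # $1 = config file
    awk 'tolower($1) == "match"                      { m = 1 }
         m && tolower($1) == "authenticationmethods" { found = 1 }
         END { exit !found }' "$1"
}

# Boolean directive with sshd's default applied when it is unset.
sshd_enabled() {  # $1 = config file, $2 = keyword, $3 = default (yes/no)
    v=$(sshd_value "$1" "$2" | tr 'A-Z' 'a-z')
    [ "${v:-$3}" = yes ]
}

# Exit 0 only when a key-based login must complete a second step that reaches PAM.
key_login_requires_second_factor() {  # $1 = config file
    cfg=$1
    methods=$(sshd_value "$cfg" AuthenticationMethods)
    # Unset means "any single successful method", which is exactly the bypass.
    [ -n "$methods" ] || return 1
    need_kbdint=no; need_password=no
    for alt in $methods; do
        # Space separates alternatives, comma chains required methods; an
        # alternative holding a single method lets that method in on its own.
        case "$alt" in *,*) ;; *) return 1 ;; esac
        case ",$alt," in *,keyboard-interactive,*|*,keyboard-interactive:*) need_kbdint=yes ;; esac
        case ",$alt," in *,password,*) need_password=yes ;; esac
    done
    # The second step only reaches pam_google_authenticator through PAM.
    sshd_enabled "$cfg" UsePAM no || return 1
    if [ "$need_kbdint" = yes ]; then
        sshd_enabled "$cfg" ChallengeResponseAuthentication yes || return 1
    fi
    if [ "$need_password" = yes ]; then
        sshd_enabled "$cfg" PasswordAuthentication yes || return 1
    fi
    if match_overrides_methods "$cfg"; then return 1; fi
    return 0
}

# Constructed sample configs (not from any real host) so the script runs stand-alone.
write_weak_config() {  # the situation mpetrov describes: keys skip the PAM prompt
    cat > "$1" <<'EOF'
UsePAM yes
ChallengeResponseAuthentication yes
PubkeyAuthentication yes
# no AuthenticationMethods: publickey alone is sufficient
EOF
}
write_hardened_config() {  # OpenSSH 6.2+: key first, then the PAM prompt (TOTP)
    cat > "$1" <<'EOF'
UsePAM yes
ChallengeResponseAuthentication yes
PasswordAuthentication no
PubkeyAuthentication yes
AuthenticationMethods publickey,keyboard-interactive
EOF
}

tmp=$(mktemp -d)
write_weak_config "$tmp/weak"; write_hardened_config "$tmp/hardened"
for f in weak hardened; do
    if key_login_requires_second_factor "$tmp/$f"; then
        echo "$f: key-based logins must pass the second factor"
    else
        echo "$f: a key alone can log in"
    fi
done
rm -rf "$tmp"
```

The check is deliberately stricter than "no alternative is exactly publickey": any single-method alternative is rejected, because sshd accepts whichever alternative completes first. On the RHEL 6 backport mentioned above the directive names differ (RequiredAuthentications1/2), so the same audit would have to look for those instead.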

In addition to what antoncohen wrote, I've seen a lot of people suggest using ForceCommand in sshd_config to run something that will check the Google authenticator code after you've completed key-based authentication. I think ForceCommand has been in sshd for a while, and it might be more suitable for some environments.

I got the ForceCommand idea from a thread last year about setting up two factor SSH auth using Authy: https://news.ycombinator.com/item?id=4444926
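A ForceCommand gate of the kind described above, as an added example that is not from this thread and not Authy's product. It computes the TOTP itself with openssl, so the secret format (hex in ~/.totp-secret), the 6-digit, 30-second, SHA-1 parameters and the script path in the ForceCommand line are all my assumptions; the only external reference is the RFC 4226/6238 test key "12345678901234567890", against which the code can be checked.

```shell
#!/bin/sh
# Added example (not from the thread, and not Authy's product): a ForceCommand
# gate that runs after key authentication has already succeeded, asks for a
# TOTP code on the terminal, and only then hands over to the user's shell or
# to the command the client asked for. Sessions without a tty (sftp, scp) are
# refused rather than left hanging on the prompt.
# Assumptions (mine): the per-user secret is hex in ~/.totp-secret (mode 0600),
# 6-digit codes, 30-second steps, SHA-1, "openssl" on the server, and this
# sshd_config line (hypothetical path):
#     ForceCommand /usr/local/sbin/totp-gate run

# HMAC-SHA1 over the 8-byte big-endian counter (RFC 4226 section 5.3), as hex.
hmac_counter() {  # $1 = hex secret, $2 = counter
    hex=$(printf '%016x' "$2")
    i=1
    while [ "$i" -le 15 ]; do
        # emit each counter byte via a printf octal escape; no xxd dependency
        byte=$(printf '%s' "$hex" | cut -c"$i"-"$((i + 1))")
        printf "\\$(printf '%03o' "0x$byte")"
        i=$((i + 2))
    done | openssl dgst -sha1 -mac HMAC -macopt "hexkey:$1" | sed 's/.*= *//'
}

# TOTP for a unix time: dynamic truncation of the HMAC, then modulo 10^6.
totp_code() {  # $1 = hex secret, $2 = unix time
    mac=$(hmac_counter "$1" $(( $2 / 30 )))
    offset=$(( 0x$(printf '%s' "$mac" | cut -c40) ))  # low nibble of last byte
    start=$(( offset * 2 + 1 ))                         # hex chars of bytes offset..offset+3
    word=$(printf '%s' "$mac" | cut -c"$start"-"$((start + 7))")
    printf '%06d' $(( (0x$word & 0x7fffffff) % 1000000 ))
}

# The gate itself: accept the current step or the previous one (clock skew).
totp_gate() {
    secret=$(cat "$HOME/.totp-secret" 2>/dev/null) || { echo "no TOTP secret enrolled" >&2; exit 1; }
    if ! [ -t 0 ]; then
        echo "TOTP gate needs an interactive session; sftp/scp cannot answer the prompt" >&2
        exit 1
    fi
    printf 'Verification code: ' > /dev/tty
    read -r code < /dev/tty
    now=$(date +%s)
    for skew in 0 30; do
        if [ "$code" = "$(totp_code "$secret" $((now - skew)))" ]; then
            if [ -n "${SSH_ORIGINAL_COMMAND:-}" ]; then
                exec "${SHELL:-/bin/sh}" -c "$SSH_ORIGINAL_COMMAND"
            fi
            exec "${SHELL:-/bin/sh}" -l
        fi
    done
    echo "Bad verification code" >&2
    exit 1
}

# Only act as the gate when invoked as "totp-gate run" (see the ForceCommand line).
if [ "${1:-}" = run ]; then totp_gate; fi
```

Because ForceCommand only runs once authentication has fully succeeded, the session already exists at that point and the gate is only as strong as the script's refusal to exec; it refuses non-tty sessions outright, which is the reason sftp and scp stop working under this approach. Lockout or rate-limiting of bad codes is not shown.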

ForceCommand will not let you use SFTP or SCP due to the prompt. You do need the newer version of OpenSSH for proper MFA.

Hey Michael, you can try ours, it's specifically designed to work along with certificates instead of passwords:

http://blog.authy.com/two-factor-ssh-in-thirty-seconds

(disclaimer: I am a founder of the company).