I recently tried to set up SSH key + TOTP authentication on my WordPress server. This proved to be a bit harder than I expected, even though my VPS provider publishes guides for doing exactly that; I am guessing the PAM and SSH configuration has changed a bit since those were written. I’ll show you how to set this up below. Note that I followed this tutorial from DigitalOcean, so this post is going to roughly follow that one.

I’m going to assume you’ve done the following:

  1. Disabled root login via SSH (DO IT!)
  2. Configured SSH key authentication for a user who is in sudoers

If you haven’t done either of those, Google it. Plenty of people have written it up.

“Step 0” when doing things like this: SNAPSHOT!!! If you choose to live dangerously and don’t snapshot, that’s your risk to take. Good luck, brave adventurer.

Follow everything in DigitalOcean’s post through Step 1, which installs Google Authenticator and does the initial configuration of it. Running google-authenticator writes your TOTP secret and a handful of one-time emergency scratch codes to ~/.google_authenticator; keep those scratch codes somewhere safe, since they are what gets you in if you lose the phone.

My procedure changes at Step 2. First, the PAM stack that sshd uses:

/etc/pam.d/sshd

Comment out this line (it is what pulls in the normal Unix password prompt; with it gone, the keyboard-interactive step asks only for the TOTP code, not for your password as well):

@include common-auth

Now it should be:

# @include common-auth

Add this line to the bottom:

auth required pam_google_authenticator.so nullok

(With “nullok”, a user who has no ~/.google_authenticator file yet is let in without a TOTP prompt at all. Remove “nullok” once every user has enrolled a TOTP device, so that a missing secret means a denied login rather than a silently skipped second factor.)

/etc/ssh/sshd_config

Add the following line at the bottom of the file (if the file has any Match blocks, put it above them instead: a keyword placed after a Match block only applies inside that block):

AuthenticationMethods publickey,keyboard-interactive

This tells sshd to require both a successful public-key authentication and a keyboard-interactive (PAM) exchange, which is where the TOTP prompt comes from. Since this recipe diverges from the DigitalOcean post at Step 2, double-check that the file also has ChallengeResponseAuthentication yes (on OpenSSH 8.7 and later the keyword is KbdInteractiveAuthentication, with the old name kept as an alias), UsePAM yes, and PasswordAuthentication no; without the first two, the keyboard-interactive method never reaches PAM and every login fails.

Run sshd -t first so sshd parses the new configuration and reports any syntax error before you commit to it, then restart sshd (the service is called ssh on Debian and Ubuntu and sshd on RHEL-family systems; use whichever name your distribution has):

service sshd restart

Keep your current session open and, from a second terminal, confirm that a fresh login asks for your key and then the verification code, and that it is refused without the code, before you disconnect. Otherwise you could lock yourself out of SSH for good.
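As an added example (my own script, not code from the original post or from the DigitalOcean tutorial), the shell below applies the PAM and sshd_config edits from the steps above to files passed as arguments and then checks the result. The function names are this example’s own, and the sample files it rehearses on are constructed, trimmed stand-ins for the real ones. It also handles two sshd_config details the steps above do not spell out: sshd keeps the first value it sees for a keyword, and a keyword placed after a Match block only applies inside that block, so a line appended blindly to the bottom of a file that ends in a Match block would not apply to normal logins.

```shell
#!/bin/sh
# Added example, not code from the original post or from DigitalOcean: apply
# the PAM and sshd_config edits described above to whatever files are given
# as arguments, then check the result. Function names are this example's own.
# Paths are parameters so the edits can be rehearsed on scratch copies before
# being run as root against /etc/pam.d/sshd and /etc/ssh/sshd_config.
set -u

# Comment out "@include common-auth" so PAM stops asking for the Unix password;
# the Google Authenticator prompt is then the only keyboard-interactive
# challenge. Lines that are already commented are left alone.
disable_common_auth() {
  pam_file=$1; tmp=$(mktemp)
  awk '/^[ \t]*@include[ \t]+common-auth[ \t]*$/ { print "# " $0; next }
       { print }' "$pam_file" > "$tmp" && mv "$tmp" "$pam_file"
}

# Append the TOTP module line once; nullok lets not-yet-enrolled users in.
add_pam_totp() {
  grep -q '^auth[[:space:]].*pam_google_authenticator\.so' "$1" ||
    printf '%s\n' 'auth required pam_google_authenticator.so nullok' >> "$1"
}

# Set a global sshd_config keyword. sshd keeps the FIRST value it sees, and a
# keyword placed after a "Match" block applies only inside that block, so this
# replaces the first global occurrence (commented or not), drops later global
# duplicates, and inserts a new keyword before the first Match block instead
# of appending it blindly to the end of the file.
set_sshd_option() {
  cfg=$1; key=$2; value=$3; tmp=$(mktemp)
  awk -v key="$key" -v value="$value" '
    BEGIN { lk = tolower(key); done = 0; in_match = 0 }
    {
      line = $0
      sub(/^[ \t]*#*[ \t]*/, "", line)   # strip indent and "#"
      split(line, f, /[ \t]+/)
      kw = tolower(f[1])
      active = ($0 !~ /^[ \t]*#/)
      if (!in_match && active && kw == "match") {
        if (!done) { print key " " value; done = 1 }
        in_match = 1
      }
      if (in_match) { print; next }
      if (kw == lk) {
        if (!done) { print key " " value; done = 1 }
        next
      }
      print
    }
    END { if (!done) print key " " value }
  ' "$cfg" > "$tmp" && mv "$tmp" "$cfg"
}

# Effective value of a global sshd_config keyword (first active line wins,
# Match blocks ignored); prints nothing if it is unset.
get_sshd_option() {
  awk -v key="$2" '
    BEGIN { lk = tolower(key) }
    /^[ \t]*#/ || NF == 0 { next }
    tolower($1) == "match" { exit }
    tolower($1) == lk { print $2; exit }
  ' "$1"
}

# All the edits from the steps above, in one go.
apply_totp_setup() {
  disable_common_auth "$1"
  add_pam_totp "$1"
  set_sshd_option "$2" ChallengeResponseAuthentication yes
  set_sshd_option "$2" UsePAM yes
  set_sshd_option "$2" PasswordAuthentication no
  set_sshd_option "$2" AuthenticationMethods publickey,keyboard-interactive
}

# Exit status 0 only if both files match the setup described in the post.
verify_totp_setup() {
  ! grep -Eq '^[[:space:]]*@include[[:space:]]+common-auth' "$1" &&
  grep -q '^auth[[:space:]].*pam_google_authenticator\.so' "$1" &&
  [ "$(get_sshd_option "$2" AuthenticationMethods)" = publickey,keyboard-interactive ] &&
  [ "$(get_sshd_option "$2" ChallengeResponseAuthentication)" = yes ] &&
  [ "$(get_sshd_option "$2" UsePAM)" = yes ] &&
  [ "$(get_sshd_option "$2" PasswordAuthentication)" = no ]
}

# Rehearsal on constructed scratch copies (trimmed stock Debian/Ubuntu files
# plus an active Match block to show the ordering problem), not the real ones.
demo=$(mktemp -d)
printf '%s\n' '# PAM configuration for the Secure Shell service' \
  '@include common-auth' 'account required pam_nologin.so' \
  '@include common-account' '@include common-session' > "$demo/pam_sshd"
printf '%s\n' 'Port 22' 'PermitRootLogin no' 'PasswordAuthentication no' \
  'ChallengeResponseAuthentication no' 'UsePAM yes' \
  'Match User sftponly' '    ForceCommand internal-sftp' > "$demo/sshd_config"
apply_totp_setup "$demo/pam_sshd" "$demo/sshd_config"
verify_totp_setup "$demo/pam_sshd" "$demo/sshd_config" && echo "scratch copies pass"
cat "$demo/sshd_config"
```

To use it on the real host, back up both files, run apply_totp_setup /etc/pam.d/sshd /etc/ssh/sshd_config as root, have sshd parse the result with sshd -t, and only then restart the service, keeping your existing session open while you test a fresh login from another terminal.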