Don't log in with a password. Generate an SSH key pair and push the public key to your VM. This walkthrough leaves the private key without a passphrase, so anyone who copies the file can use it: keep it at mode 0600, and see the ssh-agent note at the end if you want a passphrase without typing it on every connection.
If you already have an SSH key, you can skip this step…
Press Enter at the file prompt to accept the default path, and again at both passphrase prompts to leave the key unprotected (the transcript uses 2048-bit RSA; on OpenSSH 6.5 or later, -t ed25519 with no -b is the better default):
$ ssh-keygen -t rsa -b 2048
Generating public/private rsa key pair.
Enter file in which to save the key (/home/username/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/username/.ssh/id_rsa.
Your public key has been saved in /home/username/.ssh/id_rsa.pub.
Copy your public key (id_rsa.pub; the private id_rsa never leaves your machine) to the target server:
$ ssh-copy-id id@server
id@server's password:
Now try logging into the machine, with "ssh 'id@server'", and check in:

  .ssh/authorized_keys

to make sure we haven't added extra keys that you weren't expecting.
Note: ssh-copy-id creates the remote .ssh directory and authorized_keys file if they are missing. If you paste the key in by hand instead, create the directory (mode 700) and the file (mode 600) first; with the default StrictModes, sshd ignores a key file or directory that is group- or world-writable, and you will be back at the password prompt without an error.
Finally, confirm that you can log in without being asked for a password:
$ ssh id@server
id@server:~$
If you would rather keep the private key protected with a passphrase, look into ssh-agent: it holds the decrypted key in memory so you type the passphrase once per session instead of on every connection.
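As an added example that is not part of the original page, the following POSIX shell script does by hand what ssh-copy-id does on the server side, and adds the audit step the ssh-copy-id message asks for: it installs a public key with the permissions sshd's StrictModes expects, refuses to add the same key twice, and lists any authorized_keys entry that is not one of the keys you meant to install. Paths are parameters so it can be tried on a scratch directory; generate_key is optional and needs ssh-keygen; the placeholder key strings in the usage comments are constructed, not real keys.

```shell
#!/bin/sh
# Added example, not part of the original page. Paths are parameters so the
# functions can be exercised on a scratch directory before touching ~/.ssh.

# generate_key DIR [PASSPHRASE]: create an ed25519 key pair (OpenSSH 6.5+).
# The page's walkthrough leaves the passphrase empty; pass one to protect the key.
generate_key() {
    ssh-keygen -t ed25519 -N "${2:-}" -f "$1/id_ed25519" -C "$(id -un)@$(hostname)"
}

# install_pubkey PUBKEY_FILE SSH_DIR: what ssh-copy-id does on the remote side.
# StrictModes (on by default) makes sshd ignore authorized_keys when the directory
# or file is group/world writable, so the permissions are set explicitly.
install_pubkey() {
    pub=$1; dir=$2; ak=$dir/authorized_keys
    [ -d "$dir" ] || mkdir -m 700 "$dir"
    [ -f "$ak" ] || { : > "$ak"; chmod 600 "$ak"; }
    # compare only "type blob"; the trailing comment is free text
    keyblob=$(awk '{print $1" "$2}' "$pub")
    grep -Fq -- "$keyblob" "$ak" && return 0
    cat "$pub" >> "$ak"
}

# check_perms SSH_DIR: true if the directory is 0700 and authorized_keys is 0600,
# the permissions ssh-copy-id sets.
check_perms() {
    [ -n "$(find "$1" -prune -perm 700)" ] &&
    [ -n "$(find "$1/authorized_keys" -prune -perm 600)" ]
}

# unexpected_keys AUTHORIZED_KEYS PUBKEY_FILE...: print every entry whose key is
# not one of the given public keys; return 1 if any were found. This is the
# "make sure we haven't added extra keys" check from the ssh-copy-id message.
unexpected_keys() {
    ak=$1; shift
    expected=$(for f in "$@"; do awk '{print $1" "$2}' "$f"; done)
    found=0
    while IFS= read -r line; do
        case $line in ''|'#'*) continue ;; esac
        # entries may carry options before the key type (from="...",no-pty ...)
        blob=$(printf '%s\n' "$line" | awk '{
            for (i = 1; i < NF; i++)
                if ($i ~ /^(ssh-|ecdsa-|sk-)/) { print $i" "$(i+1); exit } }')
        if ! printf '%s\n' "$expected" | grep -Fqx -- "$blob"; then
            printf '%s\n' "$line"
            found=1
        fi
    done < "$ak"
    return $found
}

# Usage on a scratch directory with a constructed placeholder key (not a real key):
#   printf 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERkey alice@laptop\n' > /tmp/k.pub
#   install_pubkey /tmp/k.pub /tmp/scratch-ssh
#   check_perms /tmp/scratch-ssh && echo "permissions ok"
#   unexpected_keys /tmp/scratch-ssh/authorized_keys /tmp/k.pub && echo "only expected keys"
```

unexpected_keys matches on the key type and base64 blob only, so a renamed comment does not trip it, while an entry you did not install, even one hidden behind from= or command= options, is printed and the function returns non-zero. Run it on the server after every ssh-copy-id, or from a cron job, against the public keys you actually hand out.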
Red Hat have added a patch to OpenSSH in RHEL (and therefore CentOS) 6.3 to require multiple authentication mechanisms, so you can do something like this:
RequiredAuthentications2 publickey,keyboard-interactive
See the release notes for not much more detail.
Unfortunately this feature doesn't seem to be in OpenSSH upstream nor Ubuntu 12.04, so unless you want to find the patch and recompile OpenSSH I'm afraid you're out of luck.
Best Answer
Yes, I have a setup where I can ssh to my server using public key authentication, with a fallback to two-factor authentication with Google Authenticator + password when my private key is not available. These are the steps you can use to set it up.

Installing Google Authenticator
My server is running Ubuntu Bionic Beaver (18.04.1). You can install Google Authenticator using apt:

Configuring sshd
Open /etc/pam.d/sshd and add the following line at the top:

Open /etc/ssh/sshd_config and change one line. The existing line is
and you should change it to
Configuring Google Authenticator for Your Account
The next step is to turn on Google Authenticator for your account. You do this by simply running:
Make sure you run this as the user who will be making ssh connections, not root. Make a note of your new secret key and your emergency scratch codes. The wizard will ask you several questions to configure the security settings for your account.
Configuring Your Mobile App
I use the Google Authenticator app for iPhone. This app has a [+] button that allows me to add a new Time Based Token using the secret key I obtained from the google-authenticator command on my server. It was trivial to set up. I can't help you with apps on any other platform, but I imagine the process is equally simple.

Pulling the Trigger
The last thing you need to do is restart sshd. At this point, when you try to connect to the server when your private key is available, authentication just works. When your private key is not available, you will get a prompt for a verification code, then your account password.
Bingo, two-factor authentication.
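The answer above describes installing the PAM module, putting a line at the top of /etc/pam.d/sshd, changing one line in /etc/ssh/sshd_config and restarting sshd, but the lines themselves did not survive on this page. As an added example that is not the answerer's own text, the script below applies that configuration, and also the stricter key-and-code variant the RHEL answer obtains with RequiredAuthentications2, using the AuthenticationMethods directive that upstream OpenSSH has carried since 6.2. It assumes the Debian/Ubuntu package name libpam-google-authenticator and the directive names of the OpenSSH 7.x shipped with Ubuntu 18.04 (ChallengeResponseAuthentication; newer releases spell it KbdInteractiveAuthentication). File paths are parameters so you can run it against copies first.

```shell
#!/bin/sh
# Added example, not the answerer's own configuration. Assumes Ubuntu 18.04-era
# OpenSSH and the libpam-google-authenticator package; try it on copies of the
# files first, then run with "apply" as root after backing up the originals.

# get_sshd_option FILE KEY: print the value of the first uncommented KEY line,
# which is the one sshd actually uses (it takes the first occurrence).
get_sshd_option() {
    awk -v k="$2" 'tolower($1) == tolower(k) { sub(/^[^ \t]+[ \t]+/, ""); print; exit }' "$1"
}

# set_sshd_option FILE KEY VALUE: rewrite every (possibly commented-out) KEY line,
# or insert "KEY VALUE" before the first Match block, since anything appended
# after a Match line would apply only inside that block.
set_sshd_option() {
    file=$1; key=$2; value=$3
    if grep -Eq "^[#[:space:]]*$key[[:space:]]" "$file"; then
        sed -E "s|^[#[:space:]]*$key[[:space:]].*|$key $value|" "$file" > "$file.tmp"
    else
        awk -v line="$key $value" '
            !done && /^[[:space:]]*Match[[:space:]]/ { print line; done = 1 }
            { print }
            END { if (!done) print line }' "$file" > "$file.tmp"
    fi
    mv "$file.tmp" "$file"
}

# add_pam_otp PAM_FILE: put the verification-code module first, as the answer
# does, so the code is asked for before the password (which common-auth checks).
add_pam_otp() {
    grep -q 'pam_google_authenticator.so' "$1" && return 0
    { echo 'auth required pam_google_authenticator.so'; cat "$1"; } > "$1.tmp"
    mv "$1.tmp" "$1"
}

# configure_sshd FILE MODE
#   fallback: key alone OR (code + password), the behaviour the answer describes
#   both:     key AND (code + password), what RequiredAuthentications2 gave on RHEL
# PasswordAuthentication is switched off so a bare password can never be offered
# without the code; keyboard-interactive still reaches the PAM stack.
configure_sshd() {
    cfg=$1
    case $2 in
        fallback) methods='publickey keyboard-interactive' ;;
        both)     methods='publickey,keyboard-interactive' ;;
        *) echo "configure_sshd: mode must be fallback or both" >&2; return 1 ;;
    esac
    set_sshd_option "$cfg" UsePAM yes
    set_sshd_option "$cfg" ChallengeResponseAuthentication yes
    set_sshd_option "$cfg" PasswordAuthentication no
    set_sshd_option "$cfg" AuthenticationMethods "$methods"
}

# "apply [fallback|both]" edits the live files; sshd -t refuses to restart a
# daemon with a broken config, which is what would lock you out.
if [ "${1:-}" = "apply" ]; then
    apt-get install -y libpam-google-authenticator
    add_pam_otp /etc/pam.d/sshd
    configure_sshd /etc/ssh/sshd_config "${2:-fallback}"
    /usr/sbin/sshd -t && systemctl restart ssh   # the unit is named ssh on Ubuntu
fi
```

Keep an existing session open while you do this: until google-authenticator has been run for an account, that account has no secret and keyboard-interactive fails for it, so with the "both" mode nobody without a configured token can log in at all. set_sshd_option rewrites every matching line, including ones inside a Match block, so diff the result against your backup before restarting.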