Install Google Authenticator package on your server (let us call it ServerName)
sudo apt-get install libpam-google-authenticator
Integrate Google Authenticator into system's PAM (password authentication module)
sudo vi /etc/pam.d/sshd and add the following line (at the bottom)
auth required pam_google_authenticator.so
Configure SSH to perform Challenge Response Authentication
sudo vi /etc/ssh/sshd_config and ensure following line exists
ChallengeResponseAuthentication yes
service ssh restart
Launch Google Authenticator command to enable it and register it with your mobile
google-authenticator this command will generate a QRcode which you should scan using Google Authenticator app installed on your mobile. Alternatively, this command also generates a list of 5 one-time verification codes
Each user of the ServerName machine must run this command in order to SSH into ServerName
Try to ssh localhost, it should work (it should ask you verification code followed by password)
ssh to ServerName from same machine, it should work
ssh from another machine, if it does not work, the clocks of ServerName and SSH client machines are out of sync
sudo apt-get install ntp on ServerName machine and appropriate measures on client machine
Google Authenticator code for installation on Debian or other OS
Updated on: June 29, 2013