# Enable 2FA

## Enable Two-Factor Authentication <a href="#optional-enable-two-factor-authentication" id="optional-enable-two-factor-authentication"></a>

SSH can also be configured to require a Google Authenticator code, which means that an attacker who somehow compromised your SSH key and its passphrase would **still need the device with the authenticator app on it** (presumably your phone). This adds an extra layer of security to your system.

{% hint style="info" %}
WARNING

We **strongly recommend** that you open a second terminal with an SSH connection to your node, just in case you misconfigure something. This way, you will have a backup that is still connected in case you lock yourself out, so you can easily undo your mistakes.

If you **do** manage to lock yourself out, you will need to physically access your node via its local monitor and keyboard to log in and repair the misconfiguration.
{% endhint %}

Start by installing [Google Authenticator](https://play.google.com/store/apps/details?id=com.google.android.apps.authenticator2\&hl=en_US\&gl=US) (or a compatible equivalent) on your phone if you don't already have it. For Android users, consider [andOTP](https://play.google.com/store/apps/details?id=org.shadowice.flocke.andotp\&hl=en_US\&gl=US) which is an open-source alternative that supports password locking and convenient backups.

Next, install the Google Authenticator module on your node with this command:

```
sudo apt install -y libpam-google-authenticator
```

Now tell PAM (Pluggable Authentication Modules) to use this module. First, open the config file:

```
sudo nano /etc/pam.d/sshd
```

Find `@include common-auth` (it should be at the top) and comment it out by adding a `#` in front of it, so it looks like this:

```
# Standard Un*x authentication.
#@include common-auth
```

Next, add these lines to the top of the file:

```
# Enable Google Authenticator
auth required pam_google_authenticator.so
```

Then save and exit the file with `Ctrl+O`, `Enter`, and `Ctrl+X`.

Now that `PAM` knows to use Google Authenticator, the next step is to tell `sshd` to use `PAM`. Open the `sshd` config file:

```
sudo nano /etc/ssh/sshd_config
```

Now change the line `KbdInteractiveAuthentication no` to `KbdInteractiveAuthentication yes` so it looks like this:

```
# Change to yes to enable challenge-response passwords (beware issues with
# some PAM modules and threads)
KbdInteractiveAuthentication yes
```

(Older versions of SSH call this option `ChallengeResponseAuthentication` instead of `KbdInteractiveAuthentication`.)

Add the following line to the bottom of the file, which indicates to `sshd` that it needs both an SSH key and the Google Authenticator code:

```
AuthenticationMethods publickey,keyboard-interactive:pam
```

Then save and exit the file with `Ctrl+O`, `Enter`, and `Ctrl+X`.

Now that `sshd` is set up, we need to create our 2FA codes. In your terminal, run:

```
google-authenticator
```

First, it will ask you about time-based tokens. Say `y` to this question:

```
Do you want authentication tokens to be time-based: y
```

You will now see a big QR code on your screen; scan it with your Google Authenticator app to add it. You will also see your secret and a few backup codes looking like this:

```
Your new secret key is: IRG2TALMR5U2LK5VQ5AQIG3HA4
Your verification code is 282436
Your emergency scratch codes are:
  29778030
  86888537
  50553659
  41403052
  82649596
```

{% hint style="info" %}
NOTE

Record the emergency scratch codes somewhere safe in case you need to log into the machine but don't have your 2FA app handy. Without the app, you will no longer be able to SSH into the machine!
{% endhint %}

Finally, it will ask you for some more parameters; the recommended defaults are as follows:

```
Do you want me to update your "/<username>/.google_authenticator" file: y
Do you want to disallow multiple uses of the same authentication token: y
By default... < long story about time skew > ... Do you want to do so: n
Do you want to enable rate-limiting: y
```

Once you're done, restart `sshd` so it grabs the new settings:

```
sudo systemctl restart sshd
```

When you try to SSH into your server with your SSH keys, you should now also be asked for a 2FA verification code, but not for a password.
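The PAM and `sshd_config` edits above can be scripted so they are applied once, backed up, and validated before `sshd` is restarted. The script below is an added example, not part of the original guide: `configure_pam_2fa`, `configure_sshd_2fa` and `check_2fa_config` are hypothetical helper names, it assumes the Debian/Ubuntu file layout used in this guide, and it takes file paths as arguments so you can rehearse on copies before touching `/etc`.

```bash
#!/usr/bin/env bash
# Added example (not from the original guide): apply the PAM and sshd edits
# above idempotently to the paths given, keep a .pre-2fa backup, and suggest a
# restart only once `sshd -t` accepts the result. Assumes the guide's Debian layout.
set -u

configure_pam_2fa() {    # $1 = /etc/pam.d/sshd (or a copy of it)
    local f=$1
    [ -f "$f.pre-2fa" ] || cp -p "$f" "$f.pre-2fa"   # keep a way back
    # comment out common-auth so the password stack is no longer consulted
    sed -i 's/^[[:space:]]*@include common-auth[[:space:]]*$/#@include common-auth/' "$f"
    # put the authenticator module at the top of the stack, but only once
    if ! grep -q '^auth required pam_google_authenticator.so' "$f"; then
        { printf '# Enable Google Authenticator\nauth required pam_google_authenticator.so\n'
          cat "$f"; } > "$f.tmp" && cat "$f.tmp" > "$f" && rm "$f.tmp"
    fi
}

configure_sshd_2fa() {   # $1 = /etc/ssh/sshd_config (or a copy of it)
    local f=$1 opt=KbdInteractiveAuthentication
    [ -f "$f.pre-2fa" ] || cp -p "$f" "$f.pre-2fa"
    # older OpenSSH only knows the option as ChallengeResponseAuthentication
    if grep -q '^[#[:space:]]*ChallengeResponseAuthentication' "$f" &&
       ! grep -q '^[#[:space:]]*KbdInteractiveAuthentication' "$f"; then
        opt=ChallengeResponseAuthentication
    fi
    if grep -q "^[#[:space:]]*$opt" "$f"; then
        sed -i "s/^[#[:space:]]*$opt.*/$opt yes/" "$f"   # also un-comments it
    else
        printf '%s yes\n' "$opt" >> "$f"
    fi
    # sshd keeps the first value it reads, so an sshd_config.d drop-in that already sets this wins
    grep -q '^AuthenticationMethods publickey,keyboard-interactive:pam' "$f" ||
        printf 'AuthenticationMethods publickey,keyboard-interactive:pam\n' >> "$f"
}

check_2fa_config() {     # $1 = pam file, $2 = sshd_config; succeeds only if both are wired up
    grep -q '^#@include common-auth' "$1" &&
    grep -q '^auth required pam_google_authenticator.so' "$1" &&
    grep -Eq '^(KbdInteractive|ChallengeResponse)Authentication yes' "$2" &&
    grep -q '^AuthenticationMethods publickey,keyboard-interactive:pam' "$2"
}

# Touches the live files only as root with --apply; keep the second terminal from the warning open.
if [ "${1:-}" = "--apply" ] && [ "$(id -u)" = 0 ]; then
    configure_pam_2fa /etc/pam.d/sshd
    configure_sshd_2fa /etc/ssh/sshd_config
    sshd -t && check_2fa_config /etc/pam.d/sshd /etc/ssh/sshd_config &&
        echo "config valid: now run  sudo systemctl restart sshd"
fi
```

After restarting, `sshd -T | grep -i authenticationmethods` shows the value `sshd` actually uses, which is the quickest way to confirm no drop-in file overrode the appended line.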
