Securing SSH with PAM Authentication: A Technical Guide for System Administrators

I'm setting up a new server environment and need to make sure our SSH access is as secure as possible. I've heard PAM authentication is the way to go for added layers of security beyond just keys. Can someone walk me through how to properly configure it for SSH?

1 Answer

✓ Best Answer

🛡️ Securing SSH with PAM Authentication

PAM (Pluggable Authentication Modules) provides a flexible way to authenticate users for various services, including SSH. Using PAM, you can add extra layers of security, such as two-factor authentication, without modifying the SSH daemon itself. Here's a technical guide for system administrators:

✅ Prerequisites

  • A Linux system with SSH installed.
  • Root or sudo privileges.
  • Basic understanding of SSH and PAM configuration files.

โš™๏ธ Step 1: Install Necessary PAM Modules

Ensure you have the required PAM modules installed. For example, to use Google Authenticator for two-factor authentication, install the libpam-google-authenticator package.


sudo apt update
sudo apt install libpam-google-authenticator

โœ๏ธ Step 2: Configure PAM for SSH

Edit the SSH PAM configuration file. This is typically located at /etc/pam.d/sshd or /etc/pam.d/sshd-login.


sudo nano /etc/pam.d/sshd

Add the following line to enable Google Authenticator:


auth required pam_google_authenticator.so

Place this line before the @include common-auth line to enforce two-factor authentication before other methods.

🔑 Step 3: Configure SSH Daemon

Ensure that SSH is configured to use PAM. Edit the SSH daemon configuration file (/etc/ssh/sshd_config).


sudo nano /etc/ssh/sshd_config

Make sure the following options are set:


UsePAM yes
AuthenticationMethods publickey,password keyboard-interactive

If you want to enforce two-factor authentication, remove password from AuthenticationMethods after users have set up their two-factor authentication.

🔑 Step 4: Configure User Accounts

For Google Authenticator, each user needs to generate their secret key and configure their authenticator app. Run the following command as the user:


google-authenticator

Follow the prompts to set up the authenticator app. This will generate a QR code and recovery codes.

🔄 Step 5: Restart SSH Service

Restart the SSH service to apply the changes.


sudo systemctl restart sshd

🧪 Step 6: Test the Configuration

Attempt to SSH into the server. You should be prompted for your password and then the Google Authenticator code.

💡 Benefits of Using PAM for SSH

  • Flexibility: PAM allows you to easily add or change authentication methods without modifying the SSH daemon.
  • Enhanced Security: You can implement multi-factor authentication.
  • Centralized Authentication: PAM can integrate with other authentication systems, such as LDAP or Kerberos.

โ— Troubleshooting

  • Check the system logs (/var/log/auth.log or /var/log/secure) for any PAM-related errors.
  • Ensure that the PAM modules are correctly installed and configured.
  • Verify that the SSH daemon is configured to use PAM.

By following these steps, you can significantly enhance the security of your SSH server using PAM authentication.
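
One way to check the files edited in Steps 2 and 3 before restarting sshd, as an added example that is not part of the original answer: this Python sketch reads the text of sshd_config and /etc/pam.d/sshd and reports settings that keep the verification-code prompt from being reached. The function names and sample strings are constructed for illustration. The KbdInteractiveAuthentication / ChallengeResponseAuthentication check is not mentioned in the answer; it is included because keyboard-interactive is the SSH method that relays PAM prompts and some distributions ship it disabled.

```python
# Added example (not from the original answer): audit the two files the guide edits.
def parse_sshd(text):
    """Global sshd_config options as {lowercased keyword: value}; first value wins."""
    opts = {}
    for raw in text.splitlines():
        parts = raw.strip().split(None, 1)
        if not parts or parts[0].startswith("#"):
            continue
        if parts[0].lower() == "match":
            break  # conditional Match blocks are outside this sketch's scope
        opts.setdefault(parts[0].lower(), parts[1].strip() if len(parts) > 1 else "")
    return opts

def audit(sshd_text, pam_text):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    opts = parse_sshd(sshd_text)
    if opts.get("usepam", "no").lower() != "yes":
        findings.append("UsePAM is not 'yes'")
    for name in ("kbdinteractiveauthentication", "challengeresponseauthentication"):
        if opts.get(name, "yes").lower() == "no":
            findings.append(name + " is 'no'")
    # AuthenticationMethods: space-separated alternatives, each a comma-separated list
    for alt in opts.get("authenticationmethods", "").split():
        if "keyboard-interactive" not in [m.split(":")[0] for m in alt.split(",")]:
            findings.append("alternative without keyboard-interactive: " + alt)
    # PAM stack: the TOTP module must be on an auth line, ahead of common-auth
    rows = [l.split() for l in pam_text.splitlines()
            if l.strip() and not l.lstrip().startswith("#")]
    totp = [i for i, f in enumerate(rows)
            if f[0] == "auth" and "pam_google_authenticator.so" in f]
    common = [i for i, f in enumerate(rows) if f[:2] == ["@include", "common-auth"]]
    if not totp:
        findings.append("no auth line loads pam_google_authenticator.so")
    elif common and totp[0] > common[0]:
        findings.append("pam_google_authenticator.so is after @include common-auth")
    return findings

# Constructed samples: the lines from Steps 2 and 3 of the answer above.
GUIDE_SSHD = "UsePAM yes\nAuthenticationMethods publickey,password keyboard-interactive\n"
GUIDE_PAM = "auth required pam_google_authenticator.so\n@include common-auth\n"

if __name__ == "__main__":
    for finding in audit(GUIDE_SSHD, GUIDE_PAM):
        print("FINDING:", finding)
```

On a real host, pass the contents of /etc/ssh/sshd_config and /etc/pam.d/sshd to audit() and keep an existing session open until it returns no findings and a fresh login succeeds.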
