Why I Enable Multi-Factor Authentication (MFA) for SSH on Linux Servers
Strong passwords are dead. Even SSH keys, while powerful, can be stolen if a laptop is compromised or an agent is hijacked. That’s why on critical Linux servers, I go one step further: I enable MFA (multi-factor authentication) for SSH access.
It’s one of the simplest ways to stop attackers cold — even if they somehow get your key.
🚨 The Problem With Relying on Keys Alone
- If your private key is copied (via malware or stolen laptop), attackers can log in without raising alarms.
- SSH agent forwarding can be hijacked if a jump host is compromised.
- Lost or forgotten keys create a rotation nightmare.
SSH keys are strong — but not invincible. That’s why I add a second layer of protection.
🔐 Step 1: Install Google Authenticator or Authy PAM Module
On Ubuntu/Debian:
apt install libpam-google-authenticator -y
On RHEL/CentOS:
yum install google-authenticator -y
Each user runs:
google-authenticator
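Because enrollment is per user, it helps to confirm who has actually run the command before MFA is enforced. The script below is an added example, not code from the original post: it reports, for each account with a login shell, whether a TOTP secret file exists and whether it is readable only by its owner.
Assumptions: the secret lives at the default path ~/.google_authenticator; the function names and the HOME_PREFIX argument are hypothetical helpers; the passwd entries and home directories are a constructed fixture.

```shell
#!/usr/bin/env bash
# Added example: audit TOTP enrollment for accounts that can log in.
# Assumes the default secret path ~/.google_authenticator.

# mfa_enrollment_audit PASSWD_FILE [HOME_PREFIX]
# Prints "user:status" per interactive account. HOME_PREFIX (hypothetical)
# lets the check run against a fixture tree instead of the live filesystem.
mfa_enrollment_audit() {
    local passwd_file=$1 prefix=${2:-}
    local user _pw _uid _gid _gecos home shell secret mode
    while IFS=: read -r user _pw _uid _gid _gecos home shell; do
        case $shell in
            */nologin|*/false) continue ;;   # service accounts cannot log in
        esac
        secret="$prefix$home/.google_authenticator"
        if [ ! -f "$secret" ]; then
            echo "$user:not-enrolled"
            continue
        fi
        mode=$(stat -c '%a' "$secret")       # GNU stat, octal permission bits
        case $mode in
            400|600) echo "$user:enrolled" ;;
            # Any group/other bit lets other local users read the TOTP seed.
            *)       echo "$user:secret-exposed($mode)" ;;
        esac
    done < "$passwd_file"
}

# Builds a constructed fixture: a fake passwd file plus home directories.
make_constructed_fixture() {
    local root
    root=$(mktemp -d)
    mkdir -p "$root/home/alice" "$root/home/bob" "$root/home/carol"
    cat > "$root/passwd" <<'EOF'
alice:x:1000:1000::/home/alice:/bin/bash
bob:x:1001:1001::/home/bob:/bin/bash
carol:x:1002:1002::/home/carol:/bin/zsh
backup:x:34:34::/var/backups:/usr/sbin/nologin
EOF
    : > "$root/home/alice/.google_authenticator"
    chmod 600 "$root/home/alice/.google_authenticator"
    : > "$root/home/carol/.google_authenticator"
    chmod 644 "$root/home/carol/.google_authenticator"
    echo "$root"
}

fixture=$(make_constructed_fixture)
mfa_enrollment_audit "$fixture/passwd" "$fixture"
rm -rf "$fixture"
```

On a live host, run the function as root against /etc/passwd with no prefix argument.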