DEV Community

Faruk
Posted on • Originally published at Medium

Why I Enable Multi-Factor Authentication (MFA) for SSH on Linux Servers | by Faruk Ahmed | Aug, 2025

Strong passwords are dead. Even SSH keys, while powerful, can be stolen if a laptop is compromised or an agent is hijacked. That’s why on critical Linux servers, I go one step further: I enable MFA (multi-factor authentication) for SSH access.

It’s one of the simplest ways to stop attackers cold — even if they somehow get your key.

🚨 The Problem With Relying on Keys Alone

  • If your private key is copied (via malware or a stolen laptop), attackers can log in without raising alarms.
  • SSH agent forwarding can be hijacked if a jump host is compromised.
  • Lost or forgotten keys create a rotation nightmare.

SSH keys are strong — but not invincible. That’s why I add a second layer of protection.

🔐 Step 1: Install Google Authenticator or Authy PAM Module

On Ubuntu/Debian:

apt install libpam-google-authenticator -y

On RHEL/CentOS:

yum install google-authenticator -y

Each user runs:

google-authenticator
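
Because every user has to run google-authenticator themselves, it is worth confirming who has actually enrolled before the second factor is required for logins. The script below is an added example, not part of the original post; it assumes the tool's default secret path (~/.google_authenticator) and home directories under one root such as /home, and the function name audit_mfa_enrollment is hypothetical.

```shell
#!/bin/sh
# Added example: report accounts that accept SSH key logins but have not
# enrolled in MFA, or whose secret file is readable beyond the owner.
# Assumption: secrets live at the default path ~/.google_authenticator.

# audit_mfa_enrollment HOME_ROOT
# Prints one line per finding, "<user> <status>":
#   missing - authorized_keys present, no secret file (user never enrolled)
#   loose   - secret file has group/other permission bits set
audit_mfa_enrollment() {
    home_root=$1
    for home in "$home_root"/*/; do
        [ -d "$home" ] || continue
        home=${home%/}
        user=${home##*/}

        # Only accounts that can log in with a key are relevant here.
        [ -s "$home/.ssh/authorized_keys" ] || continue

        secret="$home/.google_authenticator"
        if [ ! -f "$secret" ]; then
            echo "$user missing"
            continue
        fi

        # Characters 5-10 of the ls mode string are the group and other bits;
        # the TOTP seed must be accessible to the owner only.
        mode=$(ls -l "$secret" | cut -c5-10)
        if [ "$mode" != "------" ]; then
            echo "$user loose"
        fi
    done
}

# Stand-alone use: sh audit.sh /home
if [ "$#" -gt 0 ]; then
    audit_mfa_enrollment "$1"
fi
```

An empty result means every key-enabled account under that root has a secret file with owner-only permissions. Accounts whose home is elsewhere (root, service users) need their own pass.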
