Automating Two-Factor Authentication Setup on Ubuntu SSH
Naked SSH is a Ticking Time Bomb
Passwords leak. SSH keys get copied. Relying on a single line of defense to protect your servers is basically leaving the front door wide open. You already use two-factor authentication for your email and bank. Why aren't you using it for shell access to your servers? Adding an extra layer of defense isn't paranoid. It's mandatory. Setting up Google Authenticator for SSH makes online brute-force attacks impractical: an attacker now needs your password or key plus a six-digit code that changes every 30 seconds, and the PAM module can rate-limit guesses on top of that. But doing it manually on a dozen servers? Absolute nightmare.
Why We Automate the Headache Away
Nobody has time to edit config files by hand. Not when you're managing multiple environments. Here's the thing. A solid 2FA setup script for Ubuntu does all the heavy lifting in seconds. No typos. No missed steps. You just run the script, scan the QR code, and move on with your life. This is exactly why automating SSH 2FA is standard practice for lazy, smart sysadmins. We write the logic once. The server handles the rest.
The Guts of a Bulletproof Bash Script
Let's look at what the bash script actually needs to do. First, it grabs the `libpam-google-authenticator` package. Simple enough. Then it forces the generation of the secret key for the user who will be logging in. The script needs to pass the right flags so `google-authenticator` doesn't wait for human input: `-t` for time-based codes, `-d` to refuse a code that was already used, `-f` to write the file without asking, `-r 3 -R 30` to allow three attempts per 30 seconds, and `-w 3` to accept the codes for the neighbouring time steps. Because waiting defeats the whole purpose of automation. One catch: the tool writes the secret to `~/.google_authenticator` of whoever runs it, so run it as the login user (`sudo -u alice -H google-authenticator ...` for a user named alice), not as root through plain `sudo`, or the secret lands in root's home. It spits out your emergency scratch codes and the `otpauth://` setup URL. Grab those. Print them. Hide them under your mattress.
Taming the PAM Configuration
This is where things usually break. PAM. Pluggable Authentication Modules. Your script has to carefully append `auth required pam_google_authenticator.so` to `/etc/pam.d/sshd`, and append it only once, however many times the script is re-run. Do it wrong, and nobody gets in. Ever. On Ubuntu that file already has `@include common-auth`, so appending puts the code prompt after the password check. Add `nullok` to the line during rollout so users who haven't generated a secret yet can still log in, and drop it once everyone has one. A good script uses `sed` or `awk` to inject this line cleanly. Then it jumps over to `/etc/ssh/sshd_config` to flip `ChallengeResponseAuthentication` from no to yes (OpenSSH 8.7 and later, which means Ubuntu 22.04 and later, call it `KbdInteractiveAuthentication`; the old name is a deprecated alias, and since sshd takes the first value it sees for a directive, set both) and to make sure `UsePAM yes` is set. Caveat for key users: a public-key login never runs PAM's auth stack, so unless you also set `AuthenticationMethods publickey,keyboard-interactive`, only password logins get the second factor (and comment out `@include common-auth` if you want key plus code rather than key plus password plus code). Run `sshd -t` to validate the result, then a quick `systemctl restart ssh`, and the trap is set.
The Golden Rule of SSH Tinkering
Keep your current terminal session open. Seriously. Restarting sshd doesn't drop established sessions, so that window is your lifeline. Run the script, open a brand new terminal window, and try logging in. If sshd asks for a `Verification code:`, the code from your phone gets you a shell, and a wrong code gets you bounced, congratulations. You nailed it. (TOTP doesn't push anything to your phone; you read the code off the app and type it in.) If it rejects you outright, go back to your original, still-open window, check `/var/log/auth.log`, and fix whatever your script broke. Never close that lifeline until you verify the new setup works flawlessly. Once it does, close the door behind you.
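Here is the whole procedure from the last three sections (package, secret, PAM line, `sshd_config`, validation) as one idempotent script. It is an added example, not the article's own script: it assumes Ubuntu with OpenSSH, apt access to `libpam-google-authenticator`, and that you run it as root with a placeholder username (`alice` below); the helper names `set_sshd_option`, `first_option`, `count_pam_lines`, `ensure_pam_line` and `generate_secret` are mine. It goes a little beyond the text: it edits `sshd_config` by replacing the first occurrence of a directive (the one sshd honours), keeps an inserted line out of any `Match` block, sets both spellings of the keyboard-interactive option, adds `nullok` for the rollout period, and runs `sshd -t` before the restart.

```bash
#!/usr/bin/env bash
# Added example, not the article's own script. Assumes Ubuntu with OpenSSH,
# apt access to libpam-google-authenticator, and that you run it as root:
#   sudo bash setup-ssh-2fa.sh --apply alice     # alice is a placeholder user
# Without --apply nothing is changed; the helpers can be sourced and tried
# on copies of the config files first.
set -eu

PAM_SSHD=/etc/pam.d/sshd
SSHD_CONFIG=/etc/ssh/sshd_config
# "nullok" lets users with no ~/.google_authenticator yet log in during rollout;
# remove it once every account has a secret.
PAM_LINE='auth required pam_google_authenticator.so nullok'

# set_sshd_option FILE KEY VALUE
# sshd honours the first occurrence of a directive, so replace the first
# "KEY ..." or "#KEY ..." line in place (the commented-out defaults in the
# stock file are deliberate targets). If there is none, insert before the first
# Match block, because a line appended after "Match" would only apply inside
# that block; with no Match block at all, append.
set_sshd_option() {
    local file=$1 key=$2 value=$3 tmp
    tmp=$(mktemp)
    awk -v key="$key" -v value="$value" '
        BEGIN { done = 0; re = "^[ \t]*#?[ \t]*" tolower(key) "([ \t]|$)" }
        !done && tolower($0) ~ "^[ \t]*match[ \t]" { print key " " value; done = 1 }
        !done && tolower($0) ~ re { print key " " value; done = 1; next }
        { print }
        END { if (!done) print key " " value }
    ' "$file" > "$tmp"
    cat "$tmp" > "$file"      # overwrite in place: keeps owner and mode of FILE
    rm -f "$tmp"
}

# first_option FILE KEY: the value sshd will take from FILE (first uncommented
# hit). This ignores Include files; the live daemon is checked with "sshd -T".
first_option() {
    awk -v key="$2" 'tolower($1) == tolower(key) { print $2; exit }' "$1"
}

# count_pam_lines FILE: how many times the 2FA auth line is already present.
count_pam_lines() {
    grep -cE '^[[:space:]]*auth[[:space:]]+required[[:space:]]+pam_google_authenticator\.so' "$1" || true
}

# ensure_pam_line FILE: append the 2FA line exactly once. Appending places it
# after "@include common-auth": password first, verification code second.
ensure_pam_line() {
    local file=$1
    if [ "$(count_pam_lines "$file")" -eq 0 ]; then
        printf '%s\n' "$PAM_LINE" >> "$file"
    fi
}

# generate_secret USER: write ~USER/.google_authenticator without prompting and
# print the otpauth:// URL plus the emergency scratch codes. Flags:
#   -t time-based   -d disallow code reuse   -f write without confirmation
#   -r 3 -R 30 at most 3 attempts per 30 s   -w 3 accept neighbouring time steps
# Runs as the login user, not root, so the secret lands in the right home.
generate_secret() {
    local user=$1 noconfirm=
    # Newer builds ask you to type a code back to confirm the app; -C skips that.
    if google-authenticator --help 2>&1 | grep -q -- '--no-confirm'; then
        noconfirm=-C
    fi
    sudo -u "$user" -H google-authenticator -t -d -f -r 3 -R 30 -w 3 $noconfirm
}

main() {
    local user=${1:-${SUDO_USER:-$(id -un)}}
    DEBIAN_FRONTEND=noninteractive apt-get install -y libpam-google-authenticator
    generate_secret "$user"
    ensure_pam_line "$PAM_SSHD"
    # Both spellings: KbdInteractiveAuthentication is the current name (OpenSSH
    # 8.7+), ChallengeResponseAuthentication the deprecated alias still found in
    # older sshd_config files. sshd takes the first value it sees, so set both.
    set_sshd_option "$SSHD_CONFIG" KbdInteractiveAuthentication yes
    set_sshd_option "$SSHD_CONFIG" ChallengeResponseAuthentication yes
    set_sshd_option "$SSHD_CONFIG" UsePAM yes
    sshd -t                   # syntax check; with set -e a failure aborts before the restart
    systemctl restart ssh
    echo "Effective setting: $(sshd -T | grep -iE '^(kbdinteractive|challengeresponse)authentication')"
}

if [ "${1:-}" = "--apply" ]; then
    shift
    main "$@"
fi
```

The `sshd -T` line at the end matters on Ubuntu 22.04 and later, where `Include /etc/ssh/sshd_config.d/*.conf` sits at the top of `sshd_config` and anything in those files wins over what you just wrote. Once the script has run, do the new-window login test described above before closing the session you started from.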