@NicolaiSoeborg
Last active June 7, 2020 15:19
```bash
# Install fail2ban (ratelimit auth) and google auth (MFA)
sudo apt install fail2ban libpam-google-authenticator

# Setup MFA:
google-authenticator
# I'm using: y, y, n, n, y
```

Add `auth required pam_google_authenticator.so` to the end of `/etc/pam.d/sshd`.
Also comment out `@include common-auth` after doing the steps below.

In `/etc/ssh/sshd_config`:

* set `ChallengeResponseAuthentication yes`
* add `AuthenticationMethods publickey,password publickey,keyboard-interactive`

## Stuff to keep in mind

If your home folder is encrypted (i.e. per-user encrypted folders, not full disk encryption), then the folder needs to be decrypted before `~/.google_authenticator` can be read, or you need to move the MFA secret.

If you are rolling out MFA on a system with multiple users, you probably want to use `auth required pam_google_authenticator.so nullok` until everyone uses MFA.
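
To confirm that the edits to `/etc/ssh/sshd_config` and `/etc/pam.d/sshd` described above are in place, and to spot a leftover `nullok`, the following audit script can be run against both files. It is an added example, not part of the original gist; the function names `sshd_value` and `check_ssh_mfa` are hypothetical, and it assumes a flat `sshd_config` without `Match` blocks, `Include` files or `Keyword=value` lines.

```shell
# Added example (not from the gist): offline audit of the two edited files.
# Assumes no Match blocks, Include files or "Keyword=value" lines in sshd_config.

# Print the first value of an sshd_config keyword (sshd uses the first match).
# $1 = file, $2 = lowercase keyword regex
sshd_value() {
  awk -v k="$2" 'tolower($1) ~ ("^(" k ")$") { $1 = ""; sub(/^[ \t]+/, ""); print; exit }' "$1"
}

# $1 = sshd_config path, $2 = PAM sshd file; prints findings, returns failure count.
check_ssh_mfa() {
  local cfg="$1" pam="$2" fails=0 kbd methods m
  # KbdInteractiveAuthentication is the newer OpenSSH name for the same switch.
  kbd=$(sshd_value "$cfg" 'challengeresponseauthentication|kbdinteractiveauthentication')
  if [ "$(printf '%s' "$kbd" | tr 'A-Z' 'a-z')" != yes ]; then
    echo "FAIL: keyboard-interactive auth is not enabled"; fails=$((fails + 1))
  fi
  methods=$(sshd_value "$cfg" authenticationmethods)
  if [ -z "$methods" ]; then
    echo "FAIL: AuthenticationMethods is not set"; fails=$((fails + 1))
  fi
  for m in $methods; do   # each space-separated list is one accepted login path
    case $m in
      *,*) ;;             # two or more methods chained with commas
      *) echo "FAIL: single-factor path allowed: $m"; fails=$((fails + 1)) ;;
    esac
  done
  if ! grep -Eq '^[[:space:]]*auth[[:space:]].*pam_google_authenticator\.so' "$pam"; then
    echo "FAIL: pam_google_authenticator.so is not active in $pam"; fails=$((fails + 1))
  fi
  if grep -Eq '^[[:space:]]*@include[[:space:]]+common-auth' "$pam"; then
    echo "FAIL: @include common-auth is still active"; fails=$((fails + 1))
  fi
  if grep -Eq '^[[:space:]]*auth[[:space:]].*pam_google_authenticator\.so.*nullok' "$pam"; then
    echo "WARN: nullok set, users without ~/.google_authenticator skip MFA"
  fi
  return "$fails"
}

# Stand-alone use: sh check.sh /etc/ssh/sshd_config /etc/pam.d/sshd
if [ "$#" -eq 2 ]; then check_ssh_mfa "$1" "$2"; fi
```

Run `sudo sshd -t` to validate the configuration syntax before restarting the SSH service, and keep an existing session open until a fresh login with key plus code has succeeded.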