sudo pacman -S libpam-google-authenticator
sudo pacman -S qrencode
sudo vim /etc/pam.d/sshd
Add to top of file below PAM-1.0 line
auth required pam_google_authenticator.so
To allow only publickey + 2fa (no password) then comment out this line
#auth include system-remote-login
sudo vim /etc/ssh/sshd_config
ChallengeResponseAuthentication yes
UsePAM yes
Add to bottom of file to require publickey + 2fa
AuthenticationMethods publickey,keyboard-interactive:pam
sudo systemctl restart sshd.service
google-authenticator