How to add a 2FA to your SSH session

This guide demonstrates how to set up 2FA using DUO – This is just an example, you may use any other 2FA software.

On DUO website #

Step 1 #

Please create an account inside – free tier allows you to create up to 10 users.

Step 2 #

For IOS/Android: Download from App Store/Google Play app named Duo Mobile

Step 3 #

Open Duo Mobile, and press + symbol located in top right corner and scan the QR code from Duo website:


Step 4 #

Inside the DUO dashboard, create a new user which you are using to login into your server:


Step 5 #

Now add your phone:


Step 6

Follow the instruction on the screen to activate your phone:



Step 7 #

Generate your QR code:



Step 8 #

Send activation instructions via SMS:




Step 9 #

Now open your text app on your phone and click the activation link. DUO will open it and activate your app.


Step 10 #

Create a new Application that you want to protect.


Step 11 #

Type “UNIX App” and click on it.



Step 12 #

Now copy all the keys into your notepad


Step 13 #

Scroll down to the settings and fill it up


On your server #

Step 14 #

Make sure you’ve installed Development Tools:

$ sudo yum group install "Development Tools"


Step 15 #

Download the DUO source and unpack it:

$ wget
$ tar xfz duo_unix-latest.tar.gz
$ cd duo_unix-*


Step 16 #

Now compile source and install app:

$ ./configure --with-pam --prefix=/usr && make && sudo make install


Step 17 #

Edit now /etc/duo/login_duo.conf file and fill with the copied codes from your notepad.


Step 18 #

Test now your DUO. If you received 2FA request to your phone, and it’s working, you can proceed to next step

$ /usr/sbin/login_duo


Step 19 #

Add DUO layer to your SSH config:

$ echo “ForceCommand /usr/sbin/login_duo” >> /etc/ssh/sshd_config


Step 20 #

Now copy our integrated key & secret key & host to /etc/login_duo.conf


Step 21 #

Restart your SSH daemon:


$ service sshd restart


$ service ssh restart