In order to protect your SSH against hacks, the most basic you can do is to change the port, but that is never enough. We know the basics to be disable root logins, change port, enable pubkey authentication, IP based blocking and so on. However, one shoe never fits all. If you keep changing computers, it is very difficult to setup pubkey authentication on all computers, specially if you are not using your personal computer to login.

That is where the TOTP comes in. You still have to carry around a mobile phone, but I think we all do now a days.

Install google authenticator:

sudo apt install libpam-google-authenticator

and enable it for SSH:

sudo nano /etc/pam.d/sshd

Append to the bottom:

auth required

And edit the ssh config file:

sudo nano /etc/ssh/sshd_config

to enable it in SSH config as well as change the SSH port

Port 15491 # change this to something random, preferably 5 digits
# Change to yes to enable challenge-response passwords (beware issues with
# some PAM modules and threads)
ChallengeResponseAuthentication yes # CHANGE THIS TO YES

Now prepare your phone with your favorite TOTP app, like google authenticator and run this command in shell:


And answer as following:

Make tokens “time-base”": **yes
Update the .google_authenticator file: **yes
Disallow multiple uses: **yes
Increase the original generation time limit: **no
Enable rate-limiting: **yes**

And then just restart ssh for the changes to take effect.

sudo systemctl restart sshd

Now use terminal on linux/mac or putty on windows to login. Do note that BitviseSSH does not work properly with this for some reason…