Even if someone steals your private key, 2FA means they still can’t get in without the second factor.
Install
# Ubuntu/Debian
sudo apt install libpam-google-authenticator
# RHEL/CentOS
sudo yum install google-authenticator
Configure
google-authenticator
Prompts to answer: time-based tokens → Yes, update ~/.google_authenticator → Yes, disallow multiple uses → Yes, increase time window → No (unless you have time sync issues), enable rate-limiting → Yes.
Scan the QR code with Google Authenticator, Authy, or any TOTP app.
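To make the prompts above concrete, here is an added example (not code from this guide or from the google-authenticator project) of RFC 6238 TOTP generation and a server-side verifier that mirrors two of those prompts: the skew window that "increase time window" widens, and the replay protection that "disallow multiple uses" turns on. It uses the RFC 6238 test-vector secret (ASCII "12345678901234567890", shown base32-encoded as it would appear in ~/.google_authenticator); the names `totp` and `TotpVerifier` are mine, and HMAC-SHA1, 30-second steps and 6 digits are the module's defaults.

```python
# Added example: RFC 6238 TOTP plus a verifier modelling the PAM module's
# "increase time window" (skew) and "disallow multiple uses" (replay) prompts.
# Not from the page or the google-authenticator project.
import base64
import hashlib
import hmac
import struct
import time

STEP = 30    # seconds per time step (module default)
DIGITS = 6   # code length (module default)

# RFC 6238 test-vector secret "12345678901234567890", base32-encoded the way
# it is stored in ~/.google_authenticator and embedded in the QR code.
TEST_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def totp(secret_b32, unix_time, step=STEP, digits=DIGITS):
    """Return the TOTP code for the time step that contains unix_time."""
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)
    key = base64.b32decode(padded)
    counter = unix_time // step
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                       # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


class TotpVerifier:
    """Server-side check of a submitted code.

    skew: neighbouring time steps accepted on each side of the current one
          (what answering Yes to 'increase time window' enlarges).
    used_counters: time steps whose code was already accepted, so the same
          code cannot be submitted twice ('disallow multiple uses').
    """

    def __init__(self, secret_b32, skew=1, step=STEP):
        self.secret_b32 = secret_b32
        self.skew = skew
        self.step = step
        self.used_counters = set()

    def verify(self, code, now=None):
        now = int(time.time()) if now is None else now
        current = now // self.step
        for counter in range(current - self.skew, current + self.skew + 1):
            expected = totp(self.secret_b32, counter * self.step, self.step)
            if hmac.compare_digest(expected, code):
                if counter in self.used_counters:
                    return False          # correct code, but already spent: replay
                self.used_counters.add(counter)
                return True
        return False


if __name__ == "__main__":
    v = TotpVerifier(TEST_SECRET_B32, skew=1)
    code = totp(TEST_SECRET_B32, 59)                 # RFC 6238 vector: 287082
    print(code, v.verify(code, now=59), v.verify(code, now=59))
```

With skew=1 a code from the step just before or after the current one is still accepted, which is why the guide recommends leaving the window narrow unless the server's clock genuinely drifts; the replay set is what stops a shoulder-surfed code from being reused within that window.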
PAM Configuration
sudo nano /etc/pam.d/sshd
Add at the top:
auth required pam_google_authenticator.so nullok
nullok lets users without 2FA configured still log in. Remove it once all users have it set up.
Enable in sshd_config
ChallengeResponseAuthentication yes
AuthenticationMethods publickey,keyboard-interactive
sudo systemctl restart sshd
Connections now require both your SSH key and the 2FA code.
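A check worth running after the restart (or in a configuration audit) is to confirm that the two files actually say what this guide asks for. The following is an added example, not the guide's or the project's own tooling; the sample configs inside it are constructed. It encodes three facts that the guide does not spell out: sshd honours the first occurrence of a keyword, `UsePAM yes` must be in effect or the PAM module never runs, and OpenSSH 8.7 and later name the directive `KbdInteractiveAuthentication` while still accepting `ChallengeResponseAuthentication` as a deprecated alias. The function names are mine.

```python
# Added example: audit sshd_config and /etc/pam.d/sshd text for the 2FA settings
# this guide requires. Not from the page or the google-authenticator project.


def parse_sshd_global(text):
    """Return {keyword_lower: first_value} for the global section of sshd_config.

    Parsing stops at the first Match block: keywords inside it apply only to
    matching connections and need their own review.
    """
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        if key == "match":
            break
        conf.setdefault(key, value)       # first occurrence wins, as in sshd
    return conf


def check_sshd_config(text):
    """Return a list of problems; an empty list means key + TOTP is enforced."""
    conf = parse_sshd_global(text)
    problems = []
    if conf.get("usepam", "").lower() != "yes":
        problems.append("UsePAM must be yes or pam_google_authenticator never runs")
    kbd = conf.get("kbdinteractiveauthentication",
                   conf.get("challengeresponseauthentication", ""))
    if kbd.lower() != "yes":
        problems.append("ChallengeResponseAuthentication (KbdInteractiveAuthentication) must be yes")
    # AuthenticationMethods lists space-separated alternatives; each alternative is a
    # comma-separated set that must all succeed. Every alternative has to demand both
    # factors, otherwise a client simply picks the one without the TOTP prompt.
    alternatives = conf.get("authenticationmethods", "").split()
    if not alternatives:
        problems.append("AuthenticationMethods is not set; a key alone will log in")
    for alt in alternatives:
        methods = {m.split(":")[0] for m in alt.split(",")}   # 'keyboard-interactive:pam' -> 'keyboard-interactive'
        if not {"publickey", "keyboard-interactive"} <= methods:
            problems.append(f"AuthenticationMethods alternative '{alt}' does not require both key and 2FA")
    return problems


def check_pam_sshd(text):
    """Return problems with the pam_google_authenticator line in /etc/pam.d/sshd."""
    active = [l.strip() for l in text.splitlines()
              if l.strip() and not l.lstrip().startswith("#")]
    ga = [l for l in active if "pam_google_authenticator.so" in l]
    problems = []
    if not ga:
        problems.append("no active pam_google_authenticator.so line")
        return problems
    if not ga[0].startswith("auth"):
        problems.append("pam_google_authenticator.so must be in the auth stack")
    if any("nullok" in l for l in ga):
        problems.append("nullok present: users without ~/.google_authenticator skip 2FA")
    return problems


# Constructed samples (not real server configs).
GOOD_SSHD = """
UsePAM yes
KbdInteractiveAuthentication yes
PasswordAuthentication no
AuthenticationMethods publickey,keyboard-interactive:pam
Match User backup
    AuthenticationMethods publickey
"""
WEAK_SSHD = """
UsePAM yes
ChallengeResponseAuthentication yes
# the second alternative lets any key holder skip the TOTP prompt
AuthenticationMethods publickey,keyboard-interactive publickey
"""
GOOD_PAM = "# PAM config for sshd\nauth required pam_google_authenticator.so\n"
ROLLOUT_PAM = "auth required pam_google_authenticator.so nullok\n"

if __name__ == "__main__":
    for name, problems in (("good sshd", check_sshd_config(GOOD_SSHD)),
                           ("weak sshd", check_sshd_config(WEAK_SSHD)),
                           ("good pam", check_pam_sshd(GOOD_PAM)),
                           ("rollout pam", check_pam_sshd(ROLLOUT_PAM))):
        print(name, "OK" if not problems else problems)
```

Run it against the real files with `check_sshd_config(open("/etc/ssh/sshd_config").read())` and `check_pam_sshd(open("/etc/pam.d/sshd").read())`. The nullok finding is expected during rollout and should disappear once every user has enrolled, which is exactly the point at which the guide says to remove the option.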
Next Steps
Proceed to the Host-Based Authentication guide for automated server-to-server trust.