Check that you have OpenSSH 6.2 or newer. In my case, I was running Debian Wheezy (stable) and therefore had to upgrade the openssh-server package to testing. That was done through AptPreferences
I created this file:
/etc/apt/apt.conf and added this line
/etc/apt/sources.list and added
deb http://ftp.ie.debian.org/debian/ testing main
for apt-get to be able to fetch testing packages.
Now I could
$ sudo apt-get update
$ apt-get -t testing install openssh-server
$ ssh -V
OpenSSH_6.2p2 Debian-6, OpenSSL 1.0.1e 11 Feb 2013
Then I set up two-factor authentication with password and Google Authenticator in PAM. Follow this guide. Make sure it’s working before moving on.
The next thing is to genereate a key on your client
ssh-keygen and use
ssh-copy-id to push the public key fingerprint to the server.
Last step is to edit
/etc/ssh/sshd_config, set the following lines are as these, and add any missing ones:
/etc/init.d/ssh restart and test from client:
$ ssh user@server
Authenticated with partial success. <- public key
Verification code: <- google-authenticator
Password: <- password
I am thinking about removing the password authentication all together to reduce any cognitive load of memorising passwords.
If you found this useful, please upvote my answer on Superuser (Stack Overflow).