Howto remove Google authenticator from SSH logins

I have used Google Authenticator for quite some time now and I must say I like it. As shown in my earlier article on how to install the Google Authenticator app, it is pretty straightforward to install the second authentication factor.

But is it also easy to uninstall the feature? Yes it is.

Step 1:

In case something goes wrong, make sure that you (temporarily) have an alternative way to access your server. Think of console access or even (watch carefully) telnet access.

Step 2:

Disable ChallengeResponseAuthentication within your SSH configuration:

user@server:~$ sudo vi /etc/ssh/sshd_config

Change the value from yes to no:

ChallengeResponseAuthentication no

Save the changes.

Step 3:

Change your /etc/pam.d/sshd configuration:

user@server:~$ sudo vi /etc/pam.d/sshd

Remove or comment out the following line:

auth required pam_google_authenticator.so

Save the changes.

Step 4:

Remove the .google_authenticator file from the home directory of each user for whom you set up the Google Authenticator app.

user@server:~$ rm .google_authenticator

Step 5:

Restart the SSH daemon.

user@server:~$ sudo service ssh restart

That should be it!
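
To confirm that steps 2 to 4 took effect, the following added example (not part of the original post) checks the three places the procedure touches. The function names are illustrative and the sample files in `demo` are constructed.

```shell
#!/bin/sh
# Added example: audit that steps 2-4 took effect (function names illustrative).

# sshd uses the first uncommented occurrence of a keyword and matches keywords
# case-insensitively. Newer OpenSSH releases call this option
# KbdInteractiveAuthentication and keep the old name as an alias.
sshd_challenge_response() {
    awk 'tolower($1) == "challengeresponseauthentication" ||
         tolower($1) == "kbdinteractiveauthentication" {
             print tolower($2); found = 1; exit }
         END { if (!found) print "unset" }' "$1"
}

# Count active (uncommented) PAM lines that still load the module.
pam_google_count() {
    grep -cE '^[[:space:]]*[^#[:space:]].*pam_google_authenticator\.so' "$1" || true
}

# List per-user secret files left under a home-directory root.
leftover_secrets() {
    find "$1" -maxdepth 2 -type f -name .google_authenticator 2>/dev/null
}

# Returns 0 only when all three checks pass; prints one line per finding.
audit_removal() {
    status=0
    value=$(sshd_challenge_response "${1:-/etc/ssh/sshd_config}")
    [ "$value" = "no" ] || { echo "sshd: challenge-response is '$value'"; status=1; }
    count=$(pam_google_count "${2:-/etc/pam.d/sshd}")
    [ "$count" -eq 0 ] || { echo "pam: $count active module line(s)"; status=1; }
    left=$(leftover_secrets "${3:-/home}")
    [ -z "$left" ] || { echo "secret file(s) remain:"; echo "$left"; status=1; }
    return "$status"
}

# Constructed sample: a half-finished removal (PAM line and one secret remain).
demo() {
    d=$(mktemp -d) && mkdir -p "$d/home/alice"
    printf '%s\n' '#ChallengeResponseAuthentication yes' \
        'ChallengeResponseAuthentication no' > "$d/sshd_config"
    printf '%s\n' '@include common-auth' \
        'auth required pam_google_authenticator.so' > "$d/pam_sshd"
    : > "$d/home/alice/.google_authenticator"
    audit_removal "$d/sshd_config" "$d/pam_sshd" "$d/home"; rc=$?
    rm -rf "$d"
    return "$rc"
}
demo || echo "removal incomplete"
```

On a real server, replace the last line with a call to `audit_removal` run as root. It parses only the main files, so settings inside Include files or Match blocks, and home directories outside /home, are not covered.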

2 thoughts on “Howto remove Google authenticator from SSH logins”

  1. Step 5:

    `user@server:~$ sudo /etc/ssh/ssh restart`

    In the /etc/ssh directory there is no ssh binary to use, and if I recall correctly, there hasn’t ever been?

    I’ve always restarted SSH via: `sudo service ssh restart` (for Ubuntu). Posting a heads up, just in case others have run into this as well.

    Cheers!

  2. If I want to temporarily disable SSH 2FA (in order to transfer some accounts using the cpanel transfer tool) will using this method allow me to switch it back on when I am done without having to “resync” my authenticator app?

    In other words, if I turn it off using the method above can I then turn it back on without having to go through the whole google authenticator setup process again or will my old authenticator app continue to provide valid codes once I turn it back on?
