I used the Google authenticator for quite some time now and i must say i like it. As showed in my earlier article on how to install the Google authenticator app it is pretty straightforward to install the second authentication factor.
But is it also easy to uninstall the feature? Yes it is.
Step 1:
Make sure -in case something goes wrong- that you (temporarily) have alternative ways to access your server. Think of console access or even (watch carefully) telnet access.
Step 2:
Disable ChallengeResponseAuthentication within your SSH configuration:
user@server:~$ vi /etc/ssh/sshd_config
Change the value from yes to no
ChallengeResponseAuthentication no
Save the changes.
Step 3:
Change your /etc/pam.d/ssh configuration:
user@server:~$ vi /etc/pam.d/sshd
Remove or comment-out the following line:
auth required pam_google_authenticator.so
Save the changes.
Step 4:
Remove the .google_authenticator file from each of the home directories of users that you used the Google authenticator app for.
user@server:~$ rm .google_authenticator
Step 5:
Restart the SSH daemon.
user@server:~$ sudo /etc/ssh/ssh restart
That should be it!
Step 5:
`user@server:~$ sudo /etc/ssh/ssh restart`
In the /etc/ssh directory there is no ssh binary to use, and if I recall correctly, there hasn’t ever been?
I’ve always restarted SSH via: `sudo service ssh restart` (for Ubuntu). Posting a heads up, just in case others have run into this as well.
Cheers!
If I want to temporarily disable SSH 2FA (in order to transfer some accounts using the cpanel transfer tool) will using this method allow me to switch it back on when I am done without having to “resync” my authenticator app?
In other words, if I turn it off using the method above can I then turn it back on without having to go through the whole google authenticator setup process again or will my old authenticator app continue to provide valid codes once I turn it back on?