Linux uses PAM for user authentication, so look at
/etc/pam.d/common-auth, and you'll see the default unix password authentication library
To chain authentication libraries, set the last library to sufficient and all others to required.
Before we change the configuration, be sure to keep an active session, b/c you won't be able to login if you make some mistake.
Google Authenticatior PAM Library
On debian, install it with
sudo apt-get install libpam-google-authenticator -y
And add this:
auth sufficient pam_google_authenticator.so
pam_unix.so, and change the necessity of
The config will look like this:
# /etc/pam.d/common-auth auth required pam_unix.so nullok_secure auth sufficient pam_google_authenticator.so ...
google-authenticator to generate a TOTP token url, and you can use any authenticator app or program for it(I recommend
Try to login again(you can do a login with
ssh username@localhost), it should ask for an OTP after the password.