Following the excellent guide from MNX Solution I’ve got two-factor auth working on my desktop.
There’s a couple of things I thought worth noting that aren’t mentioned there.
1) You’ll need the PAM headers installed, and they aren’t by default.
$ sudo apt-get install libpam0g-dev
Then follow the instructions as given.
2) When you edit /etc/ssh/sshd_config you’ll need to set
RSAAuthentication no
PubkeyAuthentication no
to disable pub-key auth (at least for testing), since that will be tried before ChallengeResponse. For production use, enabling pub-key with a fallback to ChallengeResponse might be ideal.
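A check for the settings in 2), as an added example that is not from the original post or the MNX guide: it reads an sshd_config-style file and reports whether pub-key auth is really off while the PAM-backed prompt is on. The function names, the sample files, and the assumption that the setup relies on `ChallengeResponseAuthentication yes` and `UsePAM yes` are assumptions of this example.

```shell
#!/bin/sh
# Added example. sshd keeps the FIRST value it reads for a keyword, keywords
# are case-insensitive, and lines after a "Match" line are conditional.
# Assumes whitespace-separated "Keyword value" lines.
sshd_global_value() {   # usage: sshd_global_value FILE KEYWORD DEFAULT
    awk -v key="$2" -v def="$3" '
        /^[ \t]*#/ { next }                  # comment line
        tolower($1) == "match" { exit }      # global section ends here
        tolower($1) == tolower(key) { print tolower($2); found = 1; exit }
        END { if (!found) print def }        # fall back to the given default
    ' "$1"
}

# Succeeds only when pubkey cannot be tried ahead of the PAM-backed prompt.
# Defaults passed here are the upstream OpenSSH ones (assumption: unpatched).
check_2fa_test_config() {
    [ "$(sshd_global_value "$1" PubkeyAuthentication yes)" = "no" ] &&
    [ "$(sshd_global_value "$1" ChallengeResponseAuthentication yes)" = "yes" ] &&
    [ "$(sshd_global_value "$1" UsePAM no)" = "yes" ]
}

# Constructed sample configs (not taken from any real host).
sample_dir=$(mktemp -d)
printf '%s\n' 'UsePAM yes' 'ChallengeResponseAuthentication yes' \
    'RSAAuthentication no' 'PubkeyAuthentication no' > "$sample_dir/testing"
printf '%s\n' 'UsePAM yes' 'ChallengeResponseAuthentication yes' \
    '#PubkeyAuthentication no' > "$sample_dir/commented"
printf '%s\n' 'UsePAM yes' 'ChallengeResponseAuthentication yes' \
    'pubkeyauthentication yes' 'PubkeyAuthentication no' > "$sample_dir/shadowed"

for name in testing commented shadowed; do
    if check_2fa_test_config "$sample_dir/$name"; then
        echo "$name: pubkey off, challenge-response via PAM on"
    else
        echo "$name: pubkey may still be tried first, or PAM prompt is off"
    fi
done
```

On a live host, `sudo sshd -T` prints the effective values after sshd's own parsing, which is the authoritative check.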