Temporarily turn off SSH 2FA

maestroc

Well-Known Member
Aug 23, 2012
74
1
58
cPanel Access Level
Reseller Owner
This is probably a pretty easy/stupid question for those who have dealt with it but I'm always wary of screwing around with stuff that can lock me out of a server so I will ask it anyway...

I need to temporarily turn off SSH 2FA so that I can transfer some accounts using the WHM transfer tool.

If I go into sshd_config and set this:
ChallengeResponseAuthentication no

Plus go into pam.d/sshd and comment out the line:
auth required pam_google_authenticator.so nullok

I understand that that will disable 2FA for SSH. However, if once the transfer is completed if I reverse the process and turn those back on will my old code generator on my phone continue to work as it always did or will I have to "resync" it somehow in order to get valid codes?
 

cPanelLauren

Product Owner
Staff member
Nov 14, 2017
13,296
1,262
313
Houston
Hello,

This is a pretty good idea to have implemented though essentially this is why we use SSH Keys rather than password auth, but because this isn't related to cPanel software it's more of an OS level implementation. There are a ton of tutorials on how to do this including a great one from Digital Ocean here: How To Set Up Multi-Factor Authentication for SSH on CentOS 7 | DigitalOcean
 

maestroc

Well-Known Member
Aug 23, 2012
74
1
58
cPanel Access Level
Reseller Owner
I know how to turn it on. I also know how to turn it off. I've read through all the tutorials out there about this but none of them answer the basic question I was asking...

If I temporarily turn it off and then turn it back on do I have to set up my authenticator app all over again with a new code?