If you want paranoia hardening, you can add two-factor SSH using Google Authenticator. Not only would someone require your SSH key but also a time-based verification code.

Disclaimer: To help you not lock yourself out while setting this up:

- Maintain a separate root sshd connection (worst-case scenario lifeline).
- Add a temporary non-2FA admin/root access account.
- Do not restart the server; only restart the sshd service.
- Double-check your changes and do not foul up the context, or you might lock yourself out.
- Do not hold cPanel Inc or myself responsible for damages as a result of locking yourself out.

Step One - Install Dependencies

Depending on which operating system you're using:

CentOS: You'll have to compile google-authenticator to get the .so, so you'll need to google the instructions for that.

However, if you're running Ubuntu it's as easy as:

Code:
sudo apt-get install libpam-google-authenticator

libqrencode3 will be installed automatically and will allow you to use the camera of your phone to scan the QR code directly from the console.

Install Google Authenticator on your mobile device, and WinAuth on your desktop if you choose to have a backup.

Step Two - Edit the Configuration Files

To use the module you have to edit two configuration files.

Code:
nano /etc/pam.d/sshd

Add the following line at the top of the file:

Code:
auth required pam_google_authenticator.so

I had to use this entry; however, this will enforce requirements: SSH key and 2FA code only:

Code:
auth [success=done new_authtok_reqd=done default=die] pam_google_authenticator.so nullok

[success=done new_authtok_reqd=done default=die] means don't ask for a password; I had to have this, otherwise it wasn't asking for the verification code. "nullok" means that a user who has not set up google-authenticator on their account bypasses google-authenticator.
One more file to edit:

Code:
nano /etc/ssh/sshd_config

Find and change the following line:

Code:
ChallengeResponseAuthentication yes

Step Three - Activate the Two-Factor Authentication For a User

You can activate google-authenticator for the root user or any other user. Switch to the user who should use two-factor authentication and type in:

Code:
google-authenticator

You will be prompted to answer a few questions; answer the first two questions with yes (y):

Do you want authentication tokens to be time-based (y/n) y
Do you want me to update your "/home/USERNAME/.google_authenticator" file (y/n) y

You can answer the next questions according to your needs. You can use the Google Authenticator app to scan the QR code, or add the account using the secret key and the verification code. Do not forget to print out the emergency scratch codes and store them in a safe place!

Switch back to root and restart the SSH service. If you added two-factor authentication for the root user you can skip the next step.

Code:
sudo su root

Finally, restart the SSH service:

Code:
# CentOS
systemctl restart sshd
# Ubuntu
service sshd restart

Make sure you test both authentication failures and successes before closing your emergency lifeline connection. Once everything is working as expected, be sure to close your temporary admin account.

Time to break out the tin foil hats! You now have an ultra-secure SSH at a paranoia level. Just don't lose access to your phone.
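
The checks below are an added example, not part of the original post: a read-only script that confirms the two edits from Step Two are actually in effect before sshd is restarted. The function names are hypothetical, the sample files are constructed, and Match blocks in sshd_config are not evaluated.

```shell
#!/bin/sh
# Added example (hypothetical function names); Match blocks in sshd_config are ignored.

# First active auth-stack entry of a PAM service file ("@include" counts,
# because an included stack placed above the new line would run before it).
first_auth_line() {
    awk '$1 == "auth" || $1 == "-auth" || $1 == "@include" { print; exit }' "$1"
}

# True when pam_google_authenticator.so is the first auth entry.
pam_has_2fa_first() {
    first_auth_line "$1" | grep -q 'pam_google_authenticator\.so'
}

# True when that entry carries nullok (unenrolled users skip the code).
pam_allows_unenrolled() {
    first_auth_line "$1" | grep -Eq '[[:space:]]nullok([[:space:]]|$)'
}

# sshd uses the first value it reads for a keyword, so only the first uncommented
# occurrence counts. KbdInteractiveAuthentication is the newer OpenSSH name.
sshd_challenge_enabled() {
    awk 'BEGIN { rc = 1 }
         tolower($1) == "challengeresponseauthentication" ||
         tolower($1) == "kbdinteractiveauthentication" {
             if (tolower($2) == "yes") rc = 0
             exit
         }
         END { exit rc }' "$1"
}

# Run all checks; returns 0 only if both required edits are in effect.
check_2fa_config() {
    rc=0
    pam_has_2fa_first "$1" || { echo "FAIL: $1: first auth entry is not pam_google_authenticator.so"; rc=1; }
    sshd_challenge_enabled "$2" || { echo "FAIL: $2: ChallengeResponseAuthentication is not yes"; rc=1; }
    pam_allows_unenrolled "$1" && echo "NOTE: nullok is set; accounts without ~/.google_authenticator skip the code"
    return "$rc"
}

# Constructed sample files (not taken from a real host).
demo=$(mktemp -d)
printf '%s\n' '# PAM configuration for sshd' \
  'auth [success=done new_authtok_reqd=done default=die] pam_google_authenticator.so nullok' \
  '@include common-auth' > "$demo/pam_sshd"
printf '%s\n' '#ChallengeResponseAuthentication no' 'ChallengeResponseAuthentication yes' > "$demo/sshd_config"
check_2fa_config "$demo/pam_sshd" "$demo/sshd_config" && echo "OK: both edits in place"
```

On a real host, call check_2fa_config with /etc/pam.d/sshd and /etc/ssh/sshd_config, and run sshd -t as well to catch syntax errors before restarting the service.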