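This procedure was verified on a Raspberry Pi and on a Tencent Cloud host, both running Debian 10.
1. Install Google Authenticator and run it. Answer y to every prompt, then scan the QR code printed in the terminal with the authenticator app on your phone.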
sudo apt-get install libpam-google-authenticator
google-authenticator
2. Edit the PAM configuration
sudo nano /etc/pam.d/sshd
Comment out this line:
#@include common-auth
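Add the following at the very top. The access-local file lets hosts on the internal network skip two-factor verification.
auth [success=1 default=ignore] pam_access.so accessfile=/etc/security/access-local.conf
# required, not optional: PAM ignores the failure of an optional module, and
# pam_permit.so below would then accept a wrong code. nullok lets users without
# a ~/.google_authenticator file log in without a code.
auth required pam_google_authenticator.so nullok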
auth required pam_permit.so
auth optional pam_cap.so
3. Edit the access-local file
sudo nano /etc/security/access-local.conf
#localhost doesn't need two step verification
+ : ALL : 192.168.1.0/24
+ : ALL : LOCAL
+ : ALL : 10.0.0.0/8
# A specific IP address can also be given
+ : ALL : 172.16.0.0/12
#All other hosts need two step verification
- : ALL : ALL
4. Edit the ssh configuration
sudo nano /etc/ssh/sshd_config
# Change these settings
PermitRootLogin no
PasswordAuthentication no
ChallengeResponseAuthentication yes
UsePAM yes
# Append at the end
AuthenticationMethods publickey,keyboard-interactive
5. Restart ssh
sudo service ssh restart
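
To audit which source addresses the rules from step 3 exempt from the TOTP prompt, the following added example (not part of the original article) evaluates the access list first-match the way pam_access does. It is a simplified model: the user name "pi" and the sample addresses are constructed, LOCAL is assumed never to match a remote SSH address, and host names, groups and EXCEPT are not handled.

```python
import ipaddress

# Constructed copy of the access-local.conf rules from step 3.
ACCESS_LOCAL = """\
+ : ALL : 192.168.1.0/24
+ : ALL : LOCAL
+ : ALL : 10.0.0.0/8
+ : ALL : 172.16.0.0/12
- : ALL : ALL
"""

def parse_rules(text):
    """Return (permit, users, origins) tuples in file order."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        perm, users, origins = (f.strip() for f in line.split(":", 2))
        rules.append((perm == "+", users.split(), origins.split()))
    return rules

def origin_matches(token, rhost):
    if token == "ALL":
        return True
    if token == "LOCAL":
        return False  # assumption: an SSH login with a remote address is not LOCAL
    try:
        return ipaddress.ip_address(rhost) in ipaddress.ip_network(token, strict=False)
    except ValueError:
        return False  # host names and netgroups are not modelled

def totp_skipped(rhost, user="pi", rules=None):
    """True when pam_access succeeds, so [success=1] jumps over the TOTP module."""
    for permit, users, origins in rules or parse_rules(ACCESS_LOCAL):
        if ("ALL" in users or user in users) and any(
                origin_matches(t, rhost) for t in origins):
            return permit  # first matching rule decides
    return True  # pam_access grants access when no rule matches

if __name__ == "__main__":
    # Constructed sample source addresses (203.0.113.0/24 is a documentation range).
    for ip in ("192.168.1.20", "10.45.3.7", "172.20.0.9", "203.0.113.50"):
        print(ip, "TOTP skipped" if totp_skipped(ip) else "TOTP required")
```

Every address in 10.0.0.0/8 and 172.16.0.0/12 skips the code, which on a cloud host can include other machines in the same private network. Without the final `- : ALL : ALL` line, every address would skip it.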