Using Authy for SSH Access on Linux — How to Fix “Could Not Generate Token” During PAM Integration

SSH is great. It lets you log into your Linux machine from anywhere. But what if you want to make it more secure? Two-factor authentication (2FA) adds an extra layer of protection. One cool way to do that is using Authy along with PAM (Pluggable Authentication Modules). Sounds fancy, right? But it’s not that hard.

So you set things up… and then bam — you see an error: “Could not generate token.” What’s going on? Don’t panic. We’re going to fix it, step by step. And we’ll have fun doing it!

TLDR:

  • Authy can be used for 2FA for your SSH logins using PAM.
  • If you get a “Could not generate token” error, it’s usually due to missing environment variables, bad permissions, or a misbehaving PAM config.
  • We’ll walk you through installing, configuring, and fixing this error the fun and easy way.

What Is Authy and Why Use It?

Authy is a 2FA app. It helps protect your logins. You get a code on your phone, and you use that after your usual SSH password. Even if someone has your password, they can’t get in without your phone. Magic!

You can integrate Authy into your Linux login process using PAM. That means it becomes part of how Linux checks who you are when you log in via SSH. Sounds cool? It is.

Installing the Authy PAM Module

Authy no longer publicly maintains a native PAM module of its own. But good news! There are community tools, and you can also use the older authy-pam module for test purposes. Please note: use with caution in production environments.

  1. First, download the PAM Authy module from GitHub or a trusted mirror.
  2. Follow the installation instructions — usually it involves running a script like install.sh.
  3. Register your system with Authy using their API key. You’ll get this from your Authy developer dashboard.

Done? Nice. Now let’s hook it into SSH.

Hooking Authy into PAM

To start using Authy for SSH, you’ll edit the PAM config for SSH. This is usually at:

/etc/pam.d/sshd

Add this line at the top:

auth required pam_authy.so

Then, restart SSH (keep your current session open until you have confirmed that a new login works):

sudo systemctl restart sshd

Now when you SSH in, Authy will ask you for a token from your phone. Sweet!

Oops — “Could Not Generate Token”

Suddenly, Authy isn’t working. You’re being told: “Could not generate token”. What gives?

This error generally means the PAM module can’t contact the Authy API. It can’t authenticate you with Authy. There are several reasons this can happen:

  • Authy ID not found for the user trying to log in
  • Missing environment variables (like API key)
  • Incorrect permissions on config or log files
  • No internet connectivity or firewall blocking API access

Let’s Fix It One Step at a Time

1. Check Your API Key

The Authy PAM module needs your Authy API key to talk to the service. Make sure this key is correct and accessible by PAM. Usually it’s placed in:

/etc/authy/api.key

Lock the file down so only root can read it:

sudo chmod 600 /etc/authy/api.key
sudo chown root:root /etc/authy/api.key

Restart SSH after any changes.

2. Ensure Your Users Have Authy IDs

Each Linux user that logs in must be registered with Authy. This means they need an Authy ID in:

/etc/authy/users/username

If the file is missing — you guessed it — Authy won’t know what to do. Create it using:

echo '<AUTHY_ID>' | sudo tee /etc/authy/users/username

Replace <AUTHY_ID> with the ID the Authy API returns after you register the user programmatically or through your portal.

3. Check Internet Access

Authy needs to reach out to an API server. If your SSH server has no internet access or DNS issues, you won’t get a token.

  • Try curl https://api.authy.com
  • Check /var/log/auth.log for errors

If you see timeouts, check your /etc/resolv.conf and any firewall rules.

4. Log Everything!

To find out more, increase logging. In /etc/pam.d/sshd, modify the line to:

auth required pam_authy.so debug

This outputs debug info to /var/log/auth.log or /var/log/secure, depending on your distro.

Look for lines about missing IDs or permission issues. They’re usually pretty clear.

5. Ensure PAM’s Environment Loads Correctly

Some PAM modules don’t pass environment variables by default. If Authy is expecting environment variables to be set (like a proxy or certificate location), PAM may not provide them.

Try setting them in /etc/environment or a script that sets them system-wide on boot.
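
Steps 1 to 3 above can be scripted as a preflight check. This is an added example, not part of the Authy PAM module: AUTHY_DIR and the function names are assumptions, and the file layout is the one this article uses.

```bash
#!/bin/bash
# Added example: preflight for the "Could not generate token" causes above.
# AUTHY_DIR and the function names are assumptions; file layout is the article's.
AUTHY_DIR="${AUTHY_DIR:-/etc/authy}"

# API key: present, non-empty, mode 600, owned by the expected uid (root = 0).
check_key_file() {
    local f="$1" want_uid="${2:-0}" mode uid
    [ -s "$f" ] || { echo "FAIL: $f is missing or empty"; return 1; }
    mode=$(stat -c '%a' "$f") && uid=$(stat -c '%u' "$f") || return 1
    [ "$mode" = 600 ] || { echo "FAIL: $f has mode $mode, expected 600"; return 1; }
    [ "$uid" = "$want_uid" ] || { echo "FAIL: $f is owned by uid $uid"; return 1; }
    echo "OK: $f"
}

# Per-user file: must exist and hold only digits (Authy IDs are numeric).
check_user_id() {
    local f="$1" id
    [ -r "$f" ] || { echo "FAIL: no readable Authy ID file at $f"; return 1; }
    id=$(tr -d '[:space:]' < "$f")
    case "$id" in
        ''|*[!0-9]*) echo "FAIL: $f does not contain a numeric ID"; return 1 ;;
    esac
    echo "OK: $f"
}

# Network: any HTTP response within 5 s means DNS, routing and TLS all work.
check_api() {
    if curl -sS -o /dev/null --max-time 5 "${1:-https://api.authy.com}"; then
        echo "OK: API endpoint reachable"
    else
        echo "FAIL: cannot reach the API (check DNS and firewall)"; return 1
    fi
}

# Run every check for one user; report all failures, not just the first.
preflight() {
    local rc=0
    check_key_file "$AUTHY_DIR/api.key" || rc=1
    check_user_id "$AUTHY_DIR/users/$1" || rc=1
    check_api || rc=1
    return "$rc"
}

if [ "$#" -ge 1 ]; then preflight "$1"; fi
```

Run it with sudo and the username as the only argument so it can read the key file; it prints one OK or FAIL line per check and exits non-zero if any check fails.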

Still Stuck?

If you’ve tried everything and still get the error, try running pam_authy_test from the command line to manually test the module:

sudo /usr/sbin/pam_authy_test username

This gives more info and often points right at the issue. Be sure to replace “username” with the actual one.

Tips to Avoid Future Problems

  • Keep your Authy PAM module up to date (if you’re using a custom version).
  • Rotate API keys safely and test each one before switching live systems.
  • Monitor your logs regularly with tools like Fail2Ban or syslog watchers.
  • Keep a backup SSH access method (like a VPN tunnel or hardware console) in case 2FA breaks.

Bonus: Friendly Script to Register New Users

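If you’re adding lots of users, here’s a simple shell script:

#!/bin/bash
# Register a Linux user with an Authy ID (writes /etc/authy/users/<username>).
read -r -p "Enter username: " username
read -r -p "Enter Authy ID: " authyid
# Reject input that is not a plain account name or a numeric ID, so it
# cannot escape /etc/authy/users when the file is written with sudo.
[[ "$username" =~ ^[A-Za-z0-9_][A-Za-z0-9._-]*$ ]] || { echo "Invalid username" >&2; exit 1; }
[[ "$authyid" =~ ^[0-9]+$ ]] || { echo "Invalid Authy ID" >&2; exit 1; }
sudo mkdir -p /etc/authy/users
echo "$authyid" | sudo tee "/etc/authy/users/$username"
echo "User $username registered with Authy!"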

Wrap Up

Adding Authy to your SSH login boosts security a lot. PAM integration makes it seamless. If you ever see that “Could not generate token” message, you now know what to check.

Just remember:

  • Make sure the authentication is correctly set up
  • Confirm each user has an Authy ID linked
  • Check logs and permissions if things go wrong

Now your SSH is not just secure — it’s Authy-secure!

Happy securing!