The problem with PAM based 2FA:
  • PAM does not get called when the SSH daemon does key based authentication. So your 2FA there only works with password authentication. This might be something you want but maybe not.
  • A PAM module based solution to 2FA is harder to implement
The solution: Poor man’s 2FA!

It is possible to add the ForceCommand directive to your sshd_config. Like the name suggests it simply runs a command after authentication and before the shell is spawned. This is a good spot to add an extra check, say another factor for authentication.

The code:
#!/bin/bash
trap "echo "I'm sorry Dave. I'm afraid I can't do that."; sleep 1 ; kill -9 $PPID ; exit 1" 2 20
code=`od -a -A n /dev/urandom | head -2 | tr -d ' ' | tr -d 'n' | sed 's/[^a-zA-Z0-9]//g' | awk '{print substr($0,1,5)}'`
echo -e "Subject:$code\nFrom:root@server <root@server.com>\n2FA code in subject" | sendmail phone_number@carrier.com
read input
if [ $code = $input ];
then
    `awk -F: '($1 == $LOGNAME) { print $7 }' /etc/passwd`
else
kill -9 $PPID
fi

That’s it really, save this to an executable file, replace the obvious variables and ForceCommand its ass.