I added two-factor authentication on my Jolla, to require username/token/password for connecting thru SSH to the device.

Since I was asked how I did this, I post this instruction page

Firstly, I compiled the 'pam-google-authenticator' code from github to be able to use the pam_google_authenticator.so library to accomplish this. The resulting library, and google-athenticator binary (to generate the secret key on device). It is published on my merproject page, so you will need to add this repository.

As you can guess from above, PAM is used for authenticating this way, so a few changes to sshd_config and pam files are needed (described below).

Now, the instructions, they are quite straight-forward, so I dont think they will cause much confusion

First, on device:

become root:
Add my repository:
Install google-authenticator and PAM libs
Create Google Authenticator, secret keys for user nemo
Follow on-screen-instructions:

Do you want authentication tokens to be time-based (y/n) y
https://www.google.com/chart?chs=200...%26issuer%3Dxx
Your new secret key is: 2C3IHASRPY3PHHGAAF5
Your verification code is 312471
Your emergency scratch codes are:
12345670
12345671
12345672
12345673
12345674

Do you want me to update your "/home/nemo/.google_authenticator" file (y/n) y

Do you want to disallow multiple uses of the same authentication
token? This restricts you to one login about every 30s, but it increases
your chances to notice or even prevent man-in-the-middle attacks (y/n) Do you want to disallow multiple uses of the same authentication
token? This restricts you to one login about every 30s, but it increases
your chances to notice or even prevent man-in-the-middle attacks (y/n) y

By default, tokens are good for 30 seconds and in order to compensate for
possible time-skew between the client and the server, we allow an extra
token before and after the current time. If you experience problems with poor
time synchronization, you can increase the window from its default
size of 1:30min to about 4min. Do you want to do so (y/n) n

If the computer that you are logging into isn't hardened against brute-force
login attempts, you can enable rate-limiting for the authentication module.
By default, this limits attackers to no more than 3 login attempts every 30s.
Do you want to enable rate-limiting (y/n) y

Take a note of the secret key 2C3IHASRPY3PHHGAAF5
This is what you need to enter in the Google Authenticator application of your choise

Now, change the configuration files for sshd
become root:
add (or change) lines:
ChallengeResponseAuthentication yes
UsePAM yes

add (or change) lines:
auth required /usr/lib/security/pam_google_authenticator.so

To test connection with two-factor authentication, restart sshd and terminate connection:
(will exit you current SSH connection)

Now, on laptop:

Anser login questions

Verification code: <Google Authenticator code>
Password: <password>

Last login: Sun Apr 26 14:01:11 2015 from x.x.x.x
,---
| SailfishOS 1.1.4.28 (Äijänpäivänjärvi) (armv7hl)
'---
[nemo@Jolla ~]$

Done!

Reads straight-forward.
Just missed another devel-su before nano /etc/ssh/sshd_config

Added. Thanks