Set server up so user can log in with an ssh key or Google authenticator (won't need both).
If a user doesn't have key access setup they'll have to use Google Authenticator, they won't be able to log in with a password
The user still needs to type the password to log into cockpit
/etc/ssh/sshd_config
ChallengeResponseAuthentication yes
# Uncomment this to force google authenticator AND a public key
#AuthenticationMethods publickey,keyboard-interactive
/etc/pam.d/cockpit
# google authenticator for two-factor
auth required pam_google_authenticator.so secret=/home/${USER}/.ssh/.google_authenticator
/etc/pam.d/sshd
#Commented out to not allow passwords
#auth substack password-auth
# Use Google authenticator for login
auth required pam_google_authenticator.so nullok secret=/home/${USER}/.ssh/.google_authenticator
To setup a user with Google Authenticator make sure to use the -s option
google-authenticator -s /home/test/.ssh/.google_authenticator