diff --git a/initializers/2fa/configs/sshd-2fa-config b/initializers/2fa/configs/sshd-2fa-config
new file mode 100644
index 0000000..152b912
--- /dev/null
+++ b/initializers/2fa/configs/sshd-2fa-config
@@ -0,0 +1,11 @@
+# KNEL SSH 2FA Configuration Additions
+# These settings enable two-factor authentication with SSH keys
+
+# Enable challenge-response authentication for 2FA
+ChallengeResponseAuthentication yes
+
+# Enable PAM
+UsePAM yes
+
+# Require both publickey AND keyboard-interactive (2FA)
+AuthenticationMethods publickey,keyboard-interactive
diff --git a/initializers/2fa/configs/sshd-pam b/initializers/2fa/configs/sshd-pam
new file mode 100644
index 0000000..0f30b8e
--- /dev/null
+++ b/initializers/2fa/configs/sshd-pam
@@ -0,0 +1,32 @@
+# PAM configuration for SSH with 2FA
+# Standard Un*x authentication
+@include common-auth
+
+# Google Authenticator 2FA
+auth required pam_google_authenticator.so nullok
+
+# Standard Un*x authorization
+@include common-account
+
+# SELinux needs to be the first session rule
+session required pam_selinux.so close
+session required pam_loginuid.so
+
+# Standard Un*x session setup and teardown
+@include common-session
+
+# Print the message of the day upon successful login
+session optional pam_motd.so motd=/run/motd.dynamic
+session optional pam_motd.so noupdate
+
+# Print the status of the user's mailbox upon successful login
+session optional pam_mail.so standard noenv
+
+# Set up user limits from /etc/security/limits.conf
+session required pam_limits.so
+
+# SELinux needs to intervene at login time
+session required pam_selinux.so open
+
+# Standard Un*x password updating
+@include common-password
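Review bot: The three directives in the sshd-2fa-config hunk only take effect if sshd reads them before any earlier occurrence of the same keyword, because sshd_config keeps the first value it sees; the file calls itself "Additions", and if it is appended to a stock sshd_config that already contains `ChallengeResponseAuthentication no` or `KbdInteractiveAuthentication no`, the second factor stays silently disabled while `AuthenticationMethods` still looks configured. State the ordering requirement in the header, e.g. `# Must be loaded ahead of the distribution defaults (Include from sshd_config.d, or placed above them) - sshd uses the first value of each keyword`, and have whatever installs this file confirm the effective values with `sshd -T` before restarting the daemon. Note also that `ChallengeResponseAuthentication` is the legacy alias for `KbdInteractiveAuthentication` in current OpenSSH; it is still accepted, but a comment saying so will save the next reader from wondering which keyword the running version honours.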
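Review bot: The `nullok` argument on the `auth required pam_google_authenticator.so nullok` line in the sshd-pam hunk lets any account that has no `~/.google_authenticator` file pass the keyboard-interactive step with only the common-auth password, so until every user has enrolled the effective policy is key+password rather than key+TOTP, and a newly created or never-enrolled account is never prompted for a code. If that is a deliberate enrollment window, say so next to the line, e.g. `# nullok: accounts without ~/.google_authenticator skip the TOTP step - remove once all users are enrolled`, and track its removal; otherwise drop `nullok` so unenrolled accounts are refused rather than quietly downgraded. The remainder of the stack mirrors the stock Debian sshd PAM file and raises nothing further.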