How To Setup Two-Factor Authentication (2FA) for SSH on CentOS 6 using Google Authenticator

Published on: Mon, Sep 21, 2015 at 7:08 pm EST
CentOS Linux Guides Security

After changing your SSH port, configuring port knocking, and making other tweaks for SSH security, there is perhaps one more way that you can protect your server; using two-factor authentication. With two factor authentication (2FA), a person would require your mobile device to access your SSH server. This can be useful to protect against all brute forcing attacks, and unauthorized login attempts.

In this tutorial, I will explain how to configure 2FA on your CentOS 6 server with SSH and Google Authenticator.

Step 1: Installing the required packages

The package "google-authenticator" exists in the default repository for CentOS. Run the following command as the root user to install it.

yum install pam pam-devel google-authenticator

Now that you have this installed on your server, you'll need to install the "Google Authenticator" app on your mobile device.

After you install that, keep your mobile device readily available, because we still need to configure 2FA.

Step 2: Configuring the software

First, login via SSH as the user you wish to secure.

Execute the following command:

 google-authenticator

Hit "y" at the first message, where it asks you if you would like to update the ./google_authenticator file. When it prompts you to disallow multiple uses, hit "y" again so that another user can't use your code. For the rest of the options, hit "y", as they all improve the effectiveness of this software.

Great! Make sure you copy down the secret key, and the emergency scratch codes on a piece of paper.

Now, we need to configure PAM to use 2FA.

For this article, I'll be using nano as the preferred text editor. Execute the following command as root.

nano /etc/pam.d/sshd

Add the following line to the top of the file.

 auth required pam_google_authenticator.so 

Save, then close the editor.

Next, configure the SSH daemon to use 2FA.

nano /etc/ssh/sshd_config

Find the line that resembles "ChallengeResponseAuthentication no", and change "no" to "yes".

Restart the SSH server:

service sshd restart

Step 3: Configuring Google Authenticator on your mobile device

To configure this software, we need to add the secret key into it. Find the "manually enter key" option, and tap that. Input the secret key you wrote down earlier, and save. A code will now pop up, and will refresh every so often. You'll need this to logon to the SSH server from now on.

Conclusion

The purpose of two factor authentication is to improve the security of your server. Since no one else will have access to your mobile device, they won't be able to figure out the code to login to your server.

Other versions

Want to contribute ?

You could earn up to $300 by adding new articles