Secure SSH with Google Authenticator – Two-Factor Authentication – CentOS 7

This tutorial is for CentOS 7 servers.

 

Step 1: First, we need to add the EPEL (Extra Packages for Enterprise Linux) repo.

sudo yum install https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm

 

To secure your SSH login with Google Authenticator, your server needs to be set up to authenticate with the one-time password protocol that Google Authenticator uses, known as TOTP (time-based one-time password). Once this has been configured, you will need your mobile device handy every time you log in to your server.

Step 2: We will need to install the open source Google Authenticator PAM module by typing in the following command on the SSH prompt.

yum install google-authenticator

 

Step 3: Google Authenticator is now installed. Next, you need to get the verification code so you can set it up with your mobile device. Please enter the following command:

google-authenticator

 

Step 4: You will get output like the below. It is critical that you write these codes down somewhere safe: each code can only be used once, and they’re intended for use if you lose your phone.

[Screenshot: google-authenticator output with QR code]

 

Step 5: Download the Google Authenticator application on your mobile phone. The app exists for Android and iPhone; I will be using iPhone for this tutorial. Just search for Google Authenticator.

Step 6: Now we will change some configuration. Use your favourite editor; I will be using vi. Open /etc/pam.d/sshd and add the following line to the bottom of the file:

auth required pam_google_authenticator.so

Step 7: Change the next file, which is /etc/ssh/sshd_config. Add the following line to the file, or if it is already present, change the parameter to “yes”:

ChallengeResponseAuthentication yes

Step 8: Now restart the SSH service:

service sshd restart

Step 9: The last step is to test Google Authenticator. You can see the screenshot below. Open your Google Authenticator app when SSH asks for the verification code.

[Screenshot: SSH login prompting for the Google Authenticator verification code]
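Before restarting sshd in Step 8, the edits from Steps 6 and 7 can be verified with a small script such as the following. It is an added example, not part of the original tutorial. The function names are hypothetical, the sample files are constructed, and the UsePAM check is an assumption beyond the page (sshd only consults the PAM stack when UsePAM is yes).

```shell
#!/bin/sh
# Added example: audits the files edited in Steps 6 and 7.

# True if an uncommented auth line loads pam_google_authenticator.so.
pam_has_totp() {
    grep -Eq '^[[:space:]]*auth[[:space:]]+[^#]*pam_google_authenticator\.so' "$1"
}

# Print the effective value of a global sshd_config keyword, lower-cased.
# sshd uses the FIRST occurrence of a keyword, so a "yes" appended below an
# existing "no" has no effect. Assumes whitespace-separated keyword and value.
sshd_value() {
    awk -v key="$2" '
        $1 ~ /^#/              { next }   # comment line
        tolower($1) == "match" { exit }   # global section ends here
        tolower($1) == tolower(key) { print tolower($2); exit }
    ' "$1"
}

# Report one keyword; returns non-zero unless it is explicitly set to "yes".
expect_yes() {
    val=$(sshd_value "$1" "$2")
    if [ "$val" = "yes" ]; then echo "OK   $2 yes"; return 0; fi
    echo "FAIL $2 is '${val:-unset}' (first occurrence wins)"; return 1
}

check_ssh_2fa() {
    pam_file=${1:-/etc/pam.d/sshd}
    sshd_file=${2:-/etc/ssh/sshd_config}
    rc=0
    if pam_has_totp "$pam_file"; then
        echo "OK   $pam_file loads pam_google_authenticator.so"
    else
        echo "FAIL $pam_file has no active pam_google_authenticator.so line"; rc=1
    fi
    expect_yes "$sshd_file" ChallengeResponseAuthentication || rc=1
    # Assumption beyond the page: sshd only consults PAM when UsePAM is yes.
    expect_yes "$sshd_file" UsePAM || rc=1
    return "$rc"
}

# Demo on constructed files: the "yes" was appended below a leftover "no".
demo=$(mktemp -d)
printf 'auth required pam_google_authenticator.so\n' > "$demo/pam"
printf 'UsePAM yes\nChallengeResponseAuthentication no\nChallengeResponseAuthentication yes\n' > "$demo/sshd"
check_ssh_2fa "$demo/pam" "$demo/sshd" || echo "=> fix before restarting sshd"
rm -rf "$demo"
```

On the server, call `check_ssh_2fa` with no arguments to read /etc/pam.d/sshd and /etc/ssh/sshd_config, and run `sshd -t` to catch syntax errors. Keep your current SSH session open and test the login from a second terminal.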