Secure SSH with Google Authenticator – Two-Factor Authentication – CentOS 7
This tutorial is for CentOS 7 servers.
Step 1: First, add the EPEL (Extra Packages for Enterprise Linux) repo.
sudo yum install https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm
To secure your SSH login with Google Authenticator, your server needs to be set up to authenticate logins with the one-time password protocol that Google Authenticator uses, which is known as TOTP (time-based one-time password). Once this has been configured, you will need your mobile device handy every time you log in to your server.
Step 2: Install the open-source Google Authenticator PAM module by typing the following command at the SSH prompt.
yum install google-authenticator
Step 3: This will now install the Google Authenticator. You will now need to get the verification code so you can set it up with your mobile device. Please enter the following command:
Step 4: You will get output like the below. It is critical that you write these codes down somewhere safe; each code can only be used once, and they’re intended for use if you lose your phone.
Step 5: Download the Google Authenticator application on your mobile phone. The app exists for Android and iPhone; I will be using iPhone for this tutorial. Just search for Google Authenticator.
Step 6: Now we will change some configuration; use your favourite editor (I will be using vi). Open /etc/pam.d/sshd and add the following line to the bottom of the file:
auth required pam_google_authenticator.so
Step 7: The next file to change is /etc/ssh/sshd_config. Add the following line to the file, or if it is already present, change the parameter to “yes”:
Step 8: Now restart the SSH service:
service sshd restart
Step 9: The last step is to test Google Authenticator. See the screenshot below. When you SSH in and are asked for the verification code, open your Google Authenticator app.
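A check for the files edited in Steps 6 and 7, added here as an example and not part of the original tutorial. It assumes the Step 7 directive is OpenSSH's ChallengeResponseAuthentication used together with UsePAM (the page does not show that line); the function names are hypothetical.

```shell
#!/bin/sh
# Added example: audit the files edited in Steps 6 and 7 before trusting the setup.
# Assumption: the Step 7 directive is OpenSSH's ChallengeResponseAuthentication
# (used together with UsePAM); the page does not show that line.

# Print the global value sshd will use for a keyword. sshd takes the FIRST
# occurrence, ignores keyword case, and treats lines after "Match" as conditional.
sshd_first_value() {  # usage: sshd_first_value KEYWORD SSHD_CONFIG
  awk -v kw="$1" '
    $1 ~ /^#/ { next }
    { k = tolower($1) }
    k == "match" { exit }
    k == tolower(kw) { print tolower($2); exit }
  ' "$2"
}

# Succeed if an uncommented auth line loads pam_google_authenticator.so.
pam_has_totp() {      # usage: pam_has_totp PAM_FILE
  grep -Eq '^[[:space:]]*auth[[:space:]]+[^#]*pam_google_authenticator\.so' "$1"
}

# Return 0 only if both files are set so that sshd asks for the code.
# An unset keyword is reported as a failure so the setting is explicit.
check_ssh_2fa() {     # usage: check_ssh_2fa PAM_FILE SSHD_CONFIG
  rc=0
  pam_has_totp "$1" || { echo "FAIL: no active pam_google_authenticator.so auth line in $1"; rc=1; }
  for kw in ChallengeResponseAuthentication UsePAM; do
    val=$(sshd_first_value "$kw" "$2")
    [ "$val" = "yes" ] || { echo "FAIL: $kw is '${val:-unset}' in $2"; rc=1; }
  done
  return "$rc"
}

# Demo on constructed sample files: "yes" appended below an existing "no"
# is shadowed, so sshd would never prompt for the verification code.
demo() {
  d=$(mktemp -d)
  printf 'auth required pam_google_authenticator.so\n' > "$d/pam_sshd"
  printf 'UsePAM yes\nChallengeResponseAuthentication no\nChallengeResponseAuthentication yes\n' > "$d/sshd_config"
  check_ssh_2fa "$d/pam_sshd" "$d/sshd_config"
  status=$?
  rm -rf "$d"
  return "$status"
}

# With two arguments, audit real files; otherwise run the demo.
if [ "$#" -eq 2 ]; then check_ssh_2fa "$1" "$2" && echo "OK"; else demo || true; fi
```

On the server, run it as root with /etc/pam.d/sshd and /etc/ssh/sshd_config as the two arguments. Keep an existing SSH session open until a fresh login has been tested.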