Secure SSH with Google Authenticator Two-Factor Authentication on CentOS 7

On this page

  1. Links

SSH access is always critical and you might want to find ways to improve the security of your SSH access. In this article we will see how we can secure SSH with simple two factor authentication by using Google Authenticator. Before using it you have to integrate the SSH daemon on your server with Google Authenticator one time password protocol TOTP and another restriction is that you must have your android phone with you all the time or at least the time you want SSH access. This tutorials is written for CentOS 7.

First of all we will install the open source Google Authenticator PAM module by executing the following command on the shell.

 yum install google-authenticator

This command will install Google authenticator on you Centos 7 Server. The next step is to get the verification code. It's a very simple command to get the verification code and scratch codes by just answering simple questions of server which he will ask you. You can do that step by running the following command:

 google-authenticator

You will get an output like the following screenshot which is being displayed to help you step by step as this step is very important and crucial. Write down the emergency scratch codes somewhere safe, they can only be used one time each, and they're intended for use if you lose your phone.

Now download Google authenticator application on your Mobile phone, the app exists for Android and Iphone. Well I have Android so I will download it from Google Play Store where I searched it out just by typing "google authenticator".

The next step is to change some files which we will start by first changing /etc/pam.d/sshd. Add the following line to the bottom of line:

 auth required pam_google_authenticator.so

Change the next file which is /etc/ssh/sshd_config. Add the following line in the file and if its already placed then change the parameter to "yes":

 ChallengeResponseAuthentication yes

Now restart the service of ssh by the following command:

 service sshd restart

Last step is to test the service by connecting with SSH to the server to see if it will require verification code. You can see the following screenshot which shows the verification code that keeps on changing time after time and you have to login with it:

So we have successfully configured SSH authentication based on Google Authenticator. Now your SSH is secure and no brute attack can invade your server unless someone has your verification code which will require access to your phone as well.

Share this page:

Suggested articles

11 Comment(s)

Add comment

Comments

By: anabela
Reply  

google and security in one sentence...something is wrong here.

By: Denver
Reply  

What provides the google-authenticator package? I get this:

[[email protected] ~]# yum install google-authenticator

Loaded plugins: fastestmirror, langpacks

base                                                     | 3.6 kB     00:00     

elrepo                                                   | 2.9 kB     00:00     

epel/x86_64/metalink                                     |  14 kB     00:00     

epel-spotify                                             | 2.9 kB     00:00     

extras                                                   | 3.4 kB     00:00     

google-chrome                                            |  951 B     00:00     

nux-dextop                                               | 2.9 kB     00:00     

updates                                                  | 3.4 kB     00:00     

Loading mirror speeds from cached hostfile

 * base: repos.dfw.quadranet.com

 * elrepo: elrepo.org

 * epel: mirrors.tummy.com

 * extras: mirrors.centarra.com

 * nux-dextop: mirror.li.nux.ro

 * updates: mirrors.umflint.edu

No package google-authenticator available.

Error: Nothing to do

 

 

By: Fred.
Reply  

Same here Denver.Did you find a solution?

By: simon
Reply  

I can't find the package in the standard or EPEL Centos 7 repo. please advise...

By: Simon
Reply  

need to add the EPEL (Extra Packages for Enterprise Linux) repo.

sudo yum install https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm

 

By: mutwakel yassen
Reply  

cd /opt/ wget https://google-authenticator.googlecode.com/files/libpam-google-authenticator-1.0-source.tar.bz2 tar -xvzf libpam-google-authenticator-1.0-source.tar.bz2 cd libpam-google-authenticator-1.0 make make installNow, run the Google authenticator on your server and answer each of the questions with yes$ google-authenticatorDo you want authentication tokens to be time-based (y/n) y https://www.google.com/chart?chs=200x200&chld=M|0&cht=qr&chl=otpauth://totp/[email protected]%3Fsecret%3DWYD4YCGEE5N4M3LA Your new secret key is: WYD4YCGEE5N4M3LA Your verification code is 188127 Your emergency scratch codes are: 60086389 28918071 88502143 60873576 90892542 Do you want me to update your "/root/.google_authenticator" file (y/n) y Do you want to disallow multiple uses of the same authentication token? This restricts you to one login about every 30s, but it increases your chances to notice or even prevent man-in-the-middle attacks (y/n) y By default, tokens are good for 30 seconds and in order to compensate for possible time-skew between the client and the server, we allow an extra token before and after the current time. If you experience problems with poor time synchronization, you can increase the window from its default size of 1:30min to about 4min. Do you want to do so (y/n) y If the computer that you are logging into isn't hardened against brute-force login attempts, you can enable rate-limiting for the authentication module. By default, this limits attackers to no more than 3 login attempts every 30s. Do you want to enable rate-limiting (y/n) y

Open the URL given after answering the first question and scan the QR code using the Google Authenticator application on your smartphone. That’s all. A new verification code will be generated every 30 seconds.

Now you will need to enable Google authenticator for SSH logins. Open PAM’s configuration file

vi /etc/pam.d/sshd

And add the following line at the top

auth required pam_google_authenticator.so

By: mutwakel yassen
Reply  

Open the SSH configuration file and ensure that the ‘ChallengeResponseAuthentication‘ line is set to yes

 

ChallengeResponseAuthentication yes

 

Save the changes and restart the SSH service:

service sshd restart

 

Now, every time you try to SSH into your server you will be prompted to enter the verification code displayed in your Google Authenticator application.

login as: Verification code: Password:

 

Hope this will help some one

 

 

 

 

By: salder
Reply  

I know this is against a bunch of different 'golden rules' but... you can just download and use the Fedora 23 rpm.  I have been running it since whomever decided to remove it from EPEL for EL7.

 

Currently the following works on a fully-patched CentOS 7 and RHEL7.2 systems.

google-authenticator-1.0-0.gita096a62.fc23.5.x86_64.rpm

By: Benjamin Chambers
Reply  

One missing dependency I had to pull in:

yum -y install pam-devel

Thanks for the write-up.

By: Tim
Reply  

This is not working in centos 6.8

By: Willem
Reply  

Hey, try this command:

chcon -t ssh_home_t /root/.google_authenticator To get the permissions right for CentOS