Secure SSH with Two-Factor Authentication on CentOS 7
Multi-factor authentication (MFA) is a technique that lets users access a website or application only after proving their identity with more than one kind of factor: something they know (knowledge), something they have (possession), and something they are (inherence). Two-factor authentication (2FA) adds an extra layer of protection to your online accounts: a second credential is required in addition to the username and password, so a stolen password alone is not enough to log in.
Let’s take a look at how to set up 2FA for SSH logins on a CentOS 7 system.
Step 1: Configure VPSie cloud server
- Log in to your VPSie account and either sign in to an existing server or create a new one.
- Connect by SSH using the credentials we emailed you.
- Once you have logged into your CentOS instance, run this command to update your system:
sudo yum update
Step 2: Install the Google Authenticator app
The Google Authenticator app is available for the common mobile platforms: Android users can download it from Google Play, and iOS users (iPhone) can download it from the App Store.
Step 3: Installing the Google Authenticator PAM module
Start by installing the EPEL repository, which provides the package:
yum install epel-release
Now install the Google Authenticator PAM module:
yum install google-authenticator
Step 4: Configuring the Google Authenticator PAM module
Once the installation completes, you can run a script that creates a key for each user you wish to add a second factor to. Keys are generated on a user-by-user basis, so every user who wants OTP authentication has to run the script to get their own key.
Run the initialization script, as the user who will be logging in, with the following command:
Once the command has been run, you’ll be prompted with a few questions. The first asks whether authentication tokens should be time-based; answering “Y” is recommended. You will then see a large QR code on your screen; scan it with your phone and the profile is added to the app automatically. Also keep a record of your “secret key,” “verification code,” and “emergency scratch codes,” since the scratch codes are your way in if you lose the phone.
Step 5: Configuring SSH
The PAM module is now configured and ready to use. Next, SSH needs to be told to use it.
Use the following command to open the PAM configuration file for sshd:
# nano /etc/pam.d/sshd
Place the following line at the very end of the file:
auth required pam_google_authenticator.so nullok
Then configure the SSH daemon itself by opening the “sshd_config” file:
# nano /etc/ssh/sshd_config
Find the “ChallengeResponseAuthentication” directive and set it to “yes”. Below is an example:
Finally, restart your SSH service:
systemctl restart sshd
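The Step 5 edits, as an added example that is not part of the original tutorial: the functions make the two file changes idempotent (re-running never duplicates the PAM line or leaves two active directives), check the result, and only restart sshd once `sshd -t` accepts the new configuration. The file paths are the ones used above; the function names are my own.

```shell
#!/bin/sh
# Added example, not part of the original tutorial: apply the Step 5 edits
# idempotently and validate the result before restarting sshd.
set -eu

# Make "ChallengeResponseAuthentication yes" the active setting. CentOS 7 ships
# a commented "#ChallengeResponseAuthentication yes" above an active "... no";
# only uncommented directives are rewritten, so exactly one stays active.
# (Directives inside Match blocks are not handled here.)
set_challenge_response() {
  cfg="$1"
  if grep -q '^[[:space:]]*ChallengeResponseAuthentication[[:space:]]' "$cfg"; then
    sed -i 's/^[[:space:]]*ChallengeResponseAuthentication[[:space:]].*/ChallengeResponseAuthentication yes/' "$cfg"
  else
    printf 'ChallengeResponseAuthentication yes\n' >> "$cfg"
  fi
}

# Append the PAM line from Step 5 only if it is not already present, so
# re-running the script never stacks duplicate auth entries.
# nullok lets users who have not yet run the enrollment script log in without
# a code; remove it once every account has a key.
add_pam_line() {
  pam="$1"
  line='auth required pam_google_authenticator.so nullok'
  grep -qxF "$line" "$pam" || printf '%s\n' "$line" >> "$pam"
}

# Number of active "ChallengeResponseAuthentication yes" lines; sshd honours
# the first directive it sees, so a sane file has exactly one.
active_cra_count() {
  grep -c '^[[:space:]]*ChallengeResponseAuthentication[[:space:]][[:space:]]*yes' "$1" || true
}

# Apply to the real files (run as root). Keep an existing SSH session open,
# and only restart when sshd -t accepts the new configuration.
apply_2fa_config() {
  cp -p /etc/ssh/sshd_config /etc/ssh/sshd_config.bak
  set_challenge_response /etc/ssh/sshd_config
  add_pam_line /etc/pam.d/sshd
  /usr/sbin/sshd -t && systemctl restart sshd
}
```

Call `apply_2fa_config` as root from a session you keep open until a second login has confirmed the verification-code prompt works.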
The next time you sign in, you will be asked to enter a “Verification code”, which is shown in your phone’s Google Authenticator app.
That’s it. Thanks for reading! I hope you found it informative.