Secure SSH with Two-Factor Authentication on CentOS 7


Multi-factor authentication (MFA) is a technique in which users gain access to a website or application by proving their identity with multiple factors of authentication: information, ownership, and identity. Two-factor authentication (2FA) provides an extra layer of protection for your online accounts. Beyond a username and password, an additional credential is required to gain access to the account, and obtaining that credential requires access to personal information.

Let’s take a look at how to set up 2FA authentication on a CentOS system.



Step 1: Configure VPSie cloud server


  1. Sign in to your system or register a newly created one by logging in to your VPSie account.
  2. Connect by SSH using the credentials we emailed you.
  3. Once you have logged into your CentOS instance, run this command to update your system:
sudo yum update



Step 2: Install the Google-Authenticator



All mobile phones are compatible with Google-Authenticator. Android users can download the app from Google Play, whereas iPhone users can download the iOS app from the App Store.



Step 3: Installing Google PAM



Start by installing the EPEL repository as follows:


yum install epel-release



Now install the Google PAM module:


yum install google-authenticator



Step 4: Configuring Google PAM


Once the installation completes, you can run a script that creates a key for each user you wish to add a second factor to. These keys are generated on a user-by-user basis, which means every user who wants OTP authentication has to run the script to get their own key.


Run the initialization script by executing the following command:


# google-authenticator


Once the command has been run, you’ll be prompted with a few questions. The first question asks whether authentication tokens should be time-based. A “Y” answer is recommended. You will then see a large QR code on your screen; scan it with your phone so that your profile is added to the app automatically. Also keep a record of your “secret key,” “verification code,” and “emergency scratch code.”



Step 5: Configuring SSH


Google PAM is configured and ready to use. SSH needs to be configured now.


Use the following command to open the PAM configuration file for SSH:


# nano /etc/pam.d/sshd


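Place the following line at the very end of the file. The nullok option lets users who have not yet generated a key keep logging in without a verification code:


auth required pam_google_authenticator.so nullok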


Set up SSH for this authentication by opening the “sshd_config” file as follows:


# nano /etc/ssh/sshd_config


Find “ChallengeResponseAuthentication” and set it to “yes”, as in this example:


ChallengeResponseAuthentication yes


Restart the SSH service for the change to take effect:


systemctl restart sshd



The next time you sign in, you will be asked to enter a “Verification-code”, which will appear in your phone’s Google-Authenticator app.
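
To confirm that both edits from Step 5 are in place before you close your current session, the script below checks the PAM file and sshd_config. It is an added example, not part of the original tutorial: the function names are illustrative, the sample files are constructed, and it assumes the module file name pam_google_authenticator.so that the google-authenticator package installs.

```shell
#!/bin/sh
# Added example: audit the two files edited in Step 5.

# Echo "enforced", "optional" (nullok set) or "missing" for the
# pam_google_authenticator.so auth line in a PAM service file.
pam_2fa_state() {
    awk '
        /^[ \t]*#/ { next }
        $1 == "auth" && /pam_google_authenticator\.so/ {
            state = "enforced"
            for (i = 3; i <= NF; i++) if ($i == "nullok") state = "optional"
            print state; found = 1; exit
        }
        END { if (!found) print "missing" }' "$1"
}

# Echo the first ChallengeResponseAuthentication value (sshd uses the
# first occurrence, keywords are case-insensitive) or "unset".
crauth_value() {
    awk '
        /^[ \t]*#/ { next }
        tolower($1) == "challengeresponseauthentication" {
            print tolower($2); found = 1; exit
        }
        END { if (!found) print "unset" }' "$1"
}

# Return 0 only when the PAM line exists and sshd_config says "yes".
audit_ssh_2fa() {
    pam=$(pam_2fa_state "${1:-/etc/pam.d/sshd}")
    cr=$(crauth_value "${2:-/etc/ssh/sshd_config}")
    echo "PAM module: $pam; ChallengeResponseAuthentication: $cr"
    [ "$pam" = "optional" ] &&
        echo "note: nullok lets accounts without a key skip the code"
    [ "$pam" != "missing" ] && [ "$cr" = "yes" ]
}

# Constructed sample files (not from a real host) to exercise the checks.
tmp=$(mktemp -d)
printf '%s\n' '#%PAM-1.0' 'auth required pam_sepermit.so' \
    'auth required pam_google_authenticator.so nullok' > "$tmp/pam"
printf '%s\n' '#ChallengeResponseAuthentication yes' \
    'ChallengeResponseAuthentication no' > "$tmp/sshd"
audit_ssh_2fa "$tmp/pam" "$tmp/sshd" || echo "second factor is NOT active"
rm -rf "$tmp"
```

On the server itself, call audit_ssh_2fa with no arguments as root to check /etc/pam.d/sshd and /etc/ssh/sshd_config, and keep an existing SSH session open until a fresh login has prompted for the code.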



That’s it, Thanks for reading! I hope it was informative for you! 


