Comprehensive guide for SSH with Two-Factor Authentication on CentOS 7
Secure Shell (SSH) is a widely used cryptographic network protocol that enables secure communication between networked devices. However, SSH alone is not enough to ensure the security of your network when it relies solely on a username and password combination for authentication.
Two-Factor Authentication (2FA) is the next layer of security: it adds extra protection to SSH connections and helps prevent unauthorized access. This article discusses SSH with Two-Factor Authentication: how to install it, its use cases, features, advantages and disadvantages, and a conclusion.
What is SSH with Two-Factor Authentication?
SSH with Two-Factor Authentication is a security mechanism that requires two forms of authentication to gain access to a networked device. The first form of authentication is usually a password, and the second is a one-time code generated by a mobile app or hardware token. This second factor can be something you have, like a physical token, or something you are, like a biometric factor, such as a fingerprint or facial recognition.
Let’s take a look at how to set up 2FA authentication on a CentOS system.
Step 1: Configure VPSie cloud server
- Sign in to your system or register a newly created one by logging in to your VPSie account.
- Connect by SSH using the credentials we emailed you.
- Once you have logged in to your CentOS instance, run this command to update your system.
sudo yum update
Step 2: Install the Google-Authenticator
All mobile phones are compatible with Google-Authenticator. For Android users, the app can be downloaded from Google Play, whereas the iOS app (for iPhone users) can be downloaded from the App Store.
Step 3: Installing Google PAM
Start by installing EPEL repository as follows,
yum install epel-release
Now install the Google PAM,
yum install google-authenticator
Step 4: Configuring Google PAM
Once the installation completes, you can run a script that creates the key for the second factor. Keys are generated on a user-by-user basis, so every user who wants OTP authentication has to run the script to get their own key.
Run the initialization script, as the user being enrolled, with the following command:
# google-authenticator
Once the command has been run, you’ll be prompted with a few questions. The first question asks whether authentication tokens should be time-based; a “Y” answer is recommended. You will then see a large QR code on your screen; scan it with the Google Authenticator app on your phone so your profile is added automatically. Also keep a record of your “secret key,” “verification code,” and “emergency scratch code” in a safe place.
Step 5: Configuring SSH
Google PAM is configured and ready to use. SSH needs to be configured now.
Use the following command to open the PAM configuration file for SSH:
# nano /etc/pam.d/sshd
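Place the following line at the very end of the file. The nullok option lets users who have not yet run google-authenticator log in without a verification code; remove it once every user is enrolled.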
auth required pam_google_authenticator.so nullok
Next, set up SSH for this authentication by opening the “sshd_config” file as follows:
# nano /etc/ssh/sshd_config
Find “ChallengeResponseAuthentication” and set it to “yes”. Below is an example:
ChallengeResponseAuthentication yes
Your SSH service must be restarted for the change to take effect:
systemctl restart sshd
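The next time you sign in, you will be asked to enter a “Verification code”, which will appear in your phone’s Google Authenticator app. Keep your current session open and test the login from a second terminal, so that a configuration mistake does not lock you out.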
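The Step 5 settings can be checked with a short script before sshd is restarted. This is an added example, not part of the original article; the function names are hypothetical, the UsePAM check is an extra assumption beyond the article's steps, and the sample files are constructed.

```shell
#!/usr/bin/env bash
# Added example: audit the two files edited in Step 5. File paths are parameters
# (defaults are the article's paths) so the checks can run against copies.

# First value of a keyword in the global section of sshd_config. sshd uses the
# first occurrence of a keyword; Match blocks and Include are not evaluated here.
sshd_value() {  # usage: sshd_value KEYWORD FILE
  awk -v k="$1" 'tolower($1) == "match" { exit }
                 tolower($1) == tolower(k) { print tolower($2); exit }' "$2"
}

# First uncommented auth line that loads pam_google_authenticator.so.
pam_totp_line() {  # usage: pam_totp_line FILE
  grep -E '^[[:space:]]*auth[[:space:]].*pam_google_authenticator\.so' "$1" | head -n 1
}

# Prints one line per finding; returns 0 when the setup matches Step 5, else 1.
audit_ssh_2fa() {  # usage: audit_ssh_2fa [SSHD_CONFIG] [PAM_FILE]
  local sshd="${1:-/etc/ssh/sshd_config}" pam="${2:-/etc/pam.d/sshd}" rc=0 line
  # Extra check, not in the article: PAM modules only run when UsePAM is yes.
  if [ "$(sshd_value UsePAM "$sshd")" != "yes" ]; then
    echo "FAIL: UsePAM is not yes"; rc=1
  fi
  if [ "$(sshd_value ChallengeResponseAuthentication "$sshd")" != "yes" ]; then
    echo "FAIL: ChallengeResponseAuthentication is not yes"; rc=1
  fi
  line="$(pam_totp_line "$pam")"
  if [ -z "$line" ]; then
    echo "FAIL: no active pam_google_authenticator.so auth line"; rc=1
  elif printf '%s\n' "$line" | grep -qw 'nullok'; then
    echo "WARN: nullok set, users without ~/.google_authenticator skip the code"; rc=1
  fi
  return "$rc"
}

# Constructed sample files (not real system output) for an offline run.
demo_dir="$(mktemp -d)"
printf 'UsePAM yes\n#ChallengeResponseAuthentication yes\nChallengeResponseAuthentication no\n' > "$demo_dir/sshd_bad"
printf 'UsePAM yes\nChallengeResponseAuthentication yes\n' > "$demo_dir/sshd_ok"
printf 'auth required pam_google_authenticator.so nullok\n' > "$demo_dir/pam_nullok"
printf 'auth required pam_google_authenticator.so\n' > "$demo_dir/pam_strict"
audit_ssh_2fa "$demo_dir/sshd_bad" "$demo_dir/pam_nullok" || true
audit_ssh_2fa "$demo_dir/sshd_ok" "$demo_dir/pam_strict" && echo "OK: Step 5 settings present"
```

On a real host, call audit_ssh_2fa with no arguments as root to check /etc/ssh/sshd_config and /etc/pam.d/sshd.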
Compared to other systems
SSH with Two-Factor Authentication is more secure than SSH with just a username and password. It provides an additional layer of security, making it very hard for an attacker to gain access to your network. Other systems, such as single-factor authentication or Multi-Factor Authentication (MFA), require either one factor or multiple factors but without the unique one-time code. SSH with Two-Factor Authentication is more secure than single-factor authentication and provides an additional layer of security compared to MFA.
Use Cases of Two-Factor Authentication
SSH with Two-Factor Authentication is commonly used in organizations with remote workers or those that need to protect access to critical network resources. Some of the common use cases for SSH with Two-Factor Authentication include the following:
- Remote Access: SSH with Two-Factor Authentication can securely access networked devices remotely, such as servers or workstations.
- Cloud Computing: SSH with Two-Factor Authentication can secure connections to cloud-based infrastructure, such as virtual machines or containers.
- Banking: Financial institutions can use SSH with Two-Factor Authentication to secure access to customer information or financial data.
Features of Two-Factor Authentication
Some of the key features of SSH with Two-Factor Authentication include the following:
- Secure Communication: SSH with Two-Factor Authentication uses encryption to ensure that communication between networked devices is secure and cannot be intercepted by third parties.
- Mobile App or Hardware Token: SSH with Two-Factor Authentication usually requires a mobile app or hardware token to generate the one-time code for the second factor.
- Easy to Implement: SSH with Two-Factor Authentication is easy to implement and configure, with most SSH servers supporting 2FA out-of-the-box.
Advantages of Two-Factor Authentication
There are several advantages of SSH with Two-Factor Authentication, including:
- Enhanced Security: SSH with Two-Factor Authentication provides an additional layer of security, making it more difficult for attackers to gain unauthorized access to your network.
- Protection Against Credential Stuffing: SSH with Two-Factor Authentication protects against credential stuffing attacks, where attackers use stolen credentials to obtain access to your network.
- Compliance Requirements: SSH with Two-Factor Authentication may be a requirement for specific industries or government regulations, such as the Payment Card Industry Data Security Standard (PCI DSS).
Disadvantages of Two-Factor Authentication
While SSH with Two-Factor Authentication is a great security mechanism, it does have some drawbacks, including:
- Complexity: SSH with Two-Factor Authentication can be complex to implement and configure, especially in large organizations with many users.
- User Experience: SSH with Two-Factor Authentication can be cumbersome for users who are not yet familiar with the authentication process, leading to a poor user experience.
- Cost: SSH with Two-Factor Authentication may require additional hardware or software licenses, leading to additional costs for organizations.
Conclusion
In conclusion, SSH with Two-Factor Authentication is a highly effective security mechanism that provides additional protection for networked devices. Compared to other systems, SSH with Two-Factor Authentication is more secure and provides an extra layer of protection against unauthorized access.
The use cases for SSH with Two-Factor Authentication are widespread, ranging from remote access to critical network resources to cloud computing and banking. However, SSH with Two-Factor Authentication has disadvantages, such as complexity, user experience, and cost.
Despite these drawbacks, the benefits of SSH with Two-Factor Authentication far outweigh the disadvantages, making it a highly recommended security mechanism for any organization looking to secure its networked devices.
That’s it, Thanks for reading! I hope it was informative for you!