Secure SSH with Two-Factor Authentication on CentOS 7

 

 

 

 

Multi-factor authentication (MFA) is a technique that lets users access a website or application only after proving their identity with multiple factors of authentication: information (something they know), ownership (something they have), and identity (something they are). Two-factor authentication (2FA) provides an extra layer of protection for your online accounts: gaining access requires an additional credential on top of the username and password, and obtaining that credential requires access to something personal to the account owner, such as their phone.

Let’s take a look at how to set up 2FA for SSH on a CentOS system.

 

 

 

 

 

 

Step 1: Configure VPSie cloud server

 

 

 

 

 

  1. Log in to your VPSie account, then sign in to your system or register a new one.
  2. Connect by SSH using the credentials we emailed you.
  3. Once you have logged into your CentOS instance, run this command to update your system:

sudo yum update

 

 

 

 

 

 

Step 2: Install the Google-Authenticator app

Google-Authenticator is compatible with all mobile phones. Android users can download the app from Google Play, while iPhone (iOS) users can download it from the App Store.

 

 

 

 

 

 

Step 3: Installing Google PAM

 

 

 

 

 

Start by installing the EPEL repository:

yum install epel-release

Now install the Google PAM module:

yum install google-authenticator

 

 

 

 

 

 

Step 4: Configuring Google PAM

 

 

 

 

 

Once the installation is complete, you can run a script that creates the key for a user's second factor. Keys are generated on a user-by-user basis, so every user who wants OTP authentication has to run the script to get their own key.

Run the initialization script with the following command:

# google-authenticator

 

 

 

Once the command has been run, you’ll be prompted with a few questions. The first question asks whether authentication tokens should be time-based; answering “Y” is recommended. You will then see a large QR code on your screen. Scan it with the Google-Authenticator app on your phone and your profile will be added automatically. Also keep a record of your “secret key,” “verification code,” and “emergency scratch code,” and store them somewhere safe: anyone who has the secret key can generate valid verification codes.

 

 

 

 

 

 

 

Step 5: Configuring SSH

 

 

 

 

Google PAM is now configured and ready to use. Next, SSH needs to be configured.

Use the following command to open the PAM configuration file for SSH:

# nano /etc/pam.d/sshd

 

 

 

 

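Place the following line at the very end of the file:

auth required pam_google_authenticator.so nullok

The “nullok” option lets users who have not yet run google-authenticator log in without a verification code. Remove it once every user has generated a key.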

 

 

 

 

Next, enable this authentication in SSH by opening the “sshd_config” file as follows:

# nano /etc/ssh/sshd_config

 

 

 

Find “ChallengeResponseAuthentication” and set it to “yes”, as in this example:

ChallengeResponseAuthentication yes

 

 

 

 

Restart the SSH service for the changes to take effect:

systemctl restart sshd




The next time you sign in, you will be asked to enter a “Verification-code”, which will appear in your phone’s Google-Authenticator app.
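
A quick audit of the two files edited in Step 5, useful before restarting sshd. This is an added example, not part of the original tutorial: the function names (sshd_value, pam_ga_line, check_2fa) and the sample files are constructed for illustration, and Match blocks in sshd_config are not handled.

```shell
#!/bin/sh
# Added example (not from the original tutorial): audit the two files from Step 5.

# Print the first value set for an sshd_config keyword (sshd uses the first one it reads).
# Simplification: Match blocks and compiled-in defaults are ignored, so the keyword
# must be set explicitly, as it is in the stock CentOS 7 file.
sshd_value() {  # $1 = sshd_config path, $2 = keyword (case-insensitive)
    awk -v k="$2" 'tolower($1) == tolower(k) { print $2; exit }' "$1"
}

# Print the active (uncommented) auth line that loads pam_google_authenticator.so.
pam_ga_line() {  # $1 = PAM service file
    grep -E '^[[:space:]]*auth[[:space:]]+[^#]*pam_google_authenticator\.so' "$1"
}

# Return 0 when 2FA is wired up as the tutorial describes, 1 otherwise.
check_2fa() {  # $1 = sshd_config path, $2 = PAM service file
    rc=0
    if [ "$(sshd_value "$1" ChallengeResponseAuthentication)" != "yes" ]; then
        echo "FAIL: ChallengeResponseAuthentication is not 'yes'"; rc=1
    fi
    if [ "$(sshd_value "$1" UsePAM)" != "yes" ]; then
        echo "FAIL: UsePAM is not 'yes', so sshd never calls the PAM stack"; rc=1
    fi
    if line=$(pam_ga_line "$2"); then
        case "$line" in
            *nullok*) echo "WARN: nullok lets users with no secret file skip the code" ;;
        esac
    else
        echo "FAIL: no active pam_google_authenticator.so auth line"; rc=1
    fi
    return "$rc"
}

# Constructed sample files so the example runs without touching /etc.
demo=$(mktemp -d)
printf 'UsePAM yes\n#ChallengeResponseAuthentication yes\nChallengeResponseAuthentication no\n' > "$demo/sshd_before"
printf 'UsePAM yes\nChallengeResponseAuthentication yes\n' > "$demo/sshd_after"
printf 'auth substack password-auth\nauth required pam_google_authenticator.so nullok\n' > "$demo/pam_after"

echo "before:"; check_2fa "$demo/sshd_before" "$demo/pam_after" || echo "=> not enforced"
echo "after:";  check_2fa "$demo/sshd_after"  "$demo/pam_after" && echo "=> settings present"
```

To audit the live system, call `check_2fa /etc/ssh/sshd_config /etc/pam.d/sshd`, and keep your current SSH session open until a second login confirms the verification-code prompt works.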








That’s it. Thanks for reading! I hope it was informative for you!

 

 

 

 


 

 
