Secure SSH with Google Authenticator Two-Factor Authentication on CentOS 7

First of all we will install the open source Google Authenticator PAM module by executing the following command on the shell.

# yum install google-authenticator
# google-authenticator

The next step is to change some files which we will start by first changing /etc/pam.d/sshd. Add the following line to the top:

auth required

auth required
auth required
auth include password-auth
account required
account include password-auth
password include password-auth
# close should be the first session rule
session required close
session required
# open should only be followed by sessions to be executed in the user context
session required open env_params
session required
session optional force revoke
session include password-auth

Additional you could also add folowing line. This makes it possible to logon localy without verify code:

auth [success=1 default=ignore] accessfile=/etc/security/access-local.conf

Contect of /etc/security/access-local.conf:

# Google Authenticator can be skipped on local network
+ : ALL :
- : ALL : ALL

Change the next file which is /etc/ssh/sshd_config. Add the following line in the file and if its already placed then change the parameter to “yes”:

ChallengeResponseAuthentication yes

Now restart the service of ssh by the following command:

# service sshd restart

Comments are closed.