Secure SSH Login Using Two Factor Google Authenticator

Turn on two factor authentication (2FA)

Setting complex and long passwords for root/admin/backup/operator accounts is not enough. Two factor authentication is increasingly becoming a strongly recommended way of protecting user accounts. It protects them from attackers by requiring a second method of authentication in addition to the standard username and password pair.

Prerequisites

You need to download the Google Authenticator app, which generates 2-step verification codes on your phone or desktop. Install Google Authenticator on your Android device/iPhone/iPad/BlackBerry/Firefox before you install anything else.

Install Google Authenticator on CentOS / Fedora Linux

First, we need to install the development tools:

[root@linuxviet ~]# yum -y groupinstall "Development Tools"

Next, we need the PAM development package:

[root@linuxviet ~]# yum -y install pam-devel

Now, let's set up the ntp package so that we can make sure our time is correct, since the codes we will be using are time based:

[root@linuxviet ~]# yum install ntp

[root@linuxviet ~]# systemctl enable ntpd

[root@linuxviet ~]# systemctl start ntpd

Get Google Authenticator from GitHub:

[root@linuxviet ~]# git clone https://github.com/google/google-authenticator.git

Compile Google Authenticator:

[root@linuxviet ~]# cd google-authenticator/libpam

[root@linuxviet libpam]# ./bootstrap.sh

[root@linuxviet libpam]# ./configure

[root@linuxviet libpam]# make

[root@linuxviet libpam]# make install

Run the program to create our configuration file:

[root@linuxviet libpam]# google-authenticator

[Screenshot: output of the google-authenticator command on CentOS 7]

Save the backup codes listed somewhere safe. They will allow you to regain access if you lose your phone with the Authenticator app:

[Screenshot: the emergency scratch codes printed by google-authenticator]

Unless you have a good reason to change them, the defaults presented are sane. Just answer 'y' to continue:

[Screenshot: answering y to the remaining google-authenticator prompts]
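The codes the app displays are computed from the secret on the first line of ~/.google_authenticator and the current time in 30-second steps, which is why the ntp step above matters. The script below is an added example, not part of the original post or of the google-authenticator project: it derives the same code from the secret (RFC 6238 TOTP built on RFC 4226 HOTP with HMAC-SHA1), so you can compare what the server computes with what the phone shows before the first remote login depends on it. It assumes only a POSIX shell and the openssl command-line tool; the secret on the command line is whatever google-authenticator printed for you.

```shell
#!/bin/sh
# Added example (not from the original post): compute the code the Google
# Authenticator app shows for a given secret and time (RFC 6238 TOTP over
# RFC 4226 HOTP, HMAC-SHA1, 30-second steps, 6 digits).
# Assumes only a POSIX shell and the `openssl` command line tool.

B32_ALPHABET=ABCDEFGHIJKLMNOPQRSTUVWXYZ234567

# b32_to_hex <base32>: decode the base32 secret (first line of
# ~/.google_authenticator) into a hex string; spaces and '=' padding are ignored.
b32_to_hex() {
    s=$(printf '%s' "$1" | tr -d ' =' | tr 'a-z' 'A-Z')
    buf=0; bits=0; out=''
    while [ -n "$s" ]; do
        c=${s%"${s#?}"}; s=${s#?}            # take the first char, drop it from s
        rest=${B32_ALPHABET#*"$c"}           # alphabet after c; 32 chars if c is invalid
        [ ${#rest} -eq 32 ] && { echo "bad base32 char: $c" >&2; return 1; }
        buf=$(( (buf << 5) | (31 - ${#rest}) )); bits=$(( bits + 5 ))
        if [ "$bits" -ge 8 ]; then           # emit a byte once 8 bits are buffered
            bits=$(( bits - 8 ))
            out="$out$(printf '%02x' $(( (buf >> bits) & 0xff )))"
            buf=$(( buf & ((1 << bits) - 1) ))
        fi
    done
    printf '%s' "$out"
}

# hex_to_bin <hex>: write the raw bytes of a hex string to stdout
hex_to_bin() {
    h=$1
    while [ -n "$h" ]; do
        byte=${h%"${h#??}"}                  # first two hex chars
        printf "\\$(printf '%03o' $(( 0x$byte )))"
        h=${h#??}
    done
}

# hotp <hexkey> <counter> [digits]: RFC 4226 HOTP value, zero-padded
hotp() {
    hexkey=$1; counter=$2; digits=${3:-6}
    # HMAC-SHA1 over the 8-byte big-endian counter
    mac=$(hex_to_bin "$(printf '%016x' "$counter")" |
          openssl dgst -sha1 -mac HMAC -macopt "hexkey:$hexkey" | awk '{print $NF}')
    # dynamic truncation: low nibble of the last byte selects 4 bytes
    offset=$(( 0x${mac#"${mac%?}"} ))
    chunk=$(printf '%s' "$mac" | cut -c"$((offset * 2 + 1))-$((offset * 2 + 8))")
    mod=1; i=0
    while [ "$i" -lt "$digits" ]; do mod=$(( mod * 10 )); i=$(( i + 1 )); done
    printf "%0${digits}d" $(( (0x$chunk & 0x7fffffff) % mod ))
}

# totp <base32 secret> [unix time] [step seconds] [digits]
totp() {
    hexkey=$(b32_to_hex "$1") || return 1
    now=${2:-$(date +%s)}; step=${3:-30}
    hotp "$hexkey" $(( now / step )) "${4:-6}"
}

# Usage: sh totp.sh <base32 secret>   (prints the code for the current time)
if [ $# -gt 0 ]; then totp "$1"; echo; fi
```

If the server's code and the phone's code disagree while the secret is correct, the two clocks differ by more than the window the module allows, so check ntpd before going further.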

Add the following line to /etc/pam.d/sshd:

auth required pam_google_authenticator.so no_increment_hotp

Note: If you use HOTP (counter based, as opposed to time based), add the option no_increment_hotp so that the counter isn't incremented for failed attempts.

Next, ensure that the /etc/ssh/sshd_config has the following line:

ChallengeResponseAuthentication yes

Save and close the file, then restart the sshd service:

[root@linuxviet libpam]# systemctl restart sshd
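Before restarting sshd it is worth confirming that the two edits above and the secret file are actually in place, since a typo here is usually discovered by the next login failing. The function below is an added example, not part of the original post or of the google-authenticator project. It takes the two file paths as arguments so it can be run against copies, and assumes only a POSIX shell, grep, awk and find. It also checks UsePAM, which the post does not mention but which sshd needs in order to consult PAM at all (it defaults to yes on CentOS).

```shell
#!/bin/sh
# Added example (not from the original post): audit /etc/pam.d/sshd,
# /etc/ssh/sshd_config and the user's secret file for the 2FA setup above.
# Assumes only a POSIX shell, grep, awk and find.

# check_2fa_config <pam.d/sshd path> <sshd_config path> [home dir]
# Prints one line per finding; returns 0 only when every check passes.
check_2fa_config() {
    pam=$1; sshd=$2; home=${3:-$HOME}; rc=0

    # 1. PAM must actually load the module (a commented-out line does not count)
    if grep -Eq '^[[:space:]]*auth[[:space:]]+(required|requisite)[[:space:]]+pam_google_authenticator\.so' "$pam"; then
        echo "ok:   $pam loads pam_google_authenticator.so"
    else
        echo "FAIL: $pam does not load pam_google_authenticator.so"; rc=1
    fi

    # 2. sshd must hand the challenge to PAM. sshd uses the FIRST value it
    #    reads for a keyword, so a stray early 'no' beats a later 'yes';
    #    per-user Match blocks are out of scope here, so stop at the first one.
    for key in ChallengeResponseAuthentication UsePAM; do
        val=$(awk -v k="$key" '
            tolower($1) == "match" { exit }
            tolower($1) == tolower(k) && v == "" { v = $2 }
            END { print v }' "$sshd")
        if [ "$val" = yes ]; then
            echo "ok:   $key yes"
        else
            echo "FAIL: $key is '${val:-unset}', need yes"; rc=1
        fi
    done

    # 3. the secret file written by google-authenticator must exist and be
    #    readable by its owner only (mode 0400, as google-authenticator creates it)
    f=$home/.google_authenticator
    if [ ! -f "$f" ]; then
        echo "FAIL: $f missing (run google-authenticator as this user)"; rc=1
    elif [ -z "$(find "$f" -perm 0400)" ]; then
        echo "FAIL: $f is not mode 0400"; rc=1
    else
        echo "ok:   $f present with mode 0400"
    fi
    return "$rc"
}

# Run against the live files when executed directly, as the user who ran
# google-authenticator:  sh check_2fa.sh /etc/pam.d/sshd /etc/ssh/sshd_config
[ $# -ge 2 ] && check_2fa_config "$1" "$2" "$3"
```

Pair it with `sshd -t`, which checks the sshd_config syntax without restarting, and keep an existing SSH session open while you test a fresh login from a second terminal so a mistake does not lock you out.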

Finally.
