We will be looking at how to secure SSH with two factor authentication using Google Authenticator on CentOS / RHEL 8/7. Two-factor authentication is a process which compose of two stages to verify the identity of an entity accessing services in a network. It adds a second layer of security to the standard username and password authentication.
SSH is a widely used protocol for accessing remote Linux/Unix servers and pushing files between servers. If there is no proper security policy governing access over ssh, a successful brute-force attack can cause losses to the company. This guide will discuss how Two factor (2FA) Authentication for SSH on CentOS / RHEL 8/7 can be configured.
The second layer of security we’ll use for this exercise is Google Authenticator. We will use the Google Authenticator app available for Android (in the Play Store) and iOS (in iTunes) to generate authentication codes.
What is required?
- Server running RHEL / CentOS 8/7
- A phone running Android or iOS
- Google Authenticator application
- A configured SSH connection
- Your availability to
setuptwo factor authentication
Step 1: Install EPEL Repository
You need to have EPEL repository installed and working so that dependencies can be installed. Use our guide below to add EPEL repository to your RHEL / CentOS 8 system.
Step 2: Install and configure required packages
We need to install the Google Authenticator PAM module from
$ sudo yum search google-authenticator Updating Subscription Management repositories. Updating Subscription Management repositories. Last metadata expiration check: 0:01:53 ago on Sat 29 Dec 2018 10:09:22 AM EAT. ========================================================== Name Matched: oogle-authenticator ========================================================== google-authenticator.x86_64 : One-time pass-code support using open standards
Once confirmed, proceed to install it with
qrencode using dnf or yum package manager.
sudo dnf -y install google-authenticator qrencode
The Google Authenticator package contains a plug-able authentication module (PAM) which allows login using one-time pass-codes conforming to the open standards developed by the Initiative for Open Authentication (OATH) (which is unrelated to OAuth).
More details about installed package can be checked with:
$ rpm -qi google-authenticator
Name : google-authenticator
Version : 1.04
Release : 1.el7
Install Date: Sat 29 Dec 2018 10:12:50 AM EAT
Group : Unspecified
Size : 98922
License : ASL 2.0
Signature : RSA/SHA256, Thu 17 Aug 2017 03:27:00 AM EAT, Key ID 6a2faea2352c64e5
Source RPM : google-authenticator-1.04-1.el7.src.rpm
Build Date : Thu 17 Aug 2017 03:13:19 AM EAT
Build Host : buildhw-06.phx2.fedoraproject.org
Relocations : (not relocatable)
Packager : Fedora Project
Vendor : Fedora Project
URL : https://github.com/google/google-authenticator-libpam/
Summary : One-time pass-code support using open standards
Step 3: Configuring SSH Server
After installation, you need to make SSH use the Google Authenticator PAM module. To do this, open the file
/etc/pam.d/sshd and add the following line at the end.
$ sudo vi /etc/pam.d/sshd
# Add to end
auth required pam_google_authenticator.so
$ sudo vi /etc/ssh/sshd_config
yes to enable challenge-response passwords.
Step 4: Configuring authentication
With Google Authenticator, configuring two-factor authentication is a walk in the park. This needs to be done for each user account to be able to login.
In a terminal, run the google-authenticator command.
This will ask you a series of questions, here is a recommended configuration:
- Use “time-based” time-based tokens: yes
- Update the
- Disallow multiple uses of the same authentication token: yes
- Increase the original generation time limit: no
- Enable rate-limiting: yes
You’ll be given secret key, verification code and emergency scratch codes to be used if you don’t have access to your phone. Write them down on paper or notepad and keep them safe.
Your new secret key is: DKM6MJWQVGZHLTWJ4G45XXXXXX
Your verification code is 869XXX
Your emergency scratch codes are:
Install and configure Google Authenticator
Follow prompts to finish the setup then choose to Scan barcode or enter Private Key.
Scan the barcode printed in your screen during setup or add your secret key to add SSH account.
You should see account added to Google Authenticator and
Test SSH two factor Authentication
Try to initiate a new SSH to the server.
$ ssh rhel8
Password: <Enter SSH Password>
Verification code: <Enter Verificarion code on Google Authenticator>
Activate the web console with: systemctl enable --now cockpit.socket
Last failed login: Sat Dec 29 11:51:46 EAT 2018 from 192.168.122.1 on ssh:notty
Last login: Sat Dec 29 11:48:31 2018
[[email protected] ~]$
Your SSH two factor authentication has been successfully configured on RHEL / CentOS 8.
Other articles of interest: