How to secure your SSH using two-step authentication on CentOS 6

There are several things you can do to secure and secure your SSH. One is to use Google Authenticator to creating two-factor authentication on your CentOS . Google Authenticator adds an extra layer of security by creating time-based one-time passwords (TOTP) on your smartphone so you can log in with your name and password to log into the server via SSH.

In today’s blog post, we’ll walk you through how to install Google Authenticator from source and set up SSH for two-factor authentication

First of all, update your CentOS virtual server

                      yum -y update

Then install the ‘pam-devel’ package, which allows you to set the authentication policy without recompiling the programs that handle the authentication.

                      yum -y install pam-devel

Make sure ntpd is installed and running as TOTP security tokens are time sensitive

                      yum -y install ntp
/etc/init.d/ntpd start
chkconfig ntpd on

Download and unzip the Google Authenticator package

                      cd /opt/
tar -xvzf libpam-google-authenticator-1.0-source.tar.bz2
cd libpam-google-authenticator-1.0

Compile and install the Google Authenticator module

make install

Now run Google Authenticator on your server and answer each of the questions


Do you want authentication tokens to be time-based (y/n) y|0&cht=qr&chl=otpauth://totp/[email protected]%3Fsecret%3DWYJ4YCGEE3N4M3MA
Your new secret key is: WVD4YAGEE5N9M3LA
Your verification code is 198227
Your emergency scratch codes are:

Do you want me to update your "/root/.google_authenticator" file (y/n) y

Do you want to disallow multiple uses of the same authentication
token? This restricts you to one login about every 30s, but it increases
your chances to notice or even prevent man-in-the-middle attacks (y/n) y

By default, tokens are good for 30 seconds and in order to compensate for
possible time-skew between the client and the server, we allow an extra
token before and after the current time. If you experience problems with poor
time synchronization, you can increase the window from its default
size of 1:30min to about 4min. Do you want to do so (y/n) y

If the computer that you are logging into isn't hardened against brute-force
login attempts, you can enable rate-limiting for the authentication module.
By default, this limits attackers to no more than 3 login attempts every 30s.
Do you want to enable rate-limiting (y/n) y

Open the URL after answering the first question asked and scan the QR code using the Google Authenticator app on your smartphone.

That’s all! A new verification code will be generated every 30 seconds.

Now you will need to enable Google Authenticator for SSH login. Open PAM’s config file

                      vi /etc/pam.d/sshd

And add the following line at the top

                      auth       required

Open the SSH configuration file and make sure the ‘ChallengeResponseAuthentication’ line is set to yes.

                      ChallengeResponseAuthentication yes

Save your changes and restart the SSH service:

                      service sshd restart

Now, every time you try to log into your server using SSH, you will be prompted to enter the verification code displayed in the Google Authenticator app.

                      login as: 
Verification code:

How to secure your SSH using two-step authentication on CentOS 6

PS. If you liked this post, please share it with your friends on social networks using the buttons on the left side of the post, or just leave a comment below. Thank you in advance.

Related Posts