There are several things you can do to secure your SSH server. One is to use Google Authenticator to add two-factor authentication on your CentOS server. Google Authenticator adds an extra layer of security by generating time-based one-time passwords (TOTP) on your smartphone, so that logging into the server via SSH requires a valid code in addition to your username and password.
In today's blog post, we'll walk you through how to install Google Authenticator from source and set up SSH for two-factor authentication.
First of all, update your CentOS virtual server:
yum -y update
Then install the 'pam-devel' package, which lets you set the authentication policy without recompiling the programs that handle authentication:
yum -y install pam-devel
Make sure ntpd is installed and running, as TOTP security tokens are time sensitive:
yum -y install ntp
/etc/init.d/ntpd start
chkconfig ntpd on
Download and unpack the Google Authenticator source package (note the -j flag: the archive is bzip2-compressed, so -z would fail):
cd /opt/
wget https://google-authenticator.googlecode.com/files/libpam-google-authenticator-1.0-source.tar.bz2
tar -xvjf libpam-google-authenticator-1.0-source.tar.bz2
cd libpam-google-authenticator-1.0
Compile and install the Google Authenticator PAM module:
make
make install
Now run google-authenticator on your server as the user who will be logging in, and answer each of the questions:
google-authenticator

Do you want authentication tokens to be time-based (y/n) y
https://www.google.com/chart?chs=200x200&chld=M|0&cht=qr&chl=otpauth://totp/[email protected]%3Fsecret%3DWYJ4YCGEE3N4M3MA
Your new secret key is: WVD4YAGEE5N9M3LA
Your verification code is 198227
Your emergency scratch codes are:
  40084389
  29917071
  85501143
  61878576
  90392562

Do you want me to update your "/root/.google_authenticator" file (y/n) y

Do you want to disallow multiple uses of the same authentication token? This restricts you to one login about every 30s, but it increases your chances to notice or even prevent man-in-the-middle attacks (y/n) y

By default, tokens are good for 30 seconds and in order to compensate for possible time-skew between the client and the server, we allow an extra token before and after the current time. If you experience problems with poor time synchronization, you can increase the window from its default size of 1:30min to about 4min. Do you want to do so (y/n) y

If the computer that you are logging into isn't hardened against brute-force login attempts, you can enable rate-limiting for the authentication module. By default, this limits attackers to no more than 3 login attempts every 30s. Do you want to enable rate-limiting (y/n) y
Open the URL printed after the first question and scan the QR code with the Google Authenticator app on your smartphone (the URL embeds the secret key, so do not leave it in shell history or logs). Store the emergency scratch codes somewhere safe; each one can be used once if you lose the phone.
That's all! The app will now generate a new verification code every 30 seconds.
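To make the behaviour behind the questions above concrete, here is an added example (written for this post, not code from the google-authenticator project) of what the PAM module does when it checks a code: it derives the 30-second counter from the clock, computes the RFC 4226/6238 HMAC-SHA1 code from the base32 secret, accepts one token before and after the current one (the default 1:30 window), and refuses to accept the same token twice (the "disallow multiple uses" option). The secret used for the self-check is the RFC 6238 test-vector key, not a key from this post; the `TotpVerifier` class and its method names are this example's own.

```python
import base64
import hashlib
import hmac
import struct
from typing import Optional

TIME_STEP = 30   # seconds each token is valid, the default quoted above
DIGITS = 6       # six-digit verification codes, as shown by the app


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at_time: int, step: int = TIME_STEP, digits: int = DIGITS) -> str:
    """RFC 6238 TOTP: HOTP with the counter set to floor(unix_time / step)."""
    return hotp(secret, int(at_time) // step, digits)


def decode_base32_secret(key: str) -> bytes:
    """The 'Your new secret key' string is base32; re-add padding so the stdlib decoder accepts it."""
    key = key.strip().replace(" ", "").upper()
    return base64.b32decode(key + "=" * (-len(key) % 8))


def matching_counter(secret: bytes, candidate: str, at_time: int, skew_steps: int = 1) -> Optional[int]:
    """Return the counter whose code equals `candidate` within +/- skew_steps of now, else None.

    skew_steps=1 is the default "one extra token before and after" window (3 codes, 1:30 total);
    skew_steps=4 would be the widened ~4 minute window offered by the setup questions.
    """
    center = int(at_time) // TIME_STEP
    for offset in range(-skew_steps, skew_steps + 1):
        counter = center + offset
        # constant-time comparison so the check does not leak how many digits matched
        if hmac.compare_digest(hotp(secret, counter), candidate):
            return counter
    return None


class TotpVerifier:
    """Hypothetical stateful verifier mirroring the module's replay protection.

    With disallow_reuse=True a counter that has already been accepted (or any earlier one)
    is rejected, so a code captured from a previous login cannot be replayed within its window.
    """

    def __init__(self, secret: bytes, skew_steps: int = 1, disallow_reuse: bool = True):
        self.secret = secret
        self.skew_steps = skew_steps
        self.disallow_reuse = disallow_reuse
        self.last_counter: Optional[int] = None   # the module persists this in .google_authenticator

    def verify(self, candidate: str, at_time: int) -> bool:
        counter = matching_counter(self.secret, candidate, at_time, self.skew_steps)
        if counter is None:
            return False
        if self.disallow_reuse and self.last_counter is not None and counter <= self.last_counter:
            return False
        self.last_counter = counter
        return True


if __name__ == "__main__":
    # Constructed demo: the RFC 6238 test-vector secret, base32-encoded as the app would store it.
    demo_key = base64.b32encode(b"12345678901234567890").decode()
    secret = decode_base32_secret(demo_key)
    v = TotpVerifier(secret)
    code = totp(secret, 59)                      # counter 1
    print("code at t=59:", code)                 # 287082
    print("first use accepted:", v.verify(code, 59))
    print("replay at t=75 rejected:", not v.verify(code, 75))
    print("next step accepted:", v.verify(totp(secret, 89), 89))
```

The skew window is why the ntpd step above matters: with the server clock more than 30 seconds off, every code the phone shows falls outside the accepted counters and logins fail even though both sides share the right secret.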
Now you need to enable Google Authenticator for SSH logins. Open PAM's configuration file for sshd:
vi /etc/pam.d/sshd
And add the following line at the top, so the code is checked in addition to the existing password authentication:
auth required pam_google_authenticator.so
Open the SSH configuration file (/etc/ssh/sshd_config) and make sure the 'ChallengeResponseAuthentication' line is set to yes, otherwise sshd will never present the PAM prompt:
ChallengeResponseAuthentication yes
Save your changes and restart the SSH service:
service sshd restart
Now, every time you log into your server over SSH, you will be prompted for the verification code displayed in the Google Authenticator app as well as your password:
login as:
Verification code:
Password: