Google Two-Factor Authentication

Secure your SSH server login with Google Authenticator

  1. Floren
    Google Authenticator provides a pluggable authentication module (PAM) that generates one-time passcodes using open standards developed by the Initiative for Open Authentication (OATH). When compiled with the qrencode development library, Google Authenticator can display the generated QR code directly in the terminal. A mobile passcode generator application is available for all major mobile platforms.

    Install Procedure
    Install the needed libraries:
    Set the proper SELinux permissions:
    Make sure that the ChallengeResponseAuthentication setting is enabled:
    Open the /etc/pam.d/sshd file with your favorite text editor and insert the following lines:
    auth      required user=root secret=/var/lib/google-authenticator/${USER}
    auth      required
    Restart the sshd service:
    You will have to restart the sshd service every time you change the /etc/pam.d/sshd configuration file.

    User Token
    To generate authentication tokens, the user will log in to the server and run:
    The user will have to advise the server administrator every time a new code is generated.
    Next, the server administrator will secure the user's data as root:
    Once the procedure is completed, the user can start using the two-step authentication.

    Setting an SSH key will completely bypass the two-step validation process. Personally, I find this ideal. For example, in my office I have set SSH keys for every development server I work with so I don't need to enter any fancy information. Accessing the servers from a location where no SSH keys are installed will force the user to perform the two-factor validation, which makes the login process very secure.
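One way to check the setup described in the guide above, including the point that an SSH key login skips the one-time passcode (an added example, not part of the original guide or of the Google Authenticator project). It assumes the module file is the upstream `pam_google_authenticator.so`, whose name is missing from the PAM line above, and uses the real sshd_config options `UsePAM`, `PubkeyAuthentication`, `AuthenticationMethods` and the module's `nullok` flag, none of which the guide mentions; the finding codes and sample files are constructed.

```python
MODULE = "pam_google_authenticator.so"   # assumed upstream module file name
ALIAS = {"challengeresponseauthentication": "kbdinteractiveauthentication"}

def sshd_options(text):
    """Global sshd_config options; sshd keeps the first value given for a keyword."""
    opts = {}
    for raw in text.splitlines():
        parts = raw.strip().split(None, 1)
        if len(parts) < 2 or parts[0].startswith("#"):
            continue
        key = parts[0].lower()
        if key == "match":               # conditional blocks are not evaluated here
            break
        opts.setdefault(ALIAS.get(key, key), parts[1].strip().lower())
    return opts

def otp_pam_rule(text):
    """Return (control, args) of the first auth rule loading the OTP module, or None."""
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        idx = next((i for i, f in enumerate(fields) if f.endswith(MODULE)), None)
        if idx is not None and idx >= 2 and fields[0].lstrip("-") == "auth":
            return " ".join(fields[1:idx]), fields[idx + 1:]
    return None

def audit(sshd_config, pam_sshd):
    """Return finding codes for the two files, given as text."""
    opts, findings = sshd_options(sshd_config), []
    if opts.get("kbdinteractiveauthentication") != "yes":   # not explicitly enabled
        findings.append("challenge-response-not-enabled")
    if opts.get("usepam") != "yes":      # without UsePAM sshd never consults PAM
        findings.append("usepam-not-enabled")
    rule = otp_pam_rule(pam_sshd)
    if rule is None:
        findings.append("otp-module-missing")
    else:
        control, args = rule
        if control not in ("required", "requisite"):
            findings.append("otp-module-not-mandatory")
        if "nullok" in args:             # users without a secret file skip the OTP
            findings.append("nullok-allows-login-without-otp")
    methods = opts.get("authenticationmethods", "any")
    key_alone = methods == "any" or "publickey" in methods.split()
    if opts.get("pubkeyauthentication", "yes") == "yes" and key_alone:
        findings.append("publickey-login-skips-otp")
    return findings

# Constructed sample files matching the setup in the guide.
SSHD_SAMPLE = "UsePAM yes\nChallengeResponseAuthentication yes\nPubkeyAuthentication yes\n"
PAM_SAMPLE = "auth required " + MODULE + " user=root secret=/var/lib/google-authenticator/${USER}\n"

if __name__ == "__main__":
    print(audit(SSHD_SAMPLE, PAM_SAMPLE))
```

For the sample files the only finding is `publickey-login-skips-otp`, the behaviour the guide describes; adding `AuthenticationMethods publickey,keyboard-interactive` to sshd_config makes key logins require the passcode as well.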

Recent Updates

  1. Authentication Bypass

Recent Reviews

  1. MattW
    Set up and working perfectly. Many thanks for this guide