How to set up 2-Factor Authentication for SSH
First, add the Extra Packages for Enterprise Linux (EPEL) repository.
NOTE: After you run the command, it will ask for confirmation; type "y" and press Enter.
yum install https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm
Output:
Running transaction
Preparing : 1/1
Installing : epel-release-7-12.noarch 1/1
Running scriptlet: epel-release-7-12.noarch 1/1
Verifying : epel-release-7-12.noarch 1/1
Installed:
epel-release-7-12.noarch
Complete!
Next, install the Google Authenticator PAM (Pluggable Authentication Module).
NOTE: After you run the command, it will ask for confirmation; type "y" and press Enter.
yum install google-authenticator
Output:
Running transaction
Preparing : 1/1
Installing : google-authenticator-1.04-1.el7.x86_64 1/1
Running scriptlet: google-authenticator-1.04-1.el7.x86_64 1/1
Verifying : google-authenticator-1.04-1.el7.x86_64 1/1
Installed:
google-authenticator-1.04-1.el7.x86_64
Complete!
Now run google-authenticator to initialize it for the user who will log in over SSH.
google-authenticator
NOTE: After you run the command, it will ask some questions; answer them as shown below.
Do you want authentication tokens to be time-based (y/n) y
Do you want me to update your "/home/sammy/.google_authenticator" file (y/n) y
Do you want to disallow multiple uses of the same authentication
token? This restricts you to one login about every 30s, but it increases
your chances to notice or even prevent man-in-the-middle attacks (y/n) y
By default, tokens are good for 30 seconds. In order to compensate for
possible time-skew between the client and the server, we allow an extra
token before and after the current time. If you experience problems with
poor time synchronization, you can increase the window from its default
size of +-1min (window size of 3) to about +-4min (window size of 17 acceptable tokens).
Do you want to do so? (y/n) n
If the computer that you are logging into isn't hardened against brute-force
login attempts, you can enable rate-limiting for the authentication module.
By default, this limits attackers to no more than 3 login attempts every 30s.
Do you want to enable rate-limiting (y/n) y
NOTE: After the first question you will get a secret key. Make a note of it; it will be used to set up the mobile app.
Sample secret key:
Your new secret key is: LFD2SLJ3R7CPKIC4CJAVMM63OE
Your verification code is 470491
Your emergency scratch codes are:
86717873
55870569
77629708
22797719
23075062
Now configure OpenSSH.
Open the PAM configuration file for sshd.
nano /etc/pam.d/sshd
Find the line auth substack password-auth and comment it out.
#auth substack password-auth
Then add the following content at the bottom of the file and save it.
# Used with polkit to reauthorize users in remote sessions
-session optional pam_reauthorize.so prepare
auth required pam_google_authenticator.so nullok
Next, open the sshd configuration file.
nano /etc/ssh/sshd_config
Find the ChallengeResponseAuthentication lines, comment out the "no" line and uncomment the "yes" line.
# Change to no to disable s/key passwords
ChallengeResponseAuthentication yes
#ChallengeResponseAuthentication no
Then add the following lines at the bottom of the file and save it.
# Added by DigitalOcean build process
ClientAliveInterval 120
ClientAliveCountMax 2
AuthenticationMethods publickey,password publickey,keyboard-interactive
Restart the SSH service so the new configuration takes effect.
systemctl restart sshd.service
Set up the Google Authenticator mobile app.
- Download Google Authenticator from the Play Store.
- Open the app and select the Add button.
- Select the Enter a provided key option.
- Enter an account name and the secret key you received earlier, and select Time-based.
- Tap ADD.
NOTE: When you log in to your server, it will ask for a verification code. Enter the code shown in the Google Authenticator app.
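The questions google-authenticator asks above (time-based tokens, a 30-second step, a window of accepted tokens, and refusing to accept the same token twice) describe a standard RFC 6238 TOTP setup. The following is an added example written for this page, not code from the guide or from the google-authenticator project: it derives the 6-digit code from a base32 secret like the one shown above and implements a verifier that mirrors the window and disallow-reuse options. Secret values, timestamps and the class name TotpVerifier are assumed for illustration.

```python
import base64
import hashlib
import hmac
import struct
import time


def totp(secret_b32, unix_time, step=30, digits=6):
    """RFC 6238 TOTP: HMAC-SHA1 over the 30-second counter, dynamically truncated."""
    # google-authenticator prints the secret without base32 padding; restore it.
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)
    key = base64.b32decode(padded)
    counter = int(unix_time) // step
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return "%0*d" % (digits, code % (10 ** digits))


class TotpVerifier:
    """Server-side check modelled on the prompts in the guide:
    window_size=3 accepts the current step plus one step before and after,
    disallow_reuse rejects a code whose time step was already consumed."""

    def __init__(self, secret_b32, window_size=3, disallow_reuse=True, step=30):
        self.secret = secret_b32
        self.step = step
        self.half_window = window_size // 2
        self.disallow_reuse = disallow_reuse
        self.used_counters = set()  # assumption: in-memory replay record

    def verify(self, code, unix_time):
        now = int(unix_time) // self.step
        for counter in range(now - self.half_window, now + self.half_window + 1):
            expected = totp(self.secret, counter * self.step, self.step)
            if hmac.compare_digest(expected, code):
                if self.disallow_reuse:
                    if counter in self.used_counters:
                        return False  # replay of an already-used token
                    self.used_counters.add(counter)
                return True
        return False


if __name__ == "__main__":
    # Constructed demo using the sample secret printed by the guide.
    secret = "LFD2SLJ3R7CPKIC4CJAVMM63OE"
    print("current code:", totp(secret, time.time()))
```

Note that the PAM line in the guide uses nullok, which lets users who have not yet run google-authenticator log in without a code; remove it once every account has been enrolled.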