{{tag>[security centos6.5 2fa]}}
=====Google Authenticator for SSH=====
... on CentOS 6.5
====Install required packages====
  yum install gcc gcc++ pam-devel subversion python-devel git

====Clone the source code====
  mkdir /root/google-authenticator; cd /root/google-authenticator
  git clone https://code.google.com/p/google-authenticator/

====Compile and install pam library====
  cd google-authenticator/libpam/ 
  make && make install

====Configure SSHd====
<code>vi /etc/ssh/sshd_config

PubkeyAuthentication no
PasswordAuthentication yes
ChallengeResponseAuthentication yes
UsePAM yes 

# GSSAPI options
GSSAPIAuthentication no
GSSAPICleanupCredentials yes
#GSSAPIStrictAcceptorCheck yes
#GSSAPIKeyExchange no</code>
====Configure PAM SSHd====
  vi /etc/pam.d/sshd
  
  #add at top
  auth [success=1 default=ignore] pam_access.so accessfile=/etc/security/access-local.conf
  auth   required        pam_google_authenticator.so nullok secret=/home/${USER}/.ssh/.google_authenticator
  
====Edit /etc/security/access-local.conf====
Don't use Google Authenticator for local subnet 192.168.1.0/24
<code>
vi /etc/security/access-local.conf
+ : ALL : 192.168.1.0/24
+ : ALL : LOCAL
- : ALL : ALL
</code>             

====Configure Google Authenticator for user====
Read and answer the yes/no questions. After setup, the user will have a .google_authenticator file in the home directory. 

The command will also create a URL and/or a QR code. With Google Authenticator on your mobile phone, capture the QR. It will create a new account automatically.

  google-authenticator
    
  mv /home/${USER}/.google_authenticator /home/${USER}/.ssh/.google_authenticator

  restorecon -Rv /home/${USER}
====Restart SSHD====
  service sshd restart