Google Authenticator for SSH
… on CentOS 6.5
Install required packages
yum install gcc gcc-c++ pam-devel subversion python-devel git
Clone the source code
mkdir /root/google-authenticator; cd /root/google-authenticator
git clone https://code.google.com/p/google-authenticator/
Compile and install pam library
cd google-authenticator/libpam/
make && make install
Configure SSHd
vi /etc/ssh/sshd_config
PubkeyAuthentication no
PasswordAuthentication yes
ChallengeResponseAuthentication yes
UsePAM yes
# GSSAPI options
GSSAPIAuthentication no
GSSAPICleanupCredentials yes
#GSSAPIStrictAcceptorCheck yes
#GSSAPIKeyExchange no
Configure PAM SSHd
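vi /etc/pam.d/sshd
#add at top
# if pam_access allows the client (see access-local.conf), skip the next module
auth [success=1 default=ignore] pam_access.so accessfile=/etc/security/access-local.conf
# nullok: users without a secret file are not asked for a code
auth required pam_google_authenticator.so nullok secret=/home/${USER}/.ssh/.google_authenticator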
Edit /etc/security/access-local.conf
Skip Google Authenticator for connections from the local subnet 192.168.1.0/24:
vi /etc/security/access-local.conf
+ : ALL : 192.168.1.0/24
+ : ALL : LOCAL
- : ALL : ALL
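The following Python sketch is an added illustration, not part of the original page or of the PAM project: it models how the access file and the `[success=1 default=ignore]` jump decide whether a client is asked for a verification code. It assumes only ALL, LOCAL and IP/CIDR origins, treats LOCAL as "no remote host", and the function names, the user "alice" and the sample addresses are constructed.

```python
import ipaddress

# Constructed copy of the access-local.conf shown on this page.
ACCESS_LOCAL_CONF = """\
+ : ALL : 192.168.1.0/24
+ : ALL : LOCAL
- : ALL : ALL
"""

def parse_rules(text):
    """Parse 'permission : users : origins' lines into tuples."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        perm, users, origins = (f.strip() for f in line.split(":", 2))
        if perm not in ("+", "-"):
            raise ValueError("bad permission field: %r" % perm)
        rules.append((perm == "+", users.split(), origins.split()))
    return rules

def origin_matches(token, rhost):
    """Assumption: only ALL, LOCAL and IP/CIDR origins are modelled."""
    if token == "ALL":
        return True
    if token == "LOCAL":  # simplification: login with no remote host
        return not rhost
    if not rhost:
        return False
    try:
        return ipaddress.ip_address(rhost) in ipaddress.ip_network(token, strict=False)
    except ValueError:  # hostnames and tty names are not modelled
        return False

def access_granted(rules, user, rhost):
    """First matching rule decides; no match means access is granted."""
    for permit, users, origins in rules:
        user_ok = "ALL" in users or user in users
        if user_ok and any(origin_matches(o, rhost) for o in origins):
            return permit
    return True

def totp_required(conf_text, user, rhost):
    """pam_access success skips the next module (success=1), which is
    pam_google_authenticator.so; any other result falls through to it."""
    return not access_granted(parse_rules(conf_text), user, rhost)
```

Because the first matching rule wins, placing `- : ALL : ALL` above the subnet line makes every client get the code prompt, while a stray `+ : ALL : ALL` disables the prompt for everyone; running a proposed access file through `totp_required` before deploying it catches both.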
Configure Google Authenticator for user
Read and answer the yes/no questions. After setup, the user will have a .google_authenticator file in the home directory.
The command also prints a URL and/or a QR code. Scan the QR code with the Google Authenticator app on your mobile phone; the app creates a new account automatically.
google-authenticator
# move the secret to the path given by secret= in /etc/pam.d/sshd
mv /home/${USER}/.google_authenticator /home/${USER}/.ssh/.google_authenticator
restorecon -Rv /home/${USER}
Restart SSHD
service sshd restart
2_factor_ssh_authentication_with_google_authenticator.txt · Last modified: 2021/10/09 15:14 by 127.0.0.1