Status: This OS is no longer supported
This article, “How to secure your SSH using two-step authentication on CentOS 6,” covers a version of CentOS that reached end of life (EOL). The developing company no longer supports it. As such, we no longer maintain this guide. If you are currently operating a server running CentOS 6, we highly recommend contacting RoseHosting’s fully managed support. They can upgrade or migrate you to a supported version of AlmaLinux.

In today’s blog article, we will explain how to install Google Authenticator from source and configure SSH for two-factor authentication.
Installation Steps
First of all, update your CentOS virtual server
yum -y update
Next, install the ‘pam-devel‘ package, which allows you to set authentication policies without having to recompile programs that handle authentication.
yum -y install pam-devel
Ensure that ntpd is installed and running, because TOTP security tokens are time-sensitive
yum -y install ntp
/etc/init.d/ntpd start
chkconfig ntpd on
Download and unpack the Google Authenticator package
cd /opt/
wget https://google-authenticator.googlecode.com/files/libpam-google-authenticator-1.0-source.tar.bz2
tar -xvjf libpam-google-authenticator-1.0-source.tar.bz2
cd libpam-google-authenticator-1.0
Compile and install the Google Authenticator module
make
make install
Now, run the Google Authenticator on your server and answer each of the questions
google-authenticator

Do you want authentication tokens to be time-based (y/n) y
https://www.google.com/chart?chs=200x200&chld=M|0&cht=qr&chl=otpauth://totp/root@YOURHOSTNAME%3Fsecret%3DWYD4YCGEE5N4M3LA
Your new secret key is: WYD4YCGEE5N4M3LA
Your verification code is 188127
Your emergency scratch codes are:
  60086389
  28918071
  88502143
  60873576
  90892542

Do you want me to update your "/root/.google_authenticator" file (y/n) y

Do you want to disallow multiple uses of the same authentication
token? This restricts you to one login about every 30s, but it increases
your chances to notice or even prevent man-in-the-middle attacks (y/n) y

By default, tokens are good for 30 seconds and in order to compensate for
possible time-skew between the client and the server, we allow an extra
token before and after the current time. If you experience problems with poor
time synchronization, you can increase the window from its default
size of 1:30min to about 4min. Do you want to do so (y/n) y

If the computer that you are logging into isn't hardened against brute-force
login attempts, you can enable rate-limiting for the authentication module.
By default, this limits attackers to no more than 3 login attempts every 30s.
Do you want to enable rate-limiting (y/n) y
Open the URL given after answering the first question and scan the QR code using the Google Authenticator application on your smartphone. That’s all. The system generates a new verification code every 30 seconds.
Now you will need to enable Google Authenticator for SSH logins. Open PAM’s configuration file
vi /etc/pam.d/sshd
And add the following line at the top.
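auth required pam_google_authenticator.so
Then enable challenge-response authentication in the SSH daemon configuration file, /etc/ssh/sshd_config:
ChallengeResponseAuthentication yes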
Save the changes and restart the SSH service:
service sshd restart
After the restart, an SSH login prompts for the verification code before the password:
login as:
Verification code:
Password:
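The two configuration edits above can be verified after the fact. The script below is an added example, not part of the original guide; the function names and the constructed sample files are assumptions, and it relies on sshd using the first value it reads for each keyword, so an earlier "no" line overrides a "yes" added below it.

```shell
#!/bin/sh
# Added example (not from the original guide): audit the two edits made above.

# PAM: the first active auth line must be the required Google Authenticator module.
check_pam() {
    awk '$1 == "auth" || $1 == "-auth" {
             ok = ($2 == "required" && $3 ~ /(^|\/)pam_google_authenticator\.so$/)
             exit
         }
         END { exit !ok }' "$1"
}

# sshd_config: keywords are case-insensitive, values are not, and sshd keeps the
# FIRST value it reads. Only the global section (before any Match block) counts.
check_sshd() {
    awk 'tolower($1) == "match" { exit }
         tolower($1) == "challengeresponseauthentication" { v = $2; exit }
         END { exit (v != "yes") }' "$1"
}

# audit [PAM_FILE] [SSHD_CONFIG]: defaults are the files this guide edits.
audit() {
    rc=0
    check_pam "${1:-/etc/pam.d/sshd}" ||
        { echo "FAIL: pam_google_authenticator.so is not the first required auth line"; rc=1; }
    check_sshd "${2:-/etc/ssh/sshd_config}" ||
        { echo "FAIL: effective ChallengeResponseAuthentication is not yes"; rc=1; }
    [ "$rc" -eq 0 ] && echo "OK: PAM and sshd are both set for verification codes"
    return "$rc"
}

# Constructed sample files, not taken from a real server.
demo_dir=$(mktemp -d)
printf '%s\n' '#%PAM-1.0' 'auth required pam_google_authenticator.so' \
    'auth include password-auth' > "$demo_dir/pam_ok"
printf '%s\n' 'ChallengeResponseAuthentication no' \
    'ChallengeResponseAuthentication yes' > "$demo_dir/sshd_shadowed"
audit "$demo_dir/pam_ok" "$demo_dir/sshd_shadowed" || echo "(expected: the earlier no wins)"
rm -rf "$demo_dir"
```

Run `audit` with no arguments on the server to check /etc/pam.d/sshd and /etc/ssh/sshd_config themselves.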
Of course, if you are one of our Linux VPS Hosting customers, you don’t have to do any of this; ask our admins, sit back, and relax. Our admins will set this up for you immediately. For updates, you can refer to Secure SSH using two-factor authentication on Ubuntu 16.04.
First of all, I must say that your tutorials are always the best and to the point. Really enjoy them!
I am facing some difficulties when I try to configure Google auth with SSH keys instead of plain text passwords. Are there some settings in ….pam.d/ssh that I need to configure in order to get this to work, order perhaps? Or is it just the SSH configuration file?
Thanks
You can check: https://wiki.archlinux.org/index.php/SSH_keys#Two-factor_authentication_and_public_keys
Please note, the AuthenticationMethods option will not work on CentOS 6 because it comes with OpenSSH 5.X and the AuthenticationMethods option is new to OpenSSH 6.2.
Thank you man, that was very, very helpful. Keep up the good work.