This article explains how to add Google Authenticator to your centos 7 system to enable double authentication for ssh to improve the security of ssh services when logging in with a password.

1. Install Google Authenticator on Linux

First we need to enable the epel repository

1

yum install epel-release

Install the relevant dependency libraries.

1

yum install pam-devel

Install google authenticator.

1
2
3
4

# View version information
yum list google-authenticator
# install
yum install google-authenticator

After the installation is complete, initialize the configuration by running the following command directly to start the initial configuration.

1

google-authenticator

The QR code generated during the initialization process needs to be scanned by the mobile client’s google authenticator app. Then it can be added to a dynamic password that changes once every 30s.

There is also a generated emergency scratch codes remember to save carefully, this is used for emergency login when the phone is lost.

Other options according to their needs to choose, do not know, then the default choice y can be.

2. Enable google authentication for ssh

1

echo "auth required pam_google_authenticator.so" >> /etc/pam.d/sshd

Modify the ssh configuration file /etc/ssh/sshd_config and adjust the following parameters to yes.

1

ChallengeResponseAuthentication yes

Finally, we just restart the ssh service.

1

systemctl restart sshd

3. Effect

After reboot, if you need to use the password again for ssh login, you need to enter the Google Authentication Code before you can enter the password again.

1
2

Verification code:
Password: