
Configuring two-factor authentication in SSH using Google Authenticator on Centos 6

The SSH service is the most common target of password-guessing attacks: you have only just started your server, and after a few hours the logs already show connection attempts from unknown IP addresses. To reduce the number of attempts, we recommend changing the port number in the sshd settings right away. And of course, set a password of adequate complexity, using upper- and lower-case letters, digits and symbols.

On Linux servers you usually need to remember two passwords: one for the regular user and one for root. If there are several servers, people usually turn to applications that store session settings (host, login and password), which is perfectly fine until an attacker gains access to your workstation. Infected sites, software and so on exist in any case, so you cannot be completely sure that this data is safe and accessible only to you. There is a solution for this case: two-factor authentication. In addition to the login and password, an application on your phone is added which, based on the current time and a unique key, generates a numeric verification code. After entering the login and password you will be prompted for the verification code, which you read from the Google Authenticator application.

Install the necessary packages (on CentOS 6 the google-authenticator package is provided by the EPEL repository, which must be enabled first):

yum install pam pam-devel google-authenticator 

Install the mobile application


Settings

It is better to disable direct root login in the sshd settings, so if you have just started setting up a new server, create a user, set a password for it and switch to it:

adduser username
passwd username
su username

Run the following command as the user for whom you are setting up two-factor authentication:

google-authenticator

Press y at the first prompt asking whether you want to update the ~/.google_authenticator file. When you are asked whether to disallow reuse of a code, press y again so that a code you have already used cannot be used by anyone else. For the remaining parameters press y as well, since all of them make this software more secure.

Make sure you copy the secret key and the emergency recovery codes onto a piece of paper. Keep this information offline: even if someone finds it, they would still need to know the host, username and password to log in.

Now configure PAM so that all our settings apply to the SSH service. These actions must be done as the root user:

vi /etc/pam.d/sshd

Add lines to the very beginning of the file to look like this:

#%PAM-1.0
auth required pam_unix.so no_warn try_first_pass
auth required pam_google_authenticator.so

Leave the rest of the lines that were already in the file below these two, unchanged. Save the file and move on to configuring the SSH service.

vi /etc/ssh/sshd_config

Find the "ChallengeResponseAuthentication no" line and change "no" to "yes" (UsePAM must also be set to yes, which is the default on CentOS). Save the changes and restart the service.

service sshd restart

Now configure the application on your mobile device. Find the "manually enter the key" option and tap it. Enter the secret key you wrote down earlier and save. The application now shows the code that you will need to type in the Verification code field after entering your password.
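The configuration steps above, as an added example that is not from the original article: a small POSIX shell helper that applies the ChallengeResponseAuthentication change to an sshd_config idempotently (it also handles the commented-out default line), reads back the effective value, and checks that a PAM service file carries the pam_google_authenticator.so line. The function names and the demo file contents are my own assumptions.

```shell
#!/bin/sh
# Added example (not part of the original article). Function names are my own.

# set_sshd_option FILE KEY VALUE
# Idempotently set KEY to VALUE in an sshd_config-style file: the first active
# or commented-out occurrence is replaced, otherwise the line is appended.
set_sshd_option() {
    file=$1; key=$2; value=$3
    tmp="$file.tmp.$$"
    awk -v k="$key" -v v="$value" '
        BEGIN { done = 0 }
        # sshd keys are case-insensitive; also catch "#Key ..." default lines
        !done && tolower($0) ~ "^[ \t]*#?[ \t]*" tolower(k) "([ \t]|=|$)" {
            print k " " v; done = 1; next
        }
        { print }
        END { if (!done) print k " " v }
    ' "$file" > "$tmp" && mv "$tmp" "$file"
}

# get_sshd_option FILE KEY
# Print the effective value: sshd uses the first uncommented occurrence.
get_sshd_option() {
    awk -v k="$2" 'tolower($1) == tolower(k) { print $2; exit }' "$1"
}

# pam_has_otp FILE
# Succeed (exit 0) if a PAM service file requires pam_google_authenticator.so
# in its auth stack, as /etc/pam.d/sshd and /etc/pam.d/su should after the edit.
pam_has_otp() {
    grep -Eq '^[[:space:]]*auth[[:space:]]+required[[:space:]]+pam_google_authenticator\.so' "$1"
}

# Constructed demo on a scratch copy; point it at /etc/ssh/sshd_config only
# once you are satisfied with the result and have a second session open.
demo() {
    f=$(mktemp)
    printf '#ChallengeResponseAuthentication no\nUsePAM yes\n' > "$f"
    set_sshd_option "$f" ChallengeResponseAuthentication yes
    get_sshd_option "$f" ChallengeResponseAuthentication   # prints: yes
    rm -f "$f"
}

demo
```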

Modifications:

  • Change input sequence:

We deliberately set the sequence login, then password, then verification code. If you want to enter the code from the application first and then the password, simply delete the first of the two added lines (the pam_unix.so line) so that the file looks like this:

#%PAM-1.0
auth required pam_google_authenticator.so

  • Two-factor authentication when logging in as root:

For example, you want to log into the server as a regular user with a username and password, and when you run the su command, enter the root password and then the code from the application. Run google-authenticator as root, just as you did before. Set up the mobile application with the new key and then add to the file:

vi /etc/pam.d/su

at the very beginning of the file:

#%PAM-1.0
auth required pam_unix.so no_warn try_first_pass
auth required pam_google_authenticator.so

Done; the service does not need to be restarted. Now when you try to switch to root with su, the command will ask for a verification code from the application.

P.S. We recommend checking the result from a second SSH session: if something goes wrong, you still have an open session in which to go back and fix it.
