How to set up 2FA on your CentOS server
Recently, I was looking into (casually, as an experiment) setting up two-factor authentication on CentOS 7, using Google Authenticator. All of the articles out there right now are kind of out of date, though, so I figured I’d walk through the process from an “it worked for me” perspective so that everyone has an updated reference in 2016. This is documented both through Asciinema and text-based instructions below. Hope it’s useful!
First, we’ll need a couple of prerequisite packages. Go ahead and run the following commands to make sure that you’re all ready to go (the ntp package’s service unit on CentOS 7 is called ntpd, not ntp):

yum groupinstall "Development Tools" -y
yum install pam-devel ntp -y
systemctl start ntpd
systemctl enable ntpd
Once you’ve got those packages installed, it’s time to start. First, download the latest revision of the Google Authenticator code from https://github.com/google/google-authenticator/archive/master.zip and unzip it. Go into the “libpam” folder and run the following commands:
./bootstrap.sh
./configure
make && make install

This should all be completely noninteractive. Once it’s done, you’ll need to copy /usr/local/lib/security/pam_google_authenticator.so to /usr/lib64/security/pam_google_authenticator.so, because /usr/lib64/security is where PAM on CentOS 7 looks for its modules.
At this point, you can set up 2FA for any user that needs it by opening up a shell session as them and typing “google-authenticator”. This will bring up an interactive dialog that will generate a QR code for you (yes, in your shell session!) as well as a link that you can follow if you don’t like QR codes. It also will ask you some questions about your 2FA preferences; I answered “yes” to almost all of the questions, and would in general recommend you do the same.
Open up /etc/pam.d/sshd, and add the following line after the line “auth substack password-auth”:
auth required pam_google_authenticator.so nullok
I use the “nullok” option so that accounts which haven’t set up 2FA can still log in; for example, if you have third party clients that need access to a server, they may not want to set up 2FA on their end. This is a nice compromise that lets users decide about this on an individual level.

Adding the line at that position means the system will prompt you for your authenticator code after your password, which makes logical sense to me. Really, you can put it wherever you find it most convenient, though.
Open /etc/ssh/sshd_config, and change the “ChallengeResponseAuthentication” option to “yes” (or uncomment it if it’s commented out).
Finally, run “systemctl reload sshd”, and give it a try in a separate shell session (keep your current session open so you can fix things if the login fails)! If it works, great — you’ve got yourself a working system. This will work fine for SFTP, SSH, or SCP connections, which is really nice.
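Before reloading sshd it is worth checking the three pieces the steps above put in place: the copied module, the position of the PAM line, and the effective ChallengeResponseAuthentication value. The script below is an added example written for this article, not code from the post or from the google-authenticator project. It takes file paths as arguments so it can be run against the real files or against copies; the only assumptions are the paths named in the post, and the fact that sshd honours the first uncommented occurrence of a keyword in sshd_config, so a “yes” appended at the bottom of the file loses to an earlier “no”.

```shell
#!/bin/sh
# Added example: sanity checks for the 2FA setup described in the post.
# Paths are passed in so the functions can be run against the live files
# or against constructed copies.

# Print the effective value of a keyword in sshd_config. sshd uses the
# FIRST uncommented occurrence of a keyword, so this mirrors that rule.
sshd_effective() {
    # $1 = path to sshd_config, $2 = keyword (matched case-insensitively)
    awk -v key="$2" '
        /^[[:space:]]*#/ { next }                       # skip comment lines
        tolower($1) == tolower(key) { print $2; exit }  # first match wins
    ' "$1"
}

# Exit 0 if the google-authenticator "auth" line exists and comes after
# "auth substack password-auth"; 1 if it is missing; 2 if it is present
# but placed before the password stage (code would be asked first).
pam_order_ok() {
    # $1 = path to the PAM service file (e.g. /etc/pam.d/sshd)
    awk '
        /^[[:space:]]*#/ { next }
        $1 == "auth" && $2 == "substack" && $3 == "password-auth" { pw = NR }
        $1 == "auth" && $3 ~ /pam_google_authenticator\.so/      { ga = NR }
        END {
            if (!ga) exit 1
            if (pw && ga < pw) exit 2
            exit 0
        }
    ' "$1"
}

# Overall check: module copied, PAM line in place, challenge-response on.
# Returns 0 when everything looks right, 1 otherwise, printing what failed.
check_2fa_setup() {
    # $1 = PAM module path, $2 = PAM sshd file, $3 = sshd_config
    rc=0
    [ -f "$1" ] || { echo "missing PAM module: $1"; rc=1; }
    if pam_order_ok "$2"; then st=0; else st=$?; fi
    case $st in
        1) echo "pam_google_authenticator line not found in $2"; rc=1 ;;
        2) echo "pam_google_authenticator line is before password-auth in $2"; rc=1 ;;
    esac
    [ "$(sshd_effective "$3" ChallengeResponseAuthentication)" = "yes" ] \
        || { echo "ChallengeResponseAuthentication is not yes in $3 (first match wins)"; rc=1; }
    return $rc
}

# Against the live system, using the paths from the post:
# check_2fa_setup /usr/lib64/security/pam_google_authenticator.so \
#     /etc/pam.d/sshd /etc/ssh/sshd_config
```

Run it once before “systemctl reload sshd” and again from the second session after the reload. Note that these checks only confirm the module is wired in; with “nullok” an account that has never run google-authenticator still logs in with a password alone, so which accounts have enrolled remains a separate thing to review.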
If you need to uninstall, going back into the libpam directory and typing “make uninstall” should get rid of the binaries; you’ll still need to manually revert your changes to /etc/pam.d/sshd and remove /usr/lib64/security/pam_google_authenticator.so.