Install two step auth

Da Helpedia.


Step One: Install NTP

We need to keep time synchronized otherwise we will have major timing issues with the token. Run the following as root on the target system…

yum install ntp

Then set it to start automatically on server restart, sync the time and start the NTP daemon…

chkconfig ntpd on; ntpdate; /etc/init.d/ntpd start

Step Two: Install Google-Authentication PAM

Easy way

cd /tmp 
rpm -Uvh epel-release-6*.rpm
yum install google-authenticator

go to Step 3

Hard Way New

cd /tmp
bunzip2 libpam-google-authenticator-1.0-source.tar.bz2
tar xf libpam-google-authenticator-1.0-source.tar
cd libpam-google-authenticator-1.0
make install

Hard Way OLD

You will need to have EPEL repository enabled, so let’s get to installing our supporting frameworks and tools.

yum --enablerepo=epel install gcc gcc++ pam-devel subversion python-devel git

Now let’s make a directory for the authenticator files to work from…

mkdir /root/google-authenticator; cd /root/google-authenticator

And download Google Authenticator…

git clone

You will need to now switch into the directory to build it, this will most likely be a folder, on my system it was /root/google-authenticator/google-authenticator/libpam/

cd google-authenticator/libpam/

Then build it:

make && make install

If all goes well in the build you will have the new PAM module on your server.

Step Three: Setup PAM to use Google Authentication

Now we need to setup PAM for SSH to use the new module (use nano, use vi, vim… whatever you want really):

vi /etc/pam.d/sshd

Add the line:

auth required

Save the file.

Now edit the sshd_config file:

vi /etc/ssh/sshd_config

Uncomment the line:

ChallengeResponseAuthentication yes

Comment out:

#ChallengeResponseAuthentication no

Make sure that UsePAM is marked yes:

UsePAM yes

Now the next step is wholly at your discretion, you can fully disable PubkeyAuthentication or not. It is up to you, the administrator but personally I recommend continuing use of pubkey for trusted systems and Google Authenticator for untrusted systems or networks.

If you wish to do so, change PubkeyAuthentication to no and save the file.

Now, start a second SSH session because if something goes wrong, you can revert your changes to go back and fix it. This is your only warning! You will need a KVM if you made a mistake above or a control panel like Virtualmin to correct if you lock yourself out of SSH.

Restart your SSH daemon:

service sshd restart



You will see something like (shortened)…{linktogoogle}
Your new secret key is: {YOUR KEY}
Your verification code is: {YOUR CODE}
Your emergency scratch codes are:

You will answer each of the questions as best you can, I said yes to everything except increasing the window size for the code time.

Save the Emergency Scratch Codes somewhere you can find them, these are one-time use codes in the event your phone is unavailable. Not kidding here, save, print, something, anything, just save them.

In your browser go to the URL that you see in the screen, it will show you a QR Code you can scan on your iPhone, Android or Blackberry using the Google Authenticator application on your device.

If you haven’t installed the application yet, check your phone’s market or online store for Google Authenticator and install it; then start the application, create a new token on the phone and select Time Based.

For Account type your SSH line like normal (eg. root@hostname.tld or root@IP) and input your Secret Key into the Key field.

You can scan the barcode from the URL to make that all easier of course but best to know both ways.

Now, start a third SSH session and connect like normal to your server, you should be prompted for the one time code if you are not using pubkey along with your normal password, if you have pubkey enabled, you’ll go straight in as normal.

Each user whom connects via SSH will need to have their own token created, you will run google-authenticator under the respective user to get the codes and information for that particular user and the like, you only need to run authenticator and setup their token (phones) to get them setup.

Congratulations, you now have 2-factor authentication running for your server for SSH services!

Note: Google Authenticator and key based authentication are mutually exclusive, it’s one or the other essentially in authentication so a system with the key will not prompt whereas a system without will prompt your Google Authentication one-time password and password.


Il tutto funziona solo con SELINUX disabilitato. Per SELINUX occorre modificare i permessi con chcon

chcon -t ssh_home_t -R /root/.google_authenticator
Strumenti personali