How to Enable 2-Factor Authentication in CentOS 7/RHEL 7
CentOS is an enterprise-class Linux freeware distribution that is used worldwide. To protect SSH against brute-force attacks, we can add 2-factor authentication to increase its security. CentOS supports multiple 2-factor authentication methods, but this tutorial uses Google Authenticator.
Installation
Step 1:
First you need to install the Google Authenticator application on your mobile device or in your browser.
Step 2:
Install the EPEL repository on CentOS.
sudo yum install https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm
Step 3:
Once the repository is installed, the next step is to install Google Authenticator.
sudo yum install google-authenticator
Configuration
Step 1:
Configure Google Authenticator by running the command below as the user who will log in over SSH.
google-authenticator
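It will ask multiple questions; answer all of them with 'yes'. These questions concern security, and it is recommended to enable all of the security policies. Scan the QR code it displays with the application from the installation step, and store the emergency scratch codes in a safe place.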
Step 2:
Configure SSH. Open /etc/pam.d/sshd, add the line below at the bottom, and save the file.
auth required pam_google_authenticator.so
There is an option to add nullok at the end of that line. It is meant for servers where some users have not yet run the google-authenticator command and still need to log in via SSH. I prefer not to use that option and instead make sure everyone has run the command before configuring SSH to require 2FA.
Step 3:
Configure the sshd configuration file. Open /etc/ssh/sshd_config and replace the line below
ChallengeResponseAuthentication no
with
ChallengeResponseAuthentication yes
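Now restart the sshd service and you are good to go. Keep your current session open and test the login from a second terminal, so that a mistake in either file does not lock you out.
sudo systemctl restart sshd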
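To confirm that both edited files match the configuration steps above, a check like the following can be run as root. It is an added example, not part of the original tutorial: the function name check_ssh_2fa is hypothetical, nullok is treated as a failure to match the stricter setup preferred above, and it also checks UsePAM, which sshd needs set to yes before any PAM module is consulted.

```shell
#!/bin/sh
# Added example: audit the two files edited in this tutorial.
# check_ssh_2fa is a hypothetical helper name. Returns 0 only when every
# check passes. Simplification: Match blocks in sshd_config are not parsed.
check_ssh_2fa() {
    pam_file=${1:-/etc/pam.d/sshd}
    sshd_file=${2:-/etc/ssh/sshd_config}
    rc=0

    # First active (uncommented) auth line that loads the module.
    pam_line=$(grep -E '^[[:space:]]*auth[[:space:]]+[^#]*pam_google_authenticator\.so' "$pam_file" | head -n 1)
    if [ -z "$pam_line" ]; then
        echo "FAIL: pam_google_authenticator.so is not active in $pam_file"
        rc=1
    else
        case "$pam_line" in
            *required*|*requisite*) ;;
            *) echo "FAIL: module is not 'required': $pam_line"; rc=1 ;;
        esac
        case "$pam_line" in
            *nullok*) echo "FAIL: nullok lets users without a secret skip the code"; rc=1 ;;
        esac
    fi

    # sshd honours the first occurrence of a keyword; names are case-insensitive.
    for kw in ChallengeResponseAuthentication UsePAM; do
        val=$(awk -v k="$kw" 'tolower($1) == tolower(k) { print tolower($2); exit }' "$sshd_file")
        if [ "$val" != "yes" ]; then
            echo "FAIL: $kw is '${val:-not set}' in $sshd_file, expected 'yes'"
            rc=1
        fi
    done

    if [ "$rc" -eq 0 ]; then
        echo "OK: PAM and sshd settings match the tutorial"
    fi
    return "$rc"
}
# Usage on the server: check_ssh_2fa   (defaults to the real file paths)
```

Both arguments are optional, so the same function can be pointed at copies of the files before the changes are deployed.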