How to Enable 2-Factor Authentication in CentOS 7/RHEL 7?

CentOS is an enterprise-class, free Linux distribution that is used worldwide. To avoid brute-force attacks on SSH, we can add 2-factor authentication to increase its security. CentOS supports multiple 2-factor authentication methods, but for this tutorial we will be using Google Authenticator.

Installation

Step 1:

First you need to install the Google Authenticator application on your mobile or in your browser.

Step 2:

Install the EPEL repository in CentOS.

sudo yum install https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm

Step 3:

Once the repository is installed, the next step is to install Google Authenticator.

sudo yum install google-authenticator

Configuration

Step 1:

To configure Google Authenticator, run the command below as the user who will log in over SSH.

google-authenticator

It will ask multiple questions; answer all of them with 'yes'. These questions are for security, and it is recommended to enable all security policies.

Step 2:

Configure SSH. To do this, open /etc/pam.d/sshd, add the line below at the bottom, and save it.

auth required pam_google_authenticator.so

You can optionally add nullok at the end of that line. This lets users who have not yet run the google-authenticator command still log in to the server via SSH. I prefer not to use that option and instead make sure everyone has run the command before configuring SSH to require 2FA.

Step 3:

Configure the SSHD file. Open /etc/ssh/sshd_config and replace the line below

ChallengeResponseAuthentication no

with

ChallengeResponseAuthentication yes

 

Now restart the sshd service and you are good to go.

sudo systemctl restart sshd
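
The following check is an added example, not part of the original tutorial: shell functions that confirm the two edits from Configuration steps 2 and 3 are actually in effect. The function names are made up for this example, and it assumes sshd's documented behaviour of using the first occurrence of a keyword; it only inspects the global section of sshd_config, before any Match block.

```shell
#!/bin/sh
# Added example: audit the two files edited in Configuration steps 2 and 3.
# Function names are hypothetical; paths default to the ones in the tutorial.

# Print the effective global value of an sshd_config keyword.
# sshd uses the FIRST occurrence of a keyword, keywords are case-insensitive,
# and commented-out lines do not count. Stops at the first Match block.
sshd_effective() {  # $1 = keyword, $2 = sshd_config path
    awk -v k="$1" 'BEGIN { k = tolower(k) }
        /^[[:space:]]*#/       { next }
        tolower($1) == "match" { exit }
        tolower($1) == k       { print tolower($2); exit }' "$2"
}

# Classify the "auth required pam_google_authenticator.so" line from step 2:
#   enforced - active line present, no nullok
#   nullok   - active line present, but users without a secret skip the code
#   missing  - no active line (absent or commented out)
pam_ga_state() {  # $1 = PAM service file path
    line=$(grep -E '^[[:space:]]*auth[[:space:]]+required[[:space:]]+pam_google_authenticator\.so' "$1" | head -n 1)
    [ -n "$line" ] || { echo missing; return; }
    if printf '%s\n' "$line" | grep -qw nullok; then
        echo nullok
    else
        echo enforced
    fi
}

# Report both settings; succeed only when the code prompt is mandatory
# and ChallengeResponseAuthentication is effectively "yes".
audit_2fa() {  # $1 = PAM file (optional), $2 = sshd_config (optional)
    pam_file=${1:-/etc/pam.d/sshd}
    cfg=${2:-/etc/ssh/sshd_config}
    pam=$(pam_ga_state "$pam_file")
    cra=$(sshd_effective ChallengeResponseAuthentication "$cfg")
    echo "pam_google_authenticator: $pam"
    echo "ChallengeResponseAuthentication: ${cra:-unset}"
    [ "$pam" = enforced ] && [ "$cra" = yes ]
}
```

Source the file and run audit_2fa with no arguments (as root) to check the live files under /etc. Keep the session you are working in open until a second login has prompted for a verification code.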