Major service providers like Gmail, Dropbox, GitHub and Amazon Web Services encourage their users to use two-step authentication, as it is one of the safest ways to protect a user's login. I'm using this password add-on feature to SSH to my gateway server from the WAN so that I can access the other hosts in that network, and I think it is by far the safest solution.
First of all, you'll need these packages installed on the Linux machine:
- pam-devel (for CentOS / RHEL)
- libpam0g-dev (for Debian)

On CentOS / RHEL:

```
yum install pam-devel gcc make autoconf automake wget unzip libtool
```

Or, if you're on Debian:

```
apt-get install libpam0g-dev gcc make autoconf automake wget unzip libtool
```
Next, download google-authenticator from its GitHub page via git clone or wget. An example with wget:

```
wget https://github.com/google/google-authenticator/archive/master.zip
unzip master.zip
```
Compile the code

After the files are on the filesystem, we have to compile them:

```
cd google-authenticator-master/libpam/
./bootstrap.sh
./configure
make
make install
```

A successful make install will end with output like this:

```
# make install
cp pam_google_authenticator.so /lib64/security
cp google-authenticator /usr/local/bin
```
Now we need to configure google-authenticator: just run it and answer the questions with y/n according to your preferences. I've answered yes to all of them:

```
# google-authenticator
Do you want authentication tokens to be time-based (y/n) y
Your new secret key is: RSXXXXXXXXXXXXXX
Your verification code is 010101
Your emergency scratch codes are:
  XXXXXXXXX
  XXXXXXXXX
  XXXXXXXXX
  XXXXXXXXX
  XXXXXXXXX

Do you want me to update your "/root/.google_authenticator" file (y/n) y

Do you want to disallow multiple uses of the same authentication
token? This restricts you to one login about every 30s, but it increases
your chances to notice or even prevent man-in-the-middle attacks (y/n) y

By default, tokens are good for 30 seconds and in order to compensate for
possible time-skew between the client and the server, we allow an extra
token before and after the current time. If you experience problems with poor
time synchronization, you can increase the window from its default
size of 1:30min to about 4min. Do you want to do so (y/n) y

If the computer that you are logging into isn't hardened against brute-force
login attempts, you can enable rate-limiting for the authentication module.
By default, this limits attackers to no more than 3 login attempts every 30s.
Do you want to enable rate-limiting (y/n) y
```
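The questions above map directly onto how time-based one-time passwords work. The following is an added example, not code from the post or from the google-authenticator project: it implements TOTP as specified in RFC 6238 (HMAC-SHA1 over a 30-second time counter, 6 digits, which is what the Google Authenticator app computes from the base32 "secret key" shown above) and a small server-side verifier modelled on two of the options asked about: the skew window of one extra token before and after the current one, and "disallow multiple uses of the same authentication token". The secret used is the RFC 6238 reference secret (constructed input, not a real key), and `TotpVerifier` is a hypothetical class written for this illustration rather than the PAM module's own logic.

```python
import base64
import hashlib
import hmac
import struct
import time

STEP_SECONDS = 30   # token lifetime the google-authenticator prompt refers to
DIGITS = 6          # Google Authenticator displays 6-digit codes

# Constructed input: the RFC 4226 / RFC 6238 reference secret "12345678901234567890",
# base32-encoded the way google-authenticator prints "Your new secret key is: ...".
RFC_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def decode_secret(secret_b32: str) -> bytes:
    """Decode a base32 secret, tolerating lowercase, spaces and missing '=' padding."""
    s = secret_b32.strip().replace(" ", "").upper()
    return base64.b32decode(s + "=" * (-len(s) % 8))


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    # zfill keeps leading zeros, like the "010101" verification code in the prompt above
    return str(code % 10 ** digits).zfill(digits)


def totp(secret_b32: str, at: int, step: int = STEP_SECONDS) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step)."""
    return hotp(decode_secret(secret_b32), at // step)


class TotpVerifier:
    """Hypothetical server-side check modelled on the pam_google_authenticator
    options: accept the current time step plus `skew_steps` steps on either side,
    and, when `disallow_reuse` is set, never accept a time step at or before the
    last one that logged in successfully (one login per 30s step)."""

    def __init__(self, secret_b32, skew_steps=1, disallow_reuse=True, step=STEP_SECONDS):
        self.secret = decode_secret(secret_b32)
        self.skew_steps = skew_steps          # 1 -> 3 accepted codes, the "1:30min" default
        self.disallow_reuse = disallow_reuse
        self.step = step
        self.last_used = None                 # highest counter accepted so far

    def verify(self, code: str, now=None) -> bool:
        now = int(time.time()) if now is None else now
        current = now // self.step
        for delta in range(-self.skew_steps, self.skew_steps + 1):
            counter = current + delta
            if self.disallow_reuse and self.last_used is not None and counter <= self.last_used:
                continue    # replayed or stale token: refuse it
            if hmac.compare_digest(hotp(self.secret, counter), code):
                self.last_used = counter
                return True
        return False


if __name__ == "__main__":
    t = 1111111111  # one of the RFC 6238 reference timestamps
    print("code at t=59:", totp(RFC_SECRET_B32, 59))          # 287082 per RFC 6238
    v = TotpVerifier(RFC_SECRET_B32)
    print("first use accepted:", v.verify(totp(RFC_SECRET_B32, t), t))
    print("replay accepted:", v.verify(totp(RFC_SECRET_B32, t), t))
```

Running it shows why the "time-based" and "disallow reuse" answers matter: the same secret and the same 30-second step always give the same code, so without the reuse check a code captured during one login would still be valid for the rest of that step (and for the neighbouring steps the skew window allows). The rate-limiting option is a separate per-user attempt counter and is not modelled here.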
Mobile app configuration

Open up your Google Authenticator application (it doesn't matter whether you're on Android or iOS), hit the advanced button (the 3 dots in the upper right corner) and select "Set up account".

Now you can choose either
- Scan a barcode, or
- Enter key provided, and just enter the secret key shown earlier.
Now we need the system to use google-authenticator during SSH login. We'll need to edit /etc/pam.d/sshd and add the following line:

```
auth required pam_google_authenticator.so
```

The /etc/ssh/sshd_config file also needs to be changed.

Restart the SSH daemon:

```
systemctl restart sshd
```

or, if you're on Debian:

```
/etc/init.d/ssh restart
```