Implementing Google Authentication on CentOS 7.x


Introduction

Traditional login credentials on a Linux system involves a username and password. However, a lot of services are adding two-factor authentication in order to be more secure, so not only something you know (the password) but also something you have (an authenticator). This can be easily done using the Google Authenticator, an app you can download on any modern smartphone.

You can add the same capability to your Linux system so that the login process will ask you for your password and the token.

Installation

The following root commands will get the Google Authenticator library and instal it on your system, along with NTP to ensure the clock is kept in sync, which is crucial for this to work:

<bash>
yum install ntp
systemctl enable ntpd
systemctl start ntpd
yum install pam-devel
wget https://github.com/google/google-authenticator/archive/master.zip
unzip master.zip
cd google*
./bootstrap.sh
./configure
make
make install

Configuration

First, you need to add Google Authenticator to the list of modules available for the login process as root:

<bash>
echo "auth       required     /usr/local/lib/security/pam_google_authenticator.so nullok" >> /etc/pam.d/sshd
echo "ChallengeResponseAuthentication yes" >> /etc/ssh/sshd_config
systemctl reload sshd

Then, you should run the command line utility to register your phone as whichever user you want to use two-factor authentication with:

<bash>
google-authenticator

That's it! From now on you will have to enter the current token in order to login as that user.



© 2008-2017 Patrick Lambert - All resources on this site are provided under the MIT License - You can contact me at: dendory@live.ca