Securing SSH with MFA via Google Authenticator - cfloquetprojects/homelab GitHub Wiki
Ensure you have a properly updated/patched CentOS 7 minimal host.
Let's make sure we have the correct repo to install `google-authenticator` from:

```
$ sudo yum -y install https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm
```
Adding MFA to SSH on CentOS isn't as hard as I expected; it begins with installing the `google-authenticator` package.
Note: if you are using an Ubuntu host you can install `google-authenticator` using `apt install -y libpam-google-authenticator`.
```
[cfloquet@centos7 ~]$ sudo yum -y install google-authenticator
[cfloquet@centos7 ~]$ google-authenticator
```
Now we should be able to scan a QR code that adds this account to the Google Authenticator app on a mobile device. I answered 'y' to all the security-related options, which, from what I read, mostly protect against MITM attacks by enabling more security features.
I then had to add the following line to the bottom of the `/etc/pam.d/sshd` file on the CentOS 7 host.
One-liner (the `sudo` belongs on `tee`, which is what actually writes the root-owned file; `echo` needs no privileges):

```
$ echo "auth required pam_google_authenticator.so" | sudo tee -a /etc/pam.d/sshd
```
Manually insert the config line:

```
$ sudo vi /etc/pam.d/sshd
<..>
auth required pam_google_authenticator.so
```
Let's modify `/etc/ssh/sshd_config` (the server config, not the client-side `ssh_config`) to both block root login (if you haven't already) and accept the challenge-response tokens that it will be asking for.

We can do this manually, or alternatively I've included some `sed` commands that do this work for us (they need root, and they only match the stock commented-out defaults, so check the file afterwards if it has already been edited):

```
sudo sed -i 's/#PermitRootLogin yes/PermitRootLogin no/g' /etc/ssh/sshd_config
sudo sed -i 's/ChallengeResponseAuthentication no/ChallengeResponseAuthentication yes/g' /etc/ssh/sshd_config
```
Should you choose to do this manually, here are the changed fields (the directive is `PermitRootLogin`, the same one the `sed` command rewrites):

```
<...>
PermitRootLogin no
<...>
# Change to yes to enable challenge-response passwords (beware issues with
# some PAM modules and threads)
ChallengeResponseAuthentication yes
<...>
```
Finally I rebooted the system and tested the SSH login from a separate device, where I was prompted for both my password and my two-factor code.
On Ubuntu the process starts in a similar manner, with the `libpam-google-authenticator` package:

```
$ sudo apt install libpam-google-authenticator
```
We need to add the line below to the `/etc/pam.d/sshd` file (exactly like on CentOS 7):

```
$ sudo vi /etc/pam.d/sshd
<..>
auth required pam_google_authenticator.so
```
Let's modify `/etc/ssh/sshd_config` to both block root login (if you haven't already) and accept the challenge-response tokens that it will be asking for.

We can do this manually, or alternatively I've included some `sed` commands that do this work for us (note that Ubuntu's stock default line is `#PermitRootLogin prohibit-password`, not `#PermitRootLogin yes` as on CentOS, so the first pattern differs):

```
sudo sed -i 's/#PermitRootLogin prohibit-password/PermitRootLogin no/g' /etc/ssh/sshd_config
sudo sed -i 's/ChallengeResponseAuthentication no/ChallengeResponseAuthentication yes/g' /etc/ssh/sshd_config
```
Should you choose to do this manually, here are the changed fields:

```
<...>
PermitRootLogin no
<...>
# Change to yes to enable challenge-response passwords (beware issues with
# some PAM modules and threads)
ChallengeResponseAuthentication yes
<...>
```
Next we need to sync the Google Authenticator module with our phone app, which we do using a QR code. We can start this process at any time using the `google-authenticator` command:

```
$ google-authenticator
```

It will ask you a series of questions; make sure to use your intended authenticating device to scan and verify the QR code it prints out (I've found the QR code renders more clearly in PowerShell than in PuTTY). Here is a recommended configuration:
- Make tokens "time-based": yes
- Update the .google_authenticator file: yes
- Disallow multiple uses: yes
- Increase the original generation time limit: no
- Enable rate-limiting: yes
Finally we should restart sshd using the command shown below:

```
sudo service sshd restart
```
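The `sed` one-liners above only match the stock default lines, so on an already-edited host they can silently change nothing. As an added example (not from this wiki, and not part of the google-authenticator project), here is a small POSIX shell script that applies the same three changes whatever the current lines look like, adds the PAM line only once, and checks the result before sshd is restarted. The function and file names are my own; paths are parameters so the functions can be tried on copies first.

```shell
#!/bin/sh
# Added example, not part of the wiki. The wiki's sed one-liners match one exact
# default line ("#PermitRootLogin yes" on CentOS 7, "#PermitRootLogin
# prohibit-password" on Ubuntu) and silently change nothing if the line differs.
# These helpers set a directive whatever the current line looks like, add the PAM
# line only once, and verify the result. Assumes POSIX sh/awk and GNU grep.
# Caveat: "Match" blocks are not treated specially, so a directive that lives
# under a Match line would be rewritten like any other.

# set_sshd_option FILE KEY VALUE
# Rewrites the first "KEY ..." or "#KEY ..." line as "KEY VALUE", drops later
# duplicates, and appends "KEY VALUE" when no such line exists. Idempotent.
set_sshd_option() {
    file=$1; key=$2; value=$3
    awk -v k="$key" -v v="$value" '
        { stripped = $0; sub(/^[ \t]*#?[ \t]*/, "", stripped) }
        stripped ~ ("^" k "([ \t]|$)") { if (!seen) { print k " " v; seen = 1 }; next }
        { print }
        END { if (!seen) print k " " v }
    ' "$file" > "$file.tmp" && cat "$file.tmp" > "$file" && rm -f "$file.tmp"
}

# add_pam_line FILE LINE: append LINE to the PAM stack unless it is already there
# (adds a newline first if the file does not end with one, so lines never merge)
add_pam_line() {
    grep -Fqx "$2" "$1" && return 0
    [ -z "$(tail -c1 "$1")" ] || echo >> "$1"
    printf '%s\n' "$2" >> "$1"
}

# check_config SSHD_CONFIG PAM_FILE: succeed only when all three settings the
# wiki asks for are in effect (uncommented, with the expected value).
check_config() {
    grep -Eq '^[[:space:]]*PermitRootLogin[[:space:]]+no([[:space:]]|$)' "$1" &&
    grep -Eq '^[[:space:]]*ChallengeResponseAuthentication[[:space:]]+yes([[:space:]]|$)' "$1" &&
    grep -Fqx 'auth required pam_google_authenticator.so' "$2"
}

# apply_mfa SSHD_CONFIG PAM_FILE: make the changes, then let sshd validate its
# own config before it is restarted. Keep the current SSH session open until a
# second session has logged in successfully through the MFA prompt.
apply_mfa() {
    set_sshd_option "$1" PermitRootLogin no
    set_sshd_option "$1" ChallengeResponseAuthentication yes
    add_pam_line "$2" 'auth required pam_google_authenticator.so'
    check_config "$1" "$2" || return 1
    if command -v sshd >/dev/null 2>&1; then sshd -t -f "$1" || return 1; fi
}

# On the real host, as root:
#   apply_mfa /etc/ssh/sshd_config /etc/pam.d/sshd && systemctl restart sshd
```

`sshd -t` only validates syntax; the real proof is a fresh login from a second terminal that gets both the password and the verification-code prompt.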