Enabling 2 Factor Auth on CentOS 7 / RHEL 7

CentOS 7 and RHEL 7 are industry favorites among Linux server operating systems.  As with any environment, one cannot depend on one-factor authentication.  We have seen this trend with many services we commonly need secured (banking, email, etc.).  So why not leverage this good security practice in our datacenter or cloud environment?

You can make this all happen using Google Authenticator or any 2 Factor Auth system of your choice.  Let’s see how we can put this together for ourselves on CentOS 7.

1 – Install Google-Authenticator using your favorite package manager (yum, etc.)

2 – Run the Google-Authenticator wizard, after which you’ll be provided with a QR code, a secret key, a verification code, and emergency scratch codes.

3 – Scan the QR code, or enter the secret key manually, in the Google Authenticator app on your phone.

4 – Choose where you’d like to enable 2 Factor.  With CentOS 7 you can choose SSH, Login, and others.



SSH 2 Factor

1 – Use vi to edit /etc/pam.d/sshd

Add “auth required pam_google_authenticator.so” to the end of this file, save and exit.

2 – Edit /etc/ssh/sshd_config

Change “ChallengeResponseAuthentication no” to “ChallengeResponseAuthentication yes”, then save and exit the file.

3 – Restart sshd with “sudo systemctl restart sshd”

GNOME Login 2 Factor

1 – Add “auth required pam_google_authenticator.so nullok” to the end of /etc/pam.d/gdm-password

Direct Login Screen

1 – Add “auth required pam_google_authenticator.so nullok” to the end of /etc/pam.d/login
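
A quick way to confirm the edits above, as an added example that is not part of the original post: it reports whether the pam_google_authenticator.so line is present in a PAM file and whether nullok is set (nullok lets accounts that have not run the wizard log in without a code), and reads the ChallengeResponseAuthentication value sshd will use. The helper names check_pam and check_sshd are hypothetical, and the sample files are constructed stand-ins for /etc/pam.d/sshd, /etc/pam.d/gdm-password, /etc/pam.d/login and /etc/ssh/sshd_config.

```shell
#!/bin/sh
# Added example, not from the original post. Helper names are hypothetical.

# check_pam FILE -> missing | enforced | nullok | control:<keyword>
check_pam() {
    awk '
        $1 ~ /^#/ { next }    # skip comment lines
        $1 ~ /^-?auth$/ && $3 ~ /pam_google_authenticator\.so$/ {
            if ($2 == "required" || $2 == "requisite") state = "enforced"
            else state = "control:" $2
            # nullok lets accounts with no enrolled secret skip the code
            for (i = 4; i <= NF; i++) if ($i == "nullok") state = "nullok"
            exit
        }
        END { print (state == "" ? "missing" : state) }
    ' "$1"
}

# check_sshd FILE -> yes | no | unset
# Global section only; sshd uses the first value it reads for a keyword.
check_sshd() {
    awk '
        $1 ~ /^#/ { next }
        tolower($1) == "match" { exit }    # stop before conditional blocks
        tolower($1) == "challengeresponseauthentication" {
            value = tolower($2); exit
        }
        END { print (value == "" ? "unset" : value) }
    ' "$1"
}

# Constructed stand-ins for the real files, so the script runs anywhere.
tmp=$(mktemp -d) && trap 'rm -rf "$tmp"' EXIT
printf '%s\n' '#%PAM-1.0' 'auth substack password-auth' \
    'auth required pam_google_authenticator.so' > "$tmp/sshd"
printf '%s\n' 'auth substack password-auth' \
    'auth required pam_google_authenticator.so nullok' > "$tmp/gdm-password"
printf '%s\n' 'auth substack password-auth' > "$tmp/login"
printf '%s\n' '#ChallengeResponseAuthentication yes' \
    'ChallengeResponseAuthentication no' > "$tmp/sshd_config"

for f in sshd gdm-password login; do
    echo "pam.d/$f: $(check_pam "$tmp/$f")"
done
echo "ChallengeResponseAuthentication: $(check_sshd "$tmp/sshd_config")"
```

On a real host, pass the actual paths to the two functions; a result of “no” or “unset” from check_sshd, or “missing” from check_pam, means the corresponding step has not taken effect.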