How to Setup Two-Factor Authentication (Google Authenticator) for SSH Logins

Ravi Saive

18 Responses

  1. Amit Bhatt says:

    I have configured google-authenticator on my RHEL7 box and it’s working fine. But I want to centralize the key generation method. What I want is that only root or any other user should be able to generate keys for other users and then share the key with the other user.

    Can this be done?

  2. Ken says:

    Hey Ravi, good guide, however I am having an issue with root account…I set this up to run on root and normal user, it runs OK with normal user, but not with root…I get the ‘validation code’ response for regular user, but only PW prompt for root, which it will not accept, even though root is allowed for ssh….wondering if you have any ideas on how to get this to work as root?

    Ken C.

  3. Andrew says:

    Hey, just checking in before I start implementing this in my environment – will this work in conjunction with SSH-key authentication, or do I have to be using password-based authentication to take advantage of 2FA?

  4. Alex says:

    Great guide, thanks!

    Do you know how to get this working with Shell-In-A-Box? It currently just prompts for a password as normal. Or do you know of an alternative to shell-in-a-box that can be used and works well with GA?

  5. Tom Woody says:

    Getting Google authenticator configured was easy enough, but is it possible to have a verification request presented to every login attempt (valid user or not)? If I try to login with my own account, I get presented with a verification code prompt, works great. But if I try and login with a random account, say ‘johndoe’, that isn’t on my server, it doesn’t prompt for verification. By this it’s possible to identify valid accounts on a machine by which ones prompt for verification. Am I missing something?

    • Richard Whitcombe says:

      If you put the:

      auth required pam_google_authenticator.so nullok

      line AFTER the:

      @include common-auth

      in the pam.d config file then it’ll first ask for a password and ONLY if the password is correct will it then prompt for a verification code. If the user doesn’t exist or the password is incorrect it’ll perform the standard behaviour of keeping asking for a password so no valid username details can be derived.

      All this change does is tell it to ask after the password is authenticated rather than before.

      That should solve the problem.
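
An added example, not part of the original comments: a shell check for the ordering described in the reply above, reporting whether the `pam_google_authenticator.so` line in an sshd PAM file comes before or after the password stack. The function name `pam_totp_order` and the sample files are constructed for illustration; beyond the `@include common-auth` case from the reply, it also recognises RHEL-style `password-auth`/`system-auth` stacks and a direct `pam_unix.so` line.

```shell
#!/bin/sh
# Added example: locate the TOTP module relative to the password stack.
# Prints: after-password | before-password | no-totp | no-password
pam_totp_order() {
    awk '
        NF == 0 || $1 ~ /^#/ { next }    # skip blank lines and comments
        # Password stack: Debian include, RHEL include/substack, or pam_unix itself
        ($1 == "@include" && $2 == "common-auth") ||
        ($1 == "auth" && ($2 == "include" || $2 == "substack") && $3 ~ /^(password|system)-auth$/) ||
        ($1 == "auth" && $0 ~ /pam_unix\.so/) { if (!pw) pw = NR; next }
        # First auth line that loads the Google Authenticator module
        $1 == "auth" && $0 ~ /pam_google_authenticator\.so/ { if (!totp) totp = NR }
        END {
            if (!totp)          print "no-totp"
            else if (!pw)       print "no-password"
            else if (totp > pw) print "after-password"
            else                print "before-password"
        }
    ' "$1"
}

# Constructed sample files (not real system configuration)
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT

cat > "$demo_dir/before" <<'EOF'
# constructed sample: verification code requested before the password
auth required pam_google_authenticator.so nullok
@include common-auth
EOF

cat > "$demo_dir/after" <<'EOF'
# constructed sample: ordering from the reply above
@include common-auth
auth required pam_google_authenticator.so nullok
EOF

for f in before after; do
    printf '%s: %s\n' "$f" "$(pam_totp_order "$demo_dir/$f")"
done
```

On a live host the same function can be pointed at `/etc/pam.d/sshd`; a result of `before-password` means the prompt sequence differs between accounts that have a secret file and those that do not.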

  6. Ken says:

    This doesn’t really live up to two-factor. Since the Google factor can be produced with something I know (the secret key and the Account or just the QR code) and a commodity something I have or using GAuth, this seems to be just a second something I know factor. Two-factor usually means two different kinds of factors.

  7. Fabian Santiago says:

    Nope, doesn’t work for me either and I did follow all steps correctly. It just keeps asking for the password and then fails on it. Never asks for verification code……

  8. Greg says:

    Nice one

  9. kash says:

    I am trying to login with root user and I am getting access denied when I try to give the code that is given on my mobile and also it is not prompting for verification code

    Followed all the steps mentioned above.

    Don’t understand where I am going wrong. Please help.

    • Ravi Saive says:

      Did you correctly add your secret key on the phone? Or try running the “google-authenticator” command again and follow the steps from there. Make sure you add the correct secret key to get this to work.

      • Trent says:

        Add another one here for “this NOT working.”

        It keeps asking for verification code and password over and over.

        I feel a new fail blog post coming on.

      • Trent says:

        And this is why it is failing. In the sshd log there is:

        “Auth sshd(pam_google_authenticator)[11838]Failed to read /root/.google_authenticator”

        The file is there and I even made it readable globally with chmod 777

        • Ravi Saive says:

          If SELinux is enabled on your system, then you need to use the proper configuration. The default SELinux rule doesn’t allow the SSH daemon to write or update the google_authenticator file. Run the following command to fix it.

          # chcon -t ssh_home_t -R /root/.google_authenticator

  10. Stuart says:

    This looks very promising as it uses the authentication in addition to the password instead of replacing it. Would love to hear anybody’s suggested security implications.
