How to secure your SSH using two-step authentication on CentOS 6

unnamedThere are several things you can do to secure and protect your SSH. One of them is to use Google Authenticator and create a two-factor authentication on your CentOS VPS. Google Authenticator gives you an extra layer of security by generating time based one-time passwords (TOTP) on your smartphone that you must enter along with your username and password in order to login to the server via SSH.

In today’s blog article we will explain how to install Google Authenticator from source and configure SSH for two-factor authentication.

First of all update your CentOS virtual server

yum -y update

Next, install the ‘pam-devel‘ package which allows you to set authentication policies without having to recompile programs that handle authentication.

yum -y install pam-devel

Make sure that ntpd is installed and running because the TOTP security tokens are time sensitive

yum -y install ntp
/etc/init.d/ntpd start
chkconfig ntpd on

Download and unpack the Google authenticator package

cd /opt/
tar -xvzf libpam-google-authenticator-1.0-source.tar.bz2
cd libpam-google-authenticator-1.0

Compile and install the Google authenticator module

make install

Now, run the Google authenticator on your server and answer each of the questions


Do you want authentication tokens to be time-based (y/n) y|0&cht=qr&chl=otpauth://totp/root@YOURHOSTNAME%3Fsecret%3DWYD4YCGEE5N4M3LA
Your new secret key is: WYD4YCGEE5N4M3LA
Your verification code is 188127
Your emergency scratch codes are:

Do you want me to update your "/root/.google_authenticator" file (y/n) y

Do you want to disallow multiple uses of the same authentication
token? This restricts you to one login about every 30s, but it increases
your chances to notice or even prevent man-in-the-middle attacks (y/n) y

By default, tokens are good for 30 seconds and in order to compensate for
possible time-skew between the client and the server, we allow an extra
token before and after the current time. If you experience problems with poor
time synchronization, you can increase the window from its default
size of 1:30min to about 4min. Do you want to do so (y/n) y

If the computer that you are logging into isn't hardened against brute-force
login attempts, you can enable rate-limiting for the authentication module.
By default, this limits attackers to no more than 3 login attempts every 30s.
Do you want to enable rate-limiting (y/n) y

Open the URL given after answering the first question and scan the QR code using the Google Authenticator application on your smartphone. That’s all. A new verification code will be generated every 30 seconds.

Now you will need to enable Google authenticator for SSH logins. Open PAM’s configuration file

vi /etc/pam.d/sshd

And add the following line at the top

auth       required

Open the SSH configuration file and ensure that the ‘ChallengeResponseAuthentication‘ line is set to yes

ChallengeResponseAuthentication yes

Save the changes and restart the SSH service:

service sshd restart

Now, every time you try to SSH into your server you will be prompted to enter the verification code displayed in your Google Authenticator application.

login as: 
Verification code:

Of course, if you are one of our Linux VPS Hosting customers, you don’t have to do any of this, simply ask our admins, sit back and relax. Our admins will set this up for you immediately.

PS. If you liked this post please share it with your friends on the social networks using the buttons on the left or simply leave a reply below. Thanks.

How to install OwnCloud 7 on an Ubuntu 14.04 VPS
How to install LEMP and run TT-RSS on a Fedora 20 VPS
How to replace MySQL with MariaDB on CentOS 6
  • Aman Hanjrah

    First of all, I must say that your tutorials are always the best and to the point. Really enjoy them!

    I am facing some difficulties when I try to configure google auth the SSH keys instead of plain text passwords. Is there some settings in ….pam.d/ssh that I need to configure in order to get this to work, order perhaps? OR is it just the ssh configuration file?



    thank you man that was very very help-full keep the good work