Adding more security on CentOS 7 with Google Authenticator
- Angelo Schalley
- Feb, 09, 2019
When you run your own Linux server, security can be a challenge. Protection with a login and password alone just doesn’t cut it anymore. Even if you followed best practice during initial server setup and generated an RSA key pair to connect to the server without passwords, which is one of the recommended methods to improve overall security, in certain cases this may not be enough. Implementing two-factor authentication should be your next step to secure your server even more. It adds another layer of security by generating a one-time password each time you connect to your server, so anybody who wants to connect with your username will also need access to your smartphone.
Install Google Authenticator
First, connect to your server and install the EPEL repo if it is not already installed:
# yum install https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm
Once you have installed the EPEL repo, you can go ahead and install Google Authenticator:
# yum install google-authenticator
Enable Google Authenticator
# google-authenticator
The application will ask you whether the authentication tokens should be time-based or not. Since we are going to set up time-based tokens, enter y to continue.
Do you want authentication tokens to be time-based (y/n) y
The application will generate a QR code on your screen which you need to scan with the smartphone application. Run the Google Authenticator application on your smartphone and scan the QR code.
The application will generate a new secret key, verification code and emergency scratch codes too. Keep these codes in a safe place.
Next, the application will ask you whether to save the key and the settings in the .google_authenticator file for your system user. Enter y to continue.
Do you want me to update your "/root/.google_authenticator" file? (y/n) y
The next question is whether you want to disallow multiple uses of the same authentication token. Each token is valid for 30 seconds and expires immediately after use. Enter y to continue.
Do you want to disallow multiple uses of the same authentication token? This restricts you to one login about every 30s, but it increases your chances to notice or even prevent man-in-the-middle attacks (y/n) y
If you don’t expect to have syncing issues between the client and the server, answer the next question with n.
By default, tokens are good for 30 seconds. In order to compensate for possible time-skew between the client and the server, we allow an extra token before and after the current time. If you experience problems with poor time synchronization, you can increase the window from its default size of +-1min (window size of 3) to about +-4min (window size of 17 acceptable tokens).
Do you want to do so? (y/n) n
Next, you can enable rate-limiting for the authentication module. This allows 3 login attempts every 30 seconds, so enter y to enable this feature.
If the computer that you are logging into isn’t hardened against brute-force login attempts, you can enable rate-limiting for the authentication module.
By default, this limits attackers to no more than 3 login attempts every 30s.
Do you want to enable rate-limiting (y/n) y
By answering this question you are done with the Google Authenticator setup. The settings are saved in the ~/.google_authenticator file and if you want to create a backup of this file you can copy it to a safe location.
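The token-reuse and time-window questions above are easier to reason about with a small model of the check. The following is an added example, not code from the PAM module or from the original post: it implements RFC 6238 time-based codes with a 30-second step and verifies them against a window of 3 or 17 tokens. The `Verifier` class, the in-memory reuse tracking and the sample secret are assumptions made for illustration.

```python
import base64
import hashlib
import hmac
import struct

STEP = 30  # seconds per token, as stated by the setup prompt


def totp(secret_b32: str, counter: int, digits: int = 6) -> str:
    """RFC 6238 code for one time step (HMAC-SHA1, dynamic truncation)."""
    key = base64.b32decode(secret_b32.upper())
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


class Verifier:
    """Hypothetical model: checks a code against a window, rejects reuse."""

    def __init__(self, secret_b32: str, window: int = 3, disallow_reuse: bool = True):
        self.secret = secret_b32
        self.half = (window - 1) // 2   # window 3 -> 1 step either side, 17 -> 8
        self.disallow_reuse = disallow_reuse
        self.used = set()               # time steps already consumed

    def verify(self, code: str, now: float) -> bool:
        current = int(now) // STEP
        for step in range(max(0, current - self.half), current + self.half + 1):
            if not hmac.compare_digest(totp(self.secret, step), code):
                continue
            if self.disallow_reuse and step in self.used:
                return False            # same token presented twice
            self.used.add(step)
            return True
        return False


# Constructed sample secret (the RFC 6238 test key), not a real credential.
SAMPLE_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"

if __name__ == "__main__":
    v = Verifier(SAMPLE_SECRET)
    code = totp(SAMPLE_SECRET, 59 // STEP)
    print(code, v.verify(code, 59), v.verify(code, 59))
```

With the default window a code from one step earlier is still accepted, while the second presentation of the same code is refused when reuse is disallowed.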
Configure OpenSSH (sshd)
# vi /etc/pam.d/sshd
Scroll down to the bottom of the file and add the following line:
auth required pam_google_authenticator.so
You also need to edit the SSH configuration file. Open this file:
# vi /etc/ssh/sshd_config
Enable 2-factor Challenge Response Authentication:
ChallengeResponseAuthentication yes
This directive may already be present, set to “no”; change it to “yes”, or add the line if it is not there yet. If the line is commented out, make sure you remove the leading “#”.
Now, restart the SSH service daemon and you’re good to go:
# service sshd restart
or
# systemctl restart sshd.service
Well done, you have now set up 2-factor authentication on your Linux server using Google Authenticator.
TIP: Test your setup before you log out by starting a new session, so your current session stays available if the new login fails.