Running your own Linux server could be very challenging, especially if you want to keep the security of the server on a high level and to protect the personal data as much as possible. During the initial server setup, you may have generated an RSA key pair to connect to the server without using passwords, which is one of the recommended methods to improve the overall security. However, in certain cases this may not be enough, so implementing two-factor authentication should be your next step. This adds another layer of security by generating time-based one-time passwords so anyone connecting to the server will need to have access to your smartphone. In this guide, we will explain how to secure your SSH using two-step authentication on a CentOS 7 server. Install Google Authenticator on a smartphone Before you start, download and install the Google Authenticator application on your smartphone. The application is available for iOS and Android. The application provides some useful features such as automatic setup via QR code, support for multiple providers and accounts, support for time-based and one-time tokens etc. Install Google Authenticator on CentOS 7 Next step is to install the Google Authenticator application on your CentOS 7 server. First, connect to your server and install the EPEL repo if it is not already installed: Code: # yum install https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm Once the EPEL repo is installed you can proceed and install the Google Authenticator application: Code: # yum install google-authenticator Enable two-step authentication To enable two-step authentication for your SSH service, the first thing you need to do is to create a key for the user you will be logging in with. Run the Google Authenticator application on your server to create the keys: Code: # google-authenticator The application will ask you whether the authentication tokens should be time-based or not. Since we are going to set up time-based tokens, enter y to continue. Code: Do you want authentication tokens to be time-based (y/n) y The application will generate a QR code on your screen which you need to scan with the smartphone application. Run the Google Authenticator application on your smartphone and scan the QR code. The application will generate a new secret key, verification code and emergency scratch codes too. Keep these codes in a safe place. Next, the application will ask you whether to save the key and the settings in the .google_authenticator file for your system user. Enter y to continue. Code: Do you want me to update your "/root/.google_authenticator" file? (y/n) y The next question is whether you want to disallow multiple uses of the same authentication token. Each token will be valid for 30 seconds and will expire immediately after the use. Enter y to continue. Code: Do you want to disallow multiple uses of the same authentication token? This restricts you to one login about every 30s, but it increases your chances to notice or even prevent man-in-the-middle attacks (y/n) y If you don't expect to have syncing issues between the client and the server, answer the next question with n. Code: By default, tokens are good for 30 seconds. In order to compensate for possible time-skew between the client and the server, we allow an extra token before and after the current time. If you experience problems with poor time synchronization, you can increase the window from its default size of +-1min (window size of 3) to about +-4min (window size of 17 acceptable tokens). Do you want to do so? (y/n) n Next, you can enable rate-limiting for the authentication module. This will allow you to have 3 login attempts every 30 seconds so enter y to enable this feature. Code: If the computer that you are logging into isn't hardened against brute-force login attempts, you can enable rate-limiting for the authentication module. By default, this limits attackers to no more than 3 login attempts every 30s. Do you want to enable rate-limiting (y/n) y By answering this question you are done with the Google Authenticator setup. The settings are saved in the ~/.google_authenticator file and if you want to create a backup of this file you can copy it to a safe location. Next step is to configure OpenSSH. Open the PAM configuration file for SSH using a text editor of your choice. We will be using nano: Code: # nano /etc/pam.d/sshd Scroll down to the bottom of the file and add the following line: Code: auth required pam_google_authenticator.so Another file that you need to edit is the SSH configuration file. Open the file: Code: # nano /etc/ssh/sshd_config Enable Challenge Response Authentication: Code: ChallengeResponseAuthentication yes Restart the SSH service for the changes to take effect: Code: # systemctl restart sshd.service Congratulations! You have now secured the SSH service on your server using two-step authentication. To test if the configuration is successful, start a new SSH session and try to log in to your server. Once you pass the first authentication method you will be asked to enter the verification code generated by the Google Authentication application. You will receive the code on your smartphone. Enter the verification code to log in to the server.