Introduction
Traditional login credentials on a Linux system consist of a username and password. However, many services are adding two-factor authentication to be more secure, requiring not only something you know (the password) but also something you have (an authenticator). This is easy to do with Google Authenticator, an app you can download on any modern smartphone.
You can add the same capability to your Linux system so that the login process will ask you for your password and the token.
Installation
The following commands, run as root, fetch the Google Authenticator library and install it on your system, along with NTP to keep the clock in sync, which is crucial for this to work:
yum install ntp
systemctl enable ntpd
systemctl start ntpd
yum install pam-devel
wget https://github.com/google/google-authenticator/archive/master.zip
unzip master.zip
cd google*
./bootstrap.sh
./configure
make
make install
Configuration
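First, as root, add Google Authenticator to the list of modules available for the login process. The nullok option lets users who have not yet registered a phone keep logging in with only their password:
echo "auth required /usr/local/lib/security/pam_google_authenticator.so nullok" >> /etc/pam.d/sshd
# sshd uses the first value it finds for a keyword, so change any existing line before falling back to appending
sed -i 's/^#\?ChallengeResponseAuthentication.*/ChallengeResponseAuthentication yes/' /etc/ssh/sshd_config
grep -q '^ChallengeResponseAuthentication yes' /etc/ssh/sshd_config || echo "ChallengeResponseAuthentication yes" >> /etc/ssh/sshd_config
# check the configuration syntax before reloading
sshd -t && systemctl reload sshd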
Then, logged in as each user who should use two-factor authentication, run the command-line utility to register your phone:
google-authenticator
That’s it! From now on you will have to enter the current token in order to log in as that user.