Set Up Multi-Factor Authentication for SSH on Amazon/Oracle Linux/CentOS/Fedora
Step 1 — Installing Google’s PAM
$ sudo yum install https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm
$ sudo yum install google-authenticator
Run the initialization app.
Once you finish this setup, if you want to back up your secret key, you can copy the ~/.google-authenticator file to a trusted location. From there, you can deploy it on additional systems or redeploy it after a backup.
Step 2 — Configuring OpenSSH and Making SSH Aware of MFA
Edit /etc/pam.d/sshdAppend the last line to the bottom of the file:
# Used with polkit to reauthorize users in remote sessions -session optional pam_reauthorize.so prepare auth required pam_google_authenticator.so nullok
The nullok word at the end of the last line tells the PAM that this authentication method is optional. This allows users without a OATH-TOTP token to still log in using their SSH key. Once all users have an OATH-TOTP token, you can remove nullok from this line to make MFA mandatory.
Find the line auth substack password-auth at the top of the file. Comment it out by adding a # character as the first character on the line. This tells PAM not to prompt for a password.
Edit /etc/ssh/sshd_configLook for ChallengeResponseAuthentication lines, change it from no to yes
Append the following the line to the bottom of the file:
AuthenticationMethods publickey,password publickey,keyboard-interactive
This line tells SSH we need a SSH key and either a password or a verification code.
sudo systemctl restart sshd.service
Test and it should work.