Set Up Multi-Factor Authentication for SSH on Amazon/Oracle Linux/CentOS/Fedora

Step 1 — Installing Google’s PAM

On CentOS/RHEL the google-authenticator package comes from EPEL, so enable that repository first. The URL below is for EL7; pick the matching epel-release for other releases. Fedora carries the package in its own repositories and needs no extra repository.

$ sudo yum install https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm
$ sudo yum install google-authenticator

Run the initialization app as the user who will log in over SSH (not as root, unless root is the account you are protecting):

$ google-authenticator

It asks whether the codes should be time-based (answer y for TOTP), shows a QR code and the secret to enrol in your authenticator app, prints a set of emergency scratch codes, and writes all of this to ~/.google_authenticator.

Once you finish this setup, if you want to back up your secret key, you can copy the ~/.google_authenticator file to a trusted location. From there, you can deploy it on additional systems or redeploy it after rebuilding this one. Treat that file like a password: it holds the shared secret and the scratch codes, and the PAM module refuses to use it unless it is owned by the user and not readable by group or others (mode 0400, which is what the tool sets).

Step 2 — Configuring OpenSSH and Making SSH Aware of MFA

Edit /etc/pam.d/sshd. On these distributions the file ends with these two lines:

# Used with polkit to reauthorize users in remote sessions
-session   optional     pam_reauthorize.so prepare

Append this line after them:

auth       required     pam_google_authenticator.so nullok

The nullok word at the end of the new line tells PAM that this authentication method is optional: the module succeeds for any user who has no ~/.google_authenticator file. This allows users without an OATH-TOTP token to still log in using their SSH key. Once all users have an OATH-TOTP token, remove nullok from this line to make MFA mandatory.

Find the line auth substack password-auth near the top of the file. Comment it out by adding a # character as the first character on the line. This removes the Unix password check from sshd's PAM stack, so PAM no longer prompts for a password; the verification code becomes the only thing PAM asks for.
Edit /etc/ssh/sshd_config

Look for the ChallengeResponseAuthentication line and change it from no to yes; this is what lets sshd pass the PAM prompt for the verification code through to the client. (On OpenSSH 8.7 and newer, as shipped by recent Fedora, the directive is called KbdInteractiveAuthentication; the old name still works as an alias.) Make sure UsePAM yes is set (the default on these distributions), and set PasswordAuthentication no, because the Unix password check has just been removed from the PAM stack.

Append the following line to the bottom of the file:

AuthenticationMethods publickey,keyboard-interactive

This line tells SSH that a login needs an SSH key and then the keyboard-interactive exchange, which is where PAM asks for the verification code. A common variant of this line, publickey,password publickey,keyboard-interactive, is meant to allow a key plus either a password or a code; but with the password-auth substack commented out there is nothing left in the PAM stack that verifies a Unix password, so the password alternative is not what it appears to be. Leave it out.

Restart SSH. Keep your current session open and test from a second terminal, so a mistake in the configuration cannot lock you out; sudo sshd -t reports syntax errors before you restart.

sudo systemctl restart sshd.service

On the test login you should be asked for a Verification code: after your key is accepted. Test and it should work.
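The whole of Steps 1 and 2 as a script, added here as an example and not part of the original post: it applies the PAM and sshd_config edits to whatever two files you name, so you can run it on copies, inspect the result and validate it with sshd -t before touching /etc. It assumes the CentOS/RHEL 7 layout shown above (the password-auth substack, pam_google_authenticator from EPEL); the function names and the constructed sample files in the usage note are mine.

```bash
#!/bin/bash
# Added example (not from the original post): apply the PAM and sshd_config edits
# from Steps 1-2 to the files named on the command line, so they can be tried on
# copies and checked with `sshd -t` before /etc is touched. Assumes the CentOS 7 /
# RHEL 7 layout (the password-auth substack, pam_google_authenticator from EPEL).
set -eu

# Disable the Unix password substack and append the TOTP module. Re-running the
# function makes no further changes.
configure_pam_sshd() {
  local pam_file="$1"
  # Comment out "auth substack password-auth" so PAM stops asking for the Unix password.
  sed -i -E 's/^(auth[[:space:]]+substack[[:space:]]+password-auth)/#\1/' "$pam_file"
  # nullok: users with no ~/.google_authenticator skip the code until they enrol.
  # Remove it once everyone has a token to make MFA mandatory.
  if ! grep -qE '^auth[[:space:]]+required[[:space:]]+pam_google_authenticator\.so' "$pam_file"; then
    printf 'auth       required     pam_google_authenticator.so nullok\n' >> "$pam_file"
  fi
}

# Replace every (possibly commented-out) occurrence of an sshd_config keyword with a
# single "key value" line appended at the end of the file. Caveat: if the file ends
# with a Match block, the appended line lands inside it; move it above the block.
set_sshd_option() {
  local cfg="$1" key="$2" value="$3"
  sed -i -E "/^#?[[:space:]]*${key}[[:space:]]/d" "$cfg"
  printf '%s %s\n' "$key" "$value" >> "$cfg"
}

configure_sshd_config() {
  local cfg="$1"
  set_sshd_option "$cfg" UsePAM yes                            # hand authentication to PAM
  set_sshd_option "$cfg" ChallengeResponseAuthentication yes   # lets PAM prompt for the code
  set_sshd_option "$cfg" PasswordAuthentication no             # no Unix passwords over SSH
  # Key first, then the PAM keyboard-interactive exchange (the TOTP prompt).
  set_sshd_option "$cfg" AuthenticationMethods publickey,keyboard-interactive
}

# Return 0 if the two files show the intended end state; report each gap otherwise.
verify_mfa_config() {
  local pam_file="$1" cfg="$2" rc=0
  grep -qE '^auth[[:space:]]+required[[:space:]]+pam_google_authenticator\.so' "$pam_file" \
    || { echo "pam_google_authenticator.so not enabled in $pam_file"; rc=1; }
  if grep -qE '^auth[[:space:]]+substack[[:space:]]+password-auth' "$pam_file"; then
    echo "password-auth substack still active in $pam_file"; rc=1
  fi
  grep -qxE 'AuthenticationMethods[[:space:]]+publickey,keyboard-interactive' "$cfg" \
    || { echo "AuthenticationMethods not set in $cfg"; rc=1; }
  grep -qxE 'PasswordAuthentication[[:space:]]+no' "$cfg" \
    || { echo "PasswordAuthentication still allowed in $cfg"; rc=1; }
  grep -qxE 'ChallengeResponseAuthentication[[:space:]]+yes' "$cfg" \
    || { echo "ChallengeResponseAuthentication not enabled in $cfg"; rc=1; }
  return "$rc"
}

# The PAM module refuses a secret file that is readable by group or others (it also
# has to be owned by the user), so check the mode before relying on a restored copy.
check_secret_file() {
  local f="$1" mode
  [ -f "$f" ] || { echo "no secret file at $f"; return 1; }
  mode=$(stat -c '%a' "$f")
  case "$mode" in
    400|600) return 0 ;;
    *) echo "$f has mode $mode; chmod 400 it"; return 1 ;;
  esac
}

# Usage: mfa-ssh.sh /path/to/pam.d/sshd /path/to/sshd_config   (try it on copies first)
if [ "$#" -eq 2 ]; then
  configure_pam_sshd "$1"
  configure_sshd_config "$2"
  verify_mfa_config "$1" "$2" && echo "MFA configuration applied; validate with: sshd -t -f $2"
fi
```

To rehearse without risk, copy the live files (cp /etc/pam.d/sshd /tmp/sshd.pam; cp /etc/ssh/sshd_config /tmp/sshd_config), run the script on the copies, read the diff, and run sudo sshd -t -f /tmp/sshd_config; only then repeat against /etc, with an existing session kept open while you test from a second terminal.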
