Setting up multi-factor authentication on Linux systems

    Chandan Singh
    By Chandan Singh

    Note : Not Recommended  for Production because of Organizational Security Policies. 

    Pluggable Authentication Modules (PAM) allow Linux to work with Google Authenticator and other OTP tools to add two-factor security to your system.

    What is MFA?


    Usually, when you sign in to an account or device, you are asked for a username and password. When you SSH into a Linux machine, you may be asked for an SSH key pair. Multi-factor authentication requires users to provide more than one piece of information to authenticate successfully to an account or Linux host. The additional information may be a one-time password (OTP) sent to your cell phone via SMS or credentials from an app like Google Authenticator, Twilio Authy, or FreeOTP.

    Pluggable Authentication Modules (PAM) are the authentication mechanism used in Linux. In this article, we use the Google PAM module to enable MFA so users can log in by using time-based one-time password (TOTP) codes.

    Testing Environment :

    Centos 7


    1.Update Your System


     $ sudo yum update



    2.Install Google Authenticator


    To install the necessary packages enable the EPEL repository, which hosts the package you’re looking for.

    $ sudo yum install epel-release



    Next, install the google-authenticator package that you’ll be using to generate keys and passwords.

      $ sudo yum install google-authenticator


    Although we are using the Google Authenticator package, the keys it generates are compatible with other authentication apps.


    4. Generate a Key


    Now that the packages have been installed, you’ll use them to generate keys. Software on client devices use these keys to generate TOTPs. To understand the difference between these passwords and the ones you already use, let’s break down the TOTP concept:

    • Time-based - The generated password will change every 30-60 seconds. This means that if an attacker tries to use brute force, they’ll almost certainly run out of time before new credentials are needed to gain access.
    • One-time - The password will be valid for a single authentication only, thus minimizing the risk of a replay attack. Even if your TOTP is intercepted upon sending it to the server, it will no longer be valid after you’ve logged in.

    The following instructions will allow you to specify a user for whom you’d like to generate a password. If you are configuring two-factor authentication for multiple users, follow these steps for each user.



    Be sure to have your phone or mobile device ready, since this is where you’ll add the password to your authenticator app. If you haven’t downloaded an authenticator app, do so before proceeding.


    Run the google-authenticator program. A prompt will appear asking you to specify whether you’d like to use time-based authentication (as opposed to one-time or counter-based). Choose “yes” by entering y at the prompt.


    You should see a QR code in your terminal:


    Using the authenticator app on your phone or mobile device, scan the code. A new entry should be added to your authenticator app in the format  username@hostname.

    You’ll also see a “secret key” below the QR code. You can also enter this secret key into the app manually, instead of scanning the QR code, to add your account.

    Record your emergency scratch codes in a secure location. These codes can be used for authentication if you lose your device, but be aware that each code is only valid once.


    You’ll be prompted to answer the following questions:

    This specifies whether the authentication settings will be set for this user. Answer y to create the file that stores these settings.



    This makes your token a true one-time password, preventing the same password from being used twice. For example, if you set this to “no,” and your password was intercepted while you logged in, someone may be able to gain entry to your server by entering it before the time expires. We strongly recommend answering y.



    This setting accounts for time syncing issues across devices. Unless you have reason to believe that your phone or device may not sync properly, answer n.



    This setting prevents attackers from using brute force to guess your token. Although the time limit should be enough to prevent most attacks, this will ensure that an attacker only has three chances per 30 seconds to guess your password. We recommend answering y.



    Before you log out, review the below configuration carefully to avoid getting locked out of your 


    Configure Authentication Settings


    The TOTP authentication methods in this guide use PAM, or Pluggable Authentication Modules. PAM integrates low-level authentication mechanisms into modules that can be configured for different applications and services. Because you’re using additional software (i.e., programs that aren’t built into the Linux distro), you’ll need to configure PAM to properly authenticate users.

    A. Open /etc/pam.d/sshd with sudo privileges, and add the following lines to the end of the file:

    $ sudo vi /etc/pam.d/sshd

           auth required no_warn try_first_pass

           auth required nullok    

    Note : Remove nullok when all the user are configured properly for MFA

    B. Edit /etc/ssh/sshd_config to include the following lines, replacing example-user with any system user for which you’d like to enable two-factor authentication. Comments (preceded by #) are included here, but should not be added to your actual configuration file:

    $ sudo vi /etc/ssh/sshd_config

    # This line already exists in the file, and should be changed from 'no' to 'yes'

     ChallengeResponseAuthentication yes


    # These lines should be added to the end of the file

           Match User linuxblogger

           AuthenticationMethods keyboard-interactive


    If you created TOTPs for multiple users, and you’d like to have them all use two-factor authentication, create additional Match User blocks for each user, duplicating the command format shown above.

    C. Restart the SSH daemon to apply these changes:

    $ sudo systemctl restart sshd

    No Test the configuration 


    After entering verification code u should able to login