1password 2fa Google Authenticator

Open your Google Account. In the navigation panel, select Security. Under “Signing in to Google,” select 2-Step Verification Get started. Follow the on-screen steps. Before you can set up 2FA on your account, you’ll need to download and install an authentication app on your device. Slack 2FA can be used with most Time-Based, One-Time Password (TOTP) applications. Here are a few options to get you started: iPhone: Google Authenticator, Duo Mobile, 1Password, Authy, Microsoft Authenticator.

1password 2 Factor Authentication
1password 2fa Google Authenticator Login
1password 2fa Google Authenticator Download
Download 2fa Authenticator

This tutorial will show you how to set up SSH two-factor authentication on CentOS/RHEL server using the well-known Google Authenticator. It will greatly improve the security of SSH service on your CentOS/RHEL server.

How Two-Factor Authentication Works

Usually you only need to enter a password or use SSH key to log in to your remote CentOS/RHEL server. Two-factor authentication (2FA) requires you to enter two pieces of information in order to login, so you will also need to enter a time-based one-time password to log in to your SSH server. This one-time password is computed using the TOTP algorithm, which is an IETF standard. These days many websites and services (Facebook, Google, Twitter, etc) offer 2FA for users to secure their accounts and it’s a good idea to also enable 2FA for your SSH server.

This tutorial will show you how to set up

Password authentication with 2FA
Public key authentication with 2FA

Note: The open-source server software we will use in this article is called google-authenticator, which is installed from the EPEL repository. Google the company does not involve in the authentication process in any shape or form. The server software and the mobile app don’t need network access.

Step 1: Install and Configure Google Authenticator on CentOS/RHEL Server

Log into your CentOS/RHEL server and run the following commands to install Google Authenticator from the EPEL (Extra Package for Enterprise Linux) repository. qrencode is used to generate QR code on the command line.

Then run the google-authenticator command to create a new secret key in the ~/.ssh/ directory.

When asked “Do you want authentication tokens to be time-based?” Answer y.

Then you will see a QR code that you need to scan using a TOTP app on your phone.

There are two apps that I recommend:

Google Authenticator is the most well-known TOTP mobile app. You can install it via Google Play or Apple app store on your mobile phone.
The Google Authenticator mobile app isn’t open-source. If you don’t trust Google, you can use FreeOTP, an open-source TOTP mobile app developed by Red Hat.

Scan the QR code with Google Authenticator or FreeOTP on your mobile phone. Note that you need to enlarge the terminal window to scan the full QR code.

The QR code represents the secret key, which is only known by your SSH server and your TOTP mobile app. Once the QR code is scanned, you can see a six-digit one-time password on your phone. By default, it changes every 30 seconds. You need to enter this one-time password into the terminal.

Now in the terminal window, you should see the emergency scratch code. It’s important that you save this information to a safe place in case you lose your phone.

Then you can enter y to answer all of the remaining questions. This will update you Google Authenticator configuration file, disable multiple uses of the same authentication token, increase the time window and enable rate-limiting to protect against brute-force login attempts.

Step 2: Configure SSH Daemon to Use Google Authenticator

Password authentication with 2FA
Public key authentication with 2FA

Password Authentication with 2FA

If you don’t use SSH key, then follow the instructions below.

Open SSH server configuration file.

Find the following two parameters in the file and make sure both of them are set to yes.

PAM stands for pluggable authentication module. It provides an easy way to plug different authentication method into your Linux system. To enable Google Authenticator with SSH, PAM and Challenge-Response authentication must be enabled.

If you want to allow the root user to use 2FA, then find the PermitRootLogin parameter and set its value to yes. It can not be PermitRootLogin no or PermitRootLogin prohibit-password.

Save and close the file. Next, edit the PAM rule file for SSH daemon.

To enable 2FA in SSH, add the following two lines.

Save and close the file. Then restart SSH daemon for the change to take effect.

From now on SSH daemon will require you to enter user password and a verification code (the one-time password generated by Google Authenticator). The following screenshot shows an SSH login session from an Ubuntu desktop to a CentOS Linux server.

Public Key Authentication with 2FA

If you use SSH key to log into SSH server, then follow the instructions below.

Open SSH server configuration file.

Find the following two parameters in the file and make sure both of them are set to yes.

If you want to allow the root user to use 2FA, then find the PermitRootLogin parameter and set its value to yes. It can not be PermitRootLogin no or PermitRootLogin prohibit-password.

Next, add the following line at the end of this file. This tells SSH daemon that the user must pass both public key authentication and challenge-response authentication.

1password 2 Factor Authentication

Save and close the file. Next, edit the PAM rule file for SSH daemon.

To enable 2FA in SSH, add the following two lines.

Also comment out the following line (Add # at the beginning) to disable password authentication.

Save and close the file. Then restart SSH daemon for the change to take effect.

From now on you need to use SSH key and Google Authenticator verification code to login.

Notes

Each user on your CentOS/RHEL server needs to run google-authenticator -s ~/.ssh/google_authenticator command and scan QR code in order to use two-factor authentication. If the user didn’t set up and tries to login, the error message “Permission denied (keyboard-interactive)” will be displayed.
Emergency Scratch Code is your backup code. If you lose your phone, you can enter one of five emergency scratch code instead of a one-time password to complete the two-step verification. These codes are for one-time use only.
If you want to change the secret key, simply log into your server and run google-authenticator -s ~/.ssh/google_authenticator command again to update the ~/.ssh/google_authenticator file.

How to Disable SSH Two Factor Authentication on CentOS/RHEL Server

Edit the PAM rule file for SSH daemon.

Comment out the following line.

Save and close the file. If you added the following line in /etc/ssh/sshd_config file,

Remove the keyboard-interactive authentication method.

Save and close the file. Then restart SSH daemon.

Wrapping Up

I hope this tutorial helped you set up SSH two factor authentication on CentOS/RHEL server. As always, if you found this post useful, then subscribe to our free newsletter to get more useful tutorials. Take care 🙂

[Total: 3 Average: 5]

A common trend I see is the rush to turn on 2FA like Google Authenticator and Authy, but do people understand why it’s so effective?

Google Authenticator and Authy are TOTP (Time-based One-time Password) 2FA.

I’m going to show you what makes TOTP 2FA so effective and why this matters.

How TOTP 2FA Works

When you turn on TOTP 2FA, you’re shown a QR code that looks like this.

A QR code is a way to transmit information to a computer from the real world or a non-connected device like your phone. Go ahead and open your phone’s camera app to scan the QR code above.

Inside that QR code contains text that looks like this.

otpauth://totp/This_is_an_Example:email@email.com?algorithm=SHA1&digits=6&issuer=Example_Website&period=30&secret=S6HZS7XT6KQ6AFSR7XEVO

Within that text, it tells the TOTP app what kind of 2FA it is, username, the secret, and the website URL. This info is added to your 2FA app, and the app generates the ever-changing 6 digit code.

The most important part of that string of text is the secret (secret=S6HZS7XT6KQ6AFSR7XEVO).

The TOTP Secret

In our example, the secret is S6HZS7XT6KQ6AFSR7XEVO.

The secret inside of TOTP 2FA is nothing more than a randomly generated password.

That secret is combined with the current time to give you the 6 digit code you see that changes every 30 seconds. Anyone who knows that secret can put it in any TOTP app and generate the same 6 digit codes as all TOTP 2FA devices go off the universal time.

Yup, it’s that simple.

What makes TOTP 2FA so effective is the randomly generated secret (aka password). If we allowed people to make their own secrets, we would have the same problem we have now with people reusing passwords (credential stuffing attacks).

The very act of not letting the user create their secret is what makes TOTP so great!

Why This Matters

This matters because not every website will ever implement TOTP 2FA or any 2FA at all.

It’s unfortunate but true.

But you don’t need to worry because you can get the benefit that TOTP 2FA supplies by merely using a password manager.

Instead of waiting for a website to implement 2FA, you can today get a password manager and use it to generate and store a random password that you use for login. As we’ve learned, what makes TOTP 2FA so special is the fact that the secret is a random password.

If you don’t trust password managers, I have a solution here that solves that.

But 2 Factors Are Better Than One!

Yes, 2 factors are better than one.

The problem is that many services and users use 2FA to solve their password reuse problems.

If your first factor is already known because of password reuse, then you don’t have 2FA anymore but instead 1FA with an extra step. It’s just like having a door with two locks but you keep the PIN code visible for the first lock on the door – you effectively have one lock protecting your door.

That’s the irony of the whole situation.

Turning on 2FA to fix your password reuse problem is not solving the actual problem. You’re applying a bandaid – TOTP 2FA – and what makes it strong is the secret which is a random password. If a TOTP 2FA app stores random passwords, then it’s nothing more than a password manager.

You’re jumping through all these hoops to ultimately end up with random passwords in a password manager. If that is the case, then why not do that from the start? Especially when a website doesn’t support 2FA, you can still do a random password from your password manager and still be just as good.

Simply giving every account it’s own random password would solve most of your “hacking” problems. To say this is not true would be like saying TOTP 2FA is not going to solve it either.

It’s Passwords All The Way Down

The secret inside of TOTP 2FA is nothing more than a random password.

Not only that, but the backup codes you’re given to turn off 2FA if you lose your device is random passwords too.

Even the secure U2F keys have a private key, which is just another type of password.

It’s passwords all the way down, and this is why passwords are here to stay. The quicker people realize this and adopt things that make this easy, like password managers, the better off they’ll be.

Why Don’t Websites Generate The Password For Users?

If the strength of TOTP 2FA comes from the fact the user never creates the secret, which is nothing more than a password.

And that password is generated by the service, then why don’t they generate the password for the user from the start?