From Notes_Wiki

Home > CentOS > CentOS 6.x > Security tools > google authenticator

We can use google-authenticator for setting up to two factor authentication on Linux systems. To setup authentication follow these steps:

  1. Download latest version using 'git clone' or from
  2. Compile using 'make' and install using 'make install'
  3. Additionally copy file to /lib/security using 'cp /lib/security'
  4. Add line ' auth required' at the top of file '/etc/pam.d/sshd'
  5. Use 'yum -y install qrencode'
  6. Type 'google-authenticator' for user for whom you want to setup two factor authentication and scan the qrcode using Google authenticator andriod app. Andriod app can be installed from
  7. Ensure that SELinux is either disabled or set proper labels on pam module binaries that got installed.
  8. Edit '/etc/ssh/sshd_config' and set 'ChallengeResponseAuthentication yes'
  9. Restart sshd service
  10. Save generated "One time passwords" at secure location
  11. Test by using ssh to given account of given machine

Disable google-authenticator for trusted machines

To disable google-authenticator for trusted machines use:

  1. Edit '/etc/pam.d/sshd' such that it has following starting lines:
    auth [success=1 default=ignore] accessfile=/etc/security/access-local.conf
    auth required
  2. Now create file '/etc/security/access-local.conf</tt?' with contents similar to
    + : ALL :
    + : ALL : LOCAL
    - : ALL : ALL
  3. Then use 'service sshd restart'
  4. Then try to ssh from trusted machine to verify that password is still being prompted (unless key based authentication is used) but google authenticator verfication code is not prompted.

Home > CentOS > CentOS 6.x > Security tools > google authenticator