How to setup google two-factor authentication (2FA) on RPM-based Linux.

We are going to walk you through the process to setup SSH two-factor authentication  (2FA) and on RPM-based Linux operating system. We have tested steps works on RHEL/CentOS/RockyLinux. You will need to install Google Authenticator which generate time-based one-time passcode (OTP) on your device to be used for two factor authentication. If you’re really concerned about unauthorized access to your computer, you should definitely add an additional layer of authentication which may help to protect your servers from internal or external threats. 

Here, we will use the Google PAM module to enable 2FA so that users can login using time-base-one-time password (TOTP).

Before you begain –

Warning – Before adding your system into two-factor authentication (2FA), you must know that without generated codes, you will not be able to gain access to you system. Every time you want to log in, you should have either smartphone or emergency codes.
 . Linux OS installed on system
 Authenticator application should be installed on your mobile device such as Google Authenticator or Authy.
. Time should be sync.
. Take configuration file backup
Google Authentication PAM module is not available of RPM-based distro, so add the EPEL repository as below.

Enable EPEL Repository

# yum install epel-release


Install Google Authentication module on a RPM-based Linux system with following command.

# dnf install google-authenticator qrencode-libs -y


Once the package is installed login with the user you want to protect with the two-factor authentication. Run following command to begin google-authenticator configuration
$ google-authenticator
This will asks bunch of questions, most of the questions, answer YES unless you require something else other than the default. Keep the above QR code and other codes in a safe location. You might need them if you can’t access Google Authenticator on your phone or lose it.

Install Google Authenticator

Download and install Google Authenticator before enabling and configuring two factor authentication from “Play Store” or “App Store” based on your device.
Next, add an account scanning QR code of the key which was generated at earlier step. you should start getting OTP once you add the account to login on you Linux box.

Configure /etc/pam.d/sshd module

Configure SSH to use Google Authenticator, open file with your favorite editor /etc/pam.d/sshd and add  the following line. With the nullok option on the line, SSH will not require an OTP code for users on the machine that are not configured for 2FA. 
Note: Always take Config file backup before doing changes in the files.
#vi /etc/pam.d/sshd
auth       required nullok
auth    required     no_warn try_first_pass

Configure /etc/ssh/sshd_config

# vi /etc/ssh/sshd_config
Search line “ChallengeResponseAuthentication no” and change it to “yes” or if the entry is already there and commented with #, remove it and restarted the SSHD service.

# systemctl restart sshd.serivice

Testing 2FA

Let us test our setup, open terminal and SSH into the Linux host. Open Google Authenticator app on your device and system will prompt for the verification code as shown below:

What if you loose the code or device

In each user’s home directory Google Authenticator settings are saved in a form of hidden file as .google_authenticator. If you open a file, the very first line of the file is a secret key, type it into your authenticator app and you are done. 

That’s it. In this post, we have seen how easily can be setup 2FA Google Authenticator on RPM-based Linux. Please share it with others and use comment box below to raise a query if any. Also follow us on tecluesdotcom Facebook Official Page.


Leave a Comment