Secure SSH Access with Google Authenticator: Step-by-Step Linux Setup

1. SSH Connection

Secure Shell (SSH) is an encrypted network protocol that creates a secure tunnel for client‑server communication, most commonly used for remote command‑line login on Unix‑like systems and, to a lesser extent, Windows.

SSH is highly secure, but password leakage can occur; adding an extra layer such as two‑factor authentication (e.g., knockd, S/KEY, OPIE/OPTW, Google Authenticator) mitigates this risk.

2. Google Authenticator

Google Authenticator is a time‑based one‑time password (TOTP) application implementing the algorithms defined in RFC 6238 and RFC 4226. It generates six‑ to eight‑digit codes for two‑step verification on Google services and third‑party applications. Earlier versions were open source; newer releases are proprietary.

3. Installation on Linux

3.1 System Environment

# cat /etc/redhat-release
CentOS release 6.8 (Final)

# uname -a
Linux clsn.io 4.10.5-1.el6.elrepo.x86_64 #1 SMP Wed Mar 22 14:55:33 EDT 2017 x86_64 x86_64 x86_64 GNU/Linux

# sestatus
SELinux status:                 disabled

3.2 Install Google Authenticator

3.2.1 Install dependencies

yum -y install wget gcc make pam-devel libpng-devel

3.2.2 Install Google Authenticator PAM module

# Download source
wget https://github.com/google/google-authenticator/archive/1.02.tar.gz
tar xf 1.02.tar.gz
cd google-authenticator-1.02/libpam/
./bootstrap.sh
./configure
make && make install

After installation, /usr/local/lib/security/pam_google_authenticator.so and the executable /usr/local/bin/google-authenticator are created.

3.2.3 Copy the .so file

# cp /usr/local/lib/security/pam_google_authenticator.so /lib64/security/

4. Configure SSH + Google Authenticator

4.1 Initialize Google Authenticator

# google-authenticator
Do you want authentication tokens to be time-based (y/n) n
# QR code generated ...
Your new secret key is: ****
Your verification code is 5****0
Your emergency scratch codes are:
  40****84
  19****95
  60****78
  83****92
  31****58
Do you want me to update your "/root/.google_authenticator" file? (y/n) y
Do you want to increase the token window from 3 to 17? (y/n) y
Enable rate‑limiting (y/n) y

4.2 Modify PAM and sshd configuration

Add the Google Authenticator module to /etc/pam.d/sshd:

# vim /etc/pam.d/sshd
auth       required     pam_google_authenticator.so

Resulting /etc/pam.d/sshd file:

#%PAM-1.0
auth       required     pam_sepermit.so
auth       required     pam_google_authenticator.so
auth       include      password-auth
account    required     pam_nologin.so
account    include      password-auth
password   include      password-auth
session    required     pam_selinux.so close
session    required     pam_loginuid.so
session    required     pam_selinux.so open env_params
session    required     pam_namespace.so
session    optional     pam_keyinit.so force revoke
session    include      password-auth

Update /etc/ssh/sshd_config to enable challenge‑response authentication:

# vim /etc/ssh/sshd_config
ChallengeResponseAuthentication yes

Restart the SSH service:

# service sshd restart

5. Client Usage

5.1 Android client

Version 5.00 (updated 27 Sep 2017). Download from Google Play or the provided mirror.

5.2 Browser extensions

Chrome and Firefox extensions are available for generating 30‑second codes.

5.3 Python client

import hmac, base64, struct, hashlib, time

def calGoogleCode(secretKey):
    input = int(time.time()) // 30
    key = base64.b32decode(secretKey)
    msg = struct.pack('>Q', input)
    googleCode = hmac.new(key, msg, hashlib.sha1).digest()
    o = ord(googleCode[19]) & 15
    googleCode = str((struct.unpack('>I', googleCode[o:o+4])[0] & 0x7fffffff) % 1000000)
    if len(googleCode) == 5:
        googleCode = '0' + googleCode
    return googleCode

secretKey = '***YOUR_SECRET***'
print(calGoogleCode(secretKey))