Secure Your SSH Login with Google Authenticator: Step‑by‑Step Guide
This tutorial explains how to enhance SSH security by integrating Google Authenticator for two‑factor authentication, covering SSH basics, Google Authenticator overview, Linux installation steps, PAM configuration, client setup on Android, browsers, and Python, with complete command examples.
1. SSH Connection
Secure Shell (SSH) is an encrypted network protocol that provides a secure transmission environment for network services, most commonly used for remote login to Unix‑like systems and also supported on Windows.
2. Google Authenticator
Google Authenticator is a time‑based one‑time password (TOTP) software token that implements the algorithms defined in RFC 6238 and RFC 4226, generating six‑ to eight‑digit codes for two‑step verification on Google services and third‑party applications.
3. Installing on Linux
3.1 System environment
<code># cat /etc/redhat-release<br/>CentOS release 6.8 (Final)<br/><br/># uname -a<br/>Linux clsn.io 4.10.5-1.el6.elrepo.x86_64 ...<br/><br/># sestatus<br/>SELinux status: disabled</code>
3.2 Install Google Authenticator
3.2.1 Install dependencies
<code>yum -y install wget gcc make pam-devel libpng-devel</code>
3.2.2 Install PAM plugin
<code># wget https://github.com/google/google-authenticator/archive/1.02.tar.gz<br/># tar xf 1.02.tar.gz<br/># cd google-authenticator-1.02/libpam/<br/># ./bootstrap.sh<br/># ./configure<br/># make && make install</code>
3.2.3 Copy .so file
The build installs the module under /usr/local/lib/security, but PAM on 64-bit CentOS 6 loads modules from /lib64/security, so copy it there:
<code># cp /usr/local/lib/security/pam_google_authenticator.so /lib64/security/</code>
4. Configure SSH + Google Authenticator
4.1 Initial configuration
Run google-authenticator as the user who will log in; it writes that user's ~/.google_authenticator (here /root/.google_authenticator). Answer y to the time-based question: that selects TOTP, which is what the phone app, the browser extensions and the Python client all compute. Answering n would switch the account to counter-based HOTP codes, which those clients do not produce and which the "three tokens are valid at any one time" skew prompt does not apply to.
<code># google-authenticator<br/>Do you want authentication tokens to be time-based (y/n) y<br/>... (QR code generated) ...<br/>Your new secret key is: ****<br/>Your verification code is 5****0<br/>Your emergency scratch codes are:<br/> 40****84<br/> 19****95<br/> 60****78<br/> 83****92<br/> 31****58<br/>Do you want me to update your "/root/.google_authenticator" file? (y/n) y<br/>By default, three tokens are valid at any one time...<br/>Do you want to enable rate‑limiting (y/n) y</code>
The secret key and the scratch codes in that file are the second factor: leave the file at mode 0400, and keep the scratch codes offline, since each one grants a login without the phone.
4.2 SSH PAM configuration
<code># vim /etc/pam.d/sshd<br/>auth required pam_google_authenticator.so<br/># cat /etc/pam.d/sshd<br/>auth required pam_sepermit.so<br/>auth required pam_google_authenticator.so<br/>auth include password-auth<br/>account required pam_nologin.so<br/>account include password-auth<br/>password include password-auth<br/>session required pam_selinux.so close<br/>session required pam_loginuid.so<br/>session required pam_selinux.so open env_params<br/>session required pam_namespace.so<br/>session optional pam_keyinit.so force revoke<br/>session include password-auth</code>
Placing the module above the password-auth include means a login is prompted for the verification code first and the password second, and both must pass. Every user who logs in over SSH now needs a ~/.google_authenticator file, otherwise pam_google_authenticator.so fails for that user; the module's nullok option lets users without a file through while you roll it out.
Then edit /etc/ssh/sshd_config so that sshd hands the login to PAM's keyboard-interactive conversation, which is what delivers the "Verification code:" prompt. With ChallengeResponseAuthentication set to no the module is never consulted, so both directives must be yes:
<code># vim /etc/ssh/sshd_config<br/>ChallengeResponseAuthentication yes<br/>UsePAM yes</code>
Public-key logins do not go through the PAM auth stack, so a user with an authorized key is not asked for a code unless sshd requires both methods (AuthenticationMethods publickey,keyboard-interactive, available from OpenSSH 6.2). On the CentOS 6 system shown here, which ships OpenSSH 5.3, the second factor therefore protects password logins only.
Restart the SSH service, and keep the current session open until a fresh login from a second terminal has been verified:
<code># service sshd restart</code>
5. Client usage
5.1 Android client
Download the Google Authenticator app (version 5.00, updated 2017‑09‑27 at the time of writing) from the Google Play Store, then add the account by scanning the QR code printed by google-authenticator or by typing the secret key by hand.
5.2 Browser extensions
Chrome and Firefox extensions for Google Authenticator generate a new OTP every 30 seconds and can be used on desktop browsers. Keep in mind that an extension stores the TOTP secret on the same machine that holds your SSH client and keys, so a compromise of that workstation yields both factors; a separate device is the stronger choice.
5.3 Python client
The script below is written for Python 3 and prints the code for the current 30‑second step from the base32 secret shown by google-authenticator:
<code>import base64, hashlib, hmac, struct, time<br/><br/>def calGoogleCode(secretKey):<br/>    # TOTP (RFC 6238): the counter is the number of 30-second steps since the Unix epoch<br/>    counter = int(time.time()) // 30<br/>    # the secret printed by google-authenticator is base32; b32decode expects upper case<br/>    key = base64.b32decode(secretKey.upper())<br/>    msg = struct.pack(">Q", counter)<br/>    digest = hmac.new(key, msg, hashlib.sha1).digest()<br/>    # dynamic truncation (RFC 4226): the low nibble of the last byte selects 4 bytes<br/>    o = digest[19] & 15<br/>    code = (struct.unpack(">I", digest[o:o+4])[0] & 0x7fffffff) % 1000000<br/>    # zero-pad to six digits; codes such as 007081 carry leading zeros<br/>    return str(code).zfill(6)<br/><br/>secretKey = '***your secret***'<br/>print(calGoogleCode(secretKey))</code>
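The client above only produces a code. To see what the PAM module is doing with it on the server side, here is an added example (my own code, not from the original post or from the google-authenticator project): RFC 4226 HOTP and RFC 6238 TOTP, plus the checks the module applies at login that were chosen in section 4.1, namely the skew window, single use of an accepted code, emergency scratch codes and the rate limit. The layout of ~/.google_authenticator that it parses (base32 secret on the first line, option lines beginning with `" `, then one scratch code per line) is an assumption, the sample file is constructed, its scratch codes are made up, and its secret is the RFC 6238 test key "12345678901234567890" in base32.

```python
import base64
import hashlib
import hmac
import struct
import time

# Added example, not code from the original post. Server-side counterpart of
# the section 5.3 client: RFC 4226 HOTP / RFC 6238 TOTP plus the checks the PAM
# module applies on login (skew window, single use of a code, emergency scratch
# codes, rate limit). Assumption: ~/.google_authenticator holds the base32 secret
# on line 1, option lines beginning with '" ', then one scratch code per line.


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)   # keep leading zeros


def totp(secret: bytes, now: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP with the counter taken from Unix time in 30 s steps."""
    return hotp(secret, now // step, digits)


def load_google_authenticator(text: str):
    """Split the assumed file layout into (base32 secret, options, scratch codes)."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    secret, options, scratch = lines[0], {}, []
    for line in lines[1:]:
        if line.startswith('"'):
            name, *args = line[1:].split()
            options[name] = args
        else:
            scratch.append(line)
    return secret, options, scratch


class TotpVerifier:
    def __init__(self, secret_b32, scratch_codes, window=3, rate_limit=(3, 30), step=30):
        self.secret = base64.b32decode(secret_b32.upper())
        self.scratch = set(scratch_codes)   # emergency codes, each valid once
        self.window = window                # WINDOW_SIZE 3: current step and +/- 1
        self.max_attempts, self.period = rate_limit   # RATE_LIMIT n m
        self.step = step
        self.used_steps = set()             # DISALLOW_REUSE: a step's code is accepted once
        self.attempts = []                  # timestamps of recent attempts

    def verify(self, code: str, now: int) -> bool:
        # RATE_LIMIT n m: refuse the (n+1)th attempt within m seconds, right or wrong.
        self.attempts = [t for t in self.attempts if now - t < self.period]
        if len(self.attempts) >= self.max_attempts:
            return False
        self.attempts.append(now)

        code = code.strip()
        if code in self.scratch:            # scratch code: burn it on use
            self.scratch.discard(code)
            return True

        centre = now // self.step
        half = self.window // 2
        for candidate in range(centre - half, centre + half + 1):
            if hmac.compare_digest(hotp(self.secret, candidate), code):
                if candidate in self.used_steps:
                    return False            # replay of a code already accepted
                self.used_steps.add(candidate)
                return True
        return False


def verifier_from_file(text: str) -> TotpVerifier:
    secret, options, scratch = load_google_authenticator(text)
    window = int(options.get("WINDOW_SIZE", ["3"])[0])
    n, m = options.get("RATE_LIMIT", ["3", "30"])
    return TotpVerifier(secret, scratch, window=window, rate_limit=(int(n), int(m)))


# Constructed sample file: the RFC 6238 test secret ("12345678901234567890" in
# base32) and made-up scratch codes, not any real user's file.
SAMPLE_FILE = """GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ
" RATE_LIMIT 3 30
" WINDOW_SIZE 3
" DISALLOW_REUSE
" TOTP_AUTH
40000084
19000095
"""

if __name__ == "__main__":
    verifier = verifier_from_file(SAMPLE_FILE)
    now = int(time.time())
    code = totp(verifier.secret, now)       # what the phone would show right now
    print(code, verifier.verify(code, now), verifier.verify(code, now))  # True, then False
```

The window of three steps is why a code still works for up to 30 seconds after the phone moves on, and also why the server must remember which step it has already accepted: without the used_steps check, a code captured over the shoulder could be replayed inside that window. The rate limit counts wrong and right attempts alike, which is what stops an attacker from walking the million-code space while a user is typing.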