Lab Project: 2FA with Google Authenticator

  • Piggybacking off of @scottalanmiller's Jump Box tutorial, I'm going to create a quick tutorial for 2FA on a Jump Box or whatever you would like to use it on.

    First create a new Jump Box or use an existing server:


    Update the server:

    yum update

    Then install packages:

    # Enable EPEL first so the packages it provides (such as fail2ban) can be resolved
    yum install epel-release
    yum install unzip fail2ban pam-devel make gcc wget automake autoconf libtool qrencode ntp

    Download the GitHub repo for Google Authenticator:





    cd google-authenticator/libpam/

    Next, compile Google Authenticator:

    make install
    ln -s /usr/local/lib/security/ /usr/lib64/security/

    Add this line in /etc/pam.d/sshd:

    auth       required


    sed -r -i 's/#ChallengeResponseAuthentication yes/ChallengeResponseAuthentication yes/g' /etc/ssh/sshd_config
    sed -r -i 's/ChallengeResponseAuthentication no/#ChallengeResponseAuthentication no/g' /etc/ssh/sshd_config

    Reload ssh:

    systemctl reload sshd

    Start ntp:

    systemctl start ntpd

    Finally, use this to get the QR code and key:

    google-authenticator -tdf --rate-limit=3 --rate-time=30 --window-size=17

    That's about it. Now you can use 2FA on your Jump Box or whatever server you choose.
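What `--window-size=17` in the command above accepts, as an added example that is not part of the original post or of the google-authenticator project's code: a TOTP check (RFC 6238 over RFC 4226) in which a window of 17 admits the 8 time steps before and the 8 after the current one, about 4 minutes of clock skew either way. The function names are hypothetical and the key is the RFC 4226 test key, used here as constructed sample input.

```python
import base64
import hashlib
import hmac
import struct

STEP = 30  # seconds per time step, the TOTP default


def decode_secret(b32: str) -> bytes:
    """Decode a base32 secret key as printed next to the QR code."""
    b32 = b32.replace(" ", "").upper()
    return base64.b32decode(b32 + "=" * (-len(b32) % 8))


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte counter, then dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def totp(key: bytes, now: int, digits: int = 6) -> str:
    """RFC 6238: HOTP with the counter set to the current time step."""
    return hotp(key, now // STEP, digits)


def verify(key: bytes, code: str, now: int, window_size: int = 17):
    """Return the matching step offset, or None if no step in the window matches."""
    half = (window_size - 1) // 2
    current = now // STEP
    for offset in range(-half, half + 1):
        step = current + offset
        if step >= 0 and hmac.compare_digest(hotp(key, step), code):
            return offset
    return None


# Constructed sample: the RFC 4226 test key, base32-encoded.
KEY = decode_secret("GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ")

if __name__ == "__main__":
    old_code = totp(KEY, 0)   # code generated at t=0
    now = 8 * STEP            # verifier's clock is 240 s later
    print("window 17:", verify(KEY, old_code, now, 17))  # accepted, 8 steps back
    print("window 3: ", verify(KEY, old_code, now, 3))   # rejected
```

The sketch models only the time window; the `-d` (disallow reuse) and `--rate-limit` options from the command are not modelled.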

  • That's awesome. This was actually on my list to do. Thanks!

  • So I figured out that if you want to use key-based authentication you need to change the line from

    auth       required

    to

    auth       sufficient

    You will also need to add this line to your /etc/ssh/sshd_config file:

    AuthenticationMethods publickey,keyboard-interactive

    Then set up the public key like you normally would and disable password logins. If you leave it as required, it will always ask you for a password.

  • Nice Guide. Can you please add a link to the Jumpbox guide, I missed it.....

  • @anonymous said:

    Nice Guide. Can you please add a link to the Jumpbox guide, I missed it.....
