How to configure 2FA authentication using Google authenticator on Centos 7 CLI.

This is a quick reference guide on how to configure 2FA authentication using Google authenticator on Centos 7.

WARNING: Please be extremely cautious when configuring this as you could potentially lock yourself out of your system if mis-configured.

In this guide I will create a separate user for 2FA authentication and leave root as password authentication only.

1. Create a new user

[root@vpscen ~]# adduser authtest
[root@vpscen ~]# passwd authtest
Changing password for user authtest.
New password:
Retype new password:
passwd: all authentication tokens updated successfully.

2. Edit /etc/ssh/sshd_config

[root@vpscen ~]# nano /etc/ssh/sshd_config

Change ChallengeResponseAuthentication to yes

# Change to no to disable s/key passwords
ChallengeResponseAuthentication yes
#ChallengeResponseAuthentication no

3. Install Google Authenticator

[root@vpscen ~]#yum update
[root@vpscen ~]# yum install google-authenticator

4. Change to user and run Google Authenticator

IMPORTANT: Only run this command in the user account that you would like to authenticate using 2FA Authentication.

[root@vpscen ~]# su authtest
[authtest@vpscen root]$ google-authenticator

Once you have run the google-authenticator command and answered some questions about your preferences, you will receive your token information to set up your token used to generate your OTP.

If by accident you run this command in the wrong user account: To revert this you can delete this from the users home directory by running the following command.

[root@vpscen ~]#rm /home/authtest/.google_authenticator

To remove from root

[root@vpscen ~]#rm .google_authenticator

5. Change back to root and edit /etc/pam.d/sshd

[authtest@vpscen ssh]$ exit
[root@vpscen ssh]#
nano /etc/pam.d/sshd

add the following line to the bottom of the file:

auth required nullok

6. Restart sshd

[root@vpscen ssh]# service sshd restart

7. Test Authentication

At this point I would open a duplicate putty window and test that root still has password authentication.

To test the 2FA authentication – you will be prompted for you password and then your OTP that is generated using your google Authenticator app.

If you are new to the world of Linux, an avid Linux enthusiast or a student why not try our 0.99p per month Linux VPS.

Simply click on the screen shot below to find out more or navigate to

Thank you for reading and please feel free to leave any feedback.

Leave a Reply

Please log in using one of these methods to post your comment: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s