[HowTo] Secure Your VestaCP Centos 7 VPS with Two-factor Google Authenticator
[HowTo] Secure Your VestaCP Centos 7 VPS with Two-factor Google Authenticator
Install the Google-Authenticator
Google-Authenticator app is available on all of the mobile phones, you can download the Android app from Google Play and the IOS app (iPhone users) from the App Store.
Installing Google’s PAM
PAM (Pluggable Authentication Module) is authentication infrastructure based on Linux system to authenticate a user.
First of all install EPEL repository with the following command:
Now install the Google’s PAM:
Configuring Google’s PAM
After the installation process is finished, you can run the script which helps you generate a key for the user you want to add a second factor for, this key is generated on a user-based system not system-wide, this means every user that wants to use an OTP auth will need to log in and run the generator script to get their own key.
Execute the following command to run the initialization script:
After you run the command, you’ll be asked a few questions. The first one asks if authentication tokens should be time-based. it’s recommended to answer with “Y”.
After that, a huge QR code will appear on your terminal which you have to scan it with your Phone so the profile automatically adds to your Google-Authenticator app.
And also make sure to write down the “secret key”, “verification code”, and “emergency scratch codes” So if you lost your phone or accidentally remove the Application from it you will be able to log in to your server.
Now you will be prompt for some questions which inform PAM how to function, go ahead and answer them with “Y” or “N” and it’s pretty easy to choose whats best for you.
Configuring SSH
After you answered all the questions, your Google’s PAM is ready and configured. now we just have to do some configuration for our SSH.
Open up the SSH configuration file with the following command:
Add the following line at the very end of the file:
Now we will configure SSH to support this kind of authentication, Open the “sshd_config” file with the command below:
Look for the line that refers to “ChallengeResponseAuthentication” and set its value to “yes”. like below:
Restart your SSH service and you are good to go:
From now on you will be asked for a “Verification-code”, which you have to get if from your Google-Authenticator app form your phone.
Google-Authenticator app is available on all of the mobile phones, you can download the Android app from Google Play and the IOS app (iPhone users) from the App Store.
Installing Google’s PAM
PAM (Pluggable Authentication Module) is authentication infrastructure based on Linux system to authenticate a user.
First of all install EPEL repository with the following command:
Code: Select all
yum install epel-releaseCode: Select all
yum install google-authenticatorAfter the installation process is finished, you can run the script which helps you generate a key for the user you want to add a second factor for, this key is generated on a user-based system not system-wide, this means every user that wants to use an OTP auth will need to log in and run the generator script to get their own key.
Execute the following command to run the initialization script:
Code: Select all
google-authenticatorAfter that, a huge QR code will appear on your terminal which you have to scan it with your Phone so the profile automatically adds to your Google-Authenticator app.
And also make sure to write down the “secret key”, “verification code”, and “emergency scratch codes” So if you lost your phone or accidentally remove the Application from it you will be able to log in to your server.
Now you will be prompt for some questions which inform PAM how to function, go ahead and answer them with “Y” or “N” and it’s pretty easy to choose whats best for you.
Configuring SSH
After you answered all the questions, your Google’s PAM is ready and configured. now we just have to do some configuration for our SSH.
Open up the SSH configuration file with the following command:
Code: Select all
nano /etc/pam.d/sshdCode: Select all
auth required pam_google_authenticator.so nullokCode: Select all
nano /etc/ssh/sshd_configCode: Select all
ChallengeResponseAuthentication yesCode: Select all
systemctl restart sshd-
adamjedgar
- Posts: 43
- Joined: Tue Apr 18, 2017 7:55 am
Re: [HowTo] Secure Your VestaCP Centos 7 VPS with Two-factor Google Authenticator
Has anyone tried this recently?
I just followed this through and I am not asked for Google Authentication (login in using either root or admin users)
Does it only apply to normal users?
I just followed this through and I am not asked for Google Authentication (login in using either root or admin users)
Does it only apply to normal users?
-
grayfolk
- Support team
- Posts: 1111
- Joined: Tue Jul 30, 2013 10:18 pm
- Contact:
- Os: CentOS 6x
- Web: nginx + php-fpm
Re: [HowTo] Secure Your VestaCP Centos 7 VPS with Two-factor Google Authenticator
This is applyed for SSH users only, not for login into Vesta CP via web interface.adamjedgar wrote: ↑Sat Jun 08, 2019 1:52 amHas anyone tried this recently?
I just followed this through and I am not asked for Google Authentication (login in using either root or admin users)
Does it only apply to normal users?
-
adamjedgar
- Posts: 43
- Joined: Tue Apr 18, 2017 7:55 am
Re: [HowTo] Secure Your VestaCP Centos 7 VPS with Two-factor Google Authenticator
Oh ok. No worries thanks for that.
Perhaps this could be a feature request for future versions as other control panels have this for the admin interface (ie Virtualmin uses it).
Perhaps this could be a feature request for future versions as other control panels have this for the admin interface (ie Virtualmin uses it).
-
servtelecom
- Posts: 24
- Joined: Mon Oct 22, 2018 3:30 pm
- Os: CentOS 6x
- Web: apache + nginx
Re: [HowTo] Secure Your VestaCP Centos 7 VPS with Two-factor Google Authenticator
It would be nice if it were applied to all services, that is to say that it would serve so that exim, dovecot and ssh, when having this option activated they have to force the device to be registered in order to be used.
Lately they are getting to guess the mail passwords and by many filters they put they do it equally, with this double validation, if the device is not in a server database, it could not use them.
More suggestions would be a greater control of fail2ban and also a greater control of exim to edit the files spam-block.conf white-list.conf to be able to block or let pass with more comfort of configuration
Lately they are getting to guess the mail passwords and by many filters they put they do it equally, with this double validation, if the device is not in a server database, it could not use them.
More suggestions would be a greater control of fail2ban and also a greater control of exim to edit the files spam-block.conf white-list.conf to be able to block or let pass with more comfort of configuration
Re: [HowTo] Secure Your VestaCP Centos 7 VPS with Two-factor Google Authenticator
I also think the same way. This is applied for SSH users only...servtelecom wrote: ↑Mon May 25, 2020 12:45 pmIt would be nice if it were applied to all services, that is to say that it would serve so that exim, dovecot and ssh, when having this option activated they have to force the device to be registered in order to be used.
Lately they are getting to guess the mail passwords and by many geometry dash filters they put they do it equally, with this double validation, if the device is not in a server database, it could not use them.
More suggestions would be a greater control of fail2ban and also a greater control of exim to edit the files spam-block.conf white-list.conf to be able to block or let pass with more comfort of configuration