Frequently Asked Question

Enable Two factor authentication on CentOS
Last Updated 3 years ago

1. Install EPEL and Google authenticator
# yum install epel-release -y
# yum update
# yum install google-authenticator -y

2. Under the user for which 2FA has to be enabled, initialize the app
$ google-authenticator
Do you want authentication tokens to be time-based (y/n) yes
Scan the QR code. If the QR code is not shown in the console, copy the http link and paste it into a browser to get the QR code.
Your new secret key is: XXXXXXXXXXXXXXXXXXXXXXXXXXXX
Enter code from app (-1 to skip):
3. Enter yes for remaining queries
4. Edit /etc/pam.d/sshd
5. Add the following entry as the last entry. "nullok" means google-authenticator is not enforced: users who have not set up 2FA can still log in without a verification code. It can be removed once all users have 2FA set up
auth required pam_google_authenticator.so nullok
6. The same entry has to be added to any other services in /etc/pam.d for which you intend to use 2FA. Remove or keep "nullok" as required
7. Edit the following entries in /etc/ssh/sshd_config
PasswordAuthentication yes
ChallengeResponseAuthentication yes
8. Add the following line. The "publickey" option is key-based authentication, if required
AuthenticationMethods publickey,password publickey,keyboard-interactive
9. Restart the sshd service
10. You will notice that the user will be prompted with 3 authentication options - publickey (ssh-key), password and verification code for ssh
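
A check for steps 5 to 8, added here as an example and not part of the original FAQ: it reads a PAM service file and an sshd_config and reports a missing module line, a leftover "nullok", and AuthenticationMethods lists that never reach the keyboard-interactive prompt that carries the verification code. The helper names `sshd_value` and `audit_2fa` are hypothetical, and the sample files are constructed to mirror the settings above.

```shell
#!/bin/sh
# Added example: audit the PAM and sshd settings from the steps above.
# Simplification (assumption): Match blocks and Include files are not parsed.

# First uncommented value of a keyword; sshd uses the first value it reads.
sshd_value() {  # $1 = keyword (case-insensitive), $2 = sshd_config path
    awk -v k="$1" 'tolower($1) == tolower(k) { $1 = ""; sub(/^[ \t]+/, ""); print; exit }' "$2"
}

# Prints findings; returns 0 when nothing needs fixing, 1 otherwise.
audit_2fa() {  # $1 = PAM service file, $2 = sshd_config
    rc=0
    pam_line=$(grep -E '^[[:space:]]*auth[[:space:]].*pam_google_authenticator\.so' "$1" || true)
    if [ -z "$pam_line" ]; then
        echo "FAIL: pam_google_authenticator.so missing from $1"; rc=1
    elif printf '%s\n' "$pam_line" | grep -qw nullok; then
        echo "WARN: nullok present, users without a secret key skip the code"; rc=1
    fi
    cr=$(sshd_value ChallengeResponseAuthentication "$2")
    if [ "${cr:-yes}" != yes ]; then   # unset falls back to the OpenSSH default (yes)
        echo "FAIL: ChallengeResponseAuthentication is '$cr', expected yes"; rc=1
    fi
    methods=$(sshd_value AuthenticationMethods "$2")
    case "$methods" in
        *keyboard-interactive*) ;;
        *) echo "FAIL: no AuthenticationMethods list includes keyboard-interactive"; rc=1 ;;
    esac
    for list in $methods; do   # each space-separated list is an alternative
        case "$list" in
            *keyboard-interactive*) ;;
            *) echo "NOTE: list '$list' has no keyboard-interactive step" ;;
        esac
    done
    return "$rc"
}

# Constructed sample files mirroring steps 5, 7 and 8 (not read from a live host).
sample_dir=$(mktemp -d)
printf 'auth required pam_google_authenticator.so nullok\n' > "$sample_dir/pam_sshd"
cat > "$sample_dir/sshd_config" <<'EOF'
PasswordAuthentication yes
ChallengeResponseAuthentication yes
AuthenticationMethods publickey,password publickey,keyboard-interactive
EOF
audit_2fa "$sample_dir/pam_sshd" "$sample_dir/sshd_config" || echo "review the findings above"
```

To audit a live host, pass /etc/pam.d/sshd and /etc/ssh/sshd_config as the two arguments.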
