個人的なメモを残しておきます。

前準備

$ sudo yum -y groupinstall "Development Tools"
$ sudo yum -y install pam-devel

Google Authenticatorのpamモジュールをインストールする

github.com

$ git clone https://github.com/google/google-authenticator-libpam.git
$ cd google-authenticator-libpam/
$ ./bootstrap.sh
$ ./configure
$ make
$ sudo make install

sshdとpamの設定

$ sudo cp /usr/local/lib/security/pam_google_authenticator.so /usr/lib64/security/
$ sudo cp -p /etc/ssh/sshd_config /etc/ssh/sshd_config.bak
$ sudo vi /etc/ssh/sshd_config
$ sudo diff /etc/ssh/sshd_config /etc/ssh/sshd_config.bak
82,83c82,83
< ChallengeResponseAuthentication yes
< #ChallengeResponseAuthentication no
---
> #ChallengeResponseAuthentication yes
> ChallengeResponseAuthentication no
$ sudo sshd -t
$ sudo systemctl restart sshd
$ sudo vi /etc/pam.d/google-auth
$ cat /etc/pam.d/google-auth
#%PAM-1.0
auth required pam_env.so
auth sufficient pam_google_authenticator.so try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth required pam_deny.so
$ sudo cp -p /etc/pam.d/sshd /etc/pam.d/sshd.bak
$ sudo vi /etc/pam.d/sshd
$ sudo diff /etc/pam.d/sshd /etc/pam.d/sshd.bak
3c3
< #auth       substack     password-auth
---
> auth       substack     password-auth
21,22d20
< auth substack google-auth

OTPの設定(このときにQRコードも表示されるのでアプリを設定する)

$ google-authenticator

sudoにも適用してみよう

$ sudo cp /etc/pam.d/sudo /etc/pam.d/sudo.bak
$ sudo vi /etc/pam.d/sudo
$ diff /etc/pam.d/sudo /etc/pam.d/sudo.bak
2d1
< auth       substack     google-auth