Playing with Google Authenticator and Oracle Cloud – Securing SSH to Oracle account with two factor authentication

The Requirement

Increase security when connecting via SSH to the Oracle OS account at Oracle Cloud by implementing two factor authentication (TFA or 2FA).

The Environment

  • Oracle Cloud Instance
  • OS: Oracle Linux 6.9

The Implementation

For this exercise we will implement Google Authenticator as our TFA solution in our Oracle Cloud Instance and configure it to secure the Oracle OS account.

Note: Google Authenticator doesn't connect to Google when authenticating; all the work happens on your SSH server and your phone. Google Authenticator is open-source software, which means you can check the code yourself.

Step 1 – Install dependencies for Google Authenticator Module

The first step is to connect as root to your server (in this case our instance at Oracle Cloud) and install the required dependency package "pam-devel", as shown below:

$ yum install pam-devel


Step 2: Download Google Authenticator Module

You can find the open source code of Google Authenticator here and compile it yourself, or download the compiled, ready-to-use version here.

In my case, I decided to download the compiled version, as below:

$ wget


Step 3: Install the Google Authenticator Module

Install the downloaded Google Authenticator module by issuing the rpm command as shown below:

$ rpm -ivh google-authenticator-0-0.3.20110830.hgd525a9bab875.el6.x86_64.rpm


Step 4: Run and configure Google Authenticator

The next step is to set up Google Authenticator for the oracle OS user account. For this we will need to:

  1. Connect to the oracle account by issuing su - oracle
  2. Execute the command google-authenticator as oracle
  3. Enter y [yes] when asked to update your "~/.google_authenticator" file
  4. Enter y [yes] when asked to disallow multiple uses of the same authentication token
  5. Enter y [yes] when asked to confirm that tokens are good for 30 seconds, with an allowance to compensate for possible time-skew between the client and the server
  6. Enter y [yes] when asked to limit attackers to no more than 3 login attempts every 30s


Note 1: Please save the Secret Key, because we will need it later.

Note 2: Save the emergency scratch codes, because you never know when you will need one 😉

Note 3: Keep the page with the secret key open; otherwise the key will not work when you enter it into the app later. If you closed it, just connect as the oracle user and run the command to install and configure Google Authenticator again (step 4).
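How the six-digit code is derived and checked, as an added example that is not from the original post or from the google-authenticator project: time-based one-time passwords (RFC 6238) in Python with the step 4 choices applied (30-second tokens, one extra token before and after for time skew, no reuse of a code). The secret is the published RFC 6238 test key, not a real one, and the names totp and Verifier are illustrative.

```python
import base64
import hashlib
import hmac
import struct

STEP = 30    # seconds each token is valid for
WINDOW = 1   # extra tokens accepted before/after "now" to absorb time skew

# RFC 6238 test key ("12345678901234567890") in base32; never use it for real.
TEST_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"

def totp(secret_b32, unix_time, digits=6):
    """Return the code an authenticator app shows at unix_time."""
    s = secret_b32.upper().replace(" ", "")
    key = base64.b32decode(s + "=" * (-len(s) % 8))
    counter = int(unix_time) // STEP
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

class Verifier:
    """Server-side check: skew window plus single use of each token."""

    def __init__(self, secret_b32):
        self.secret = secret_b32
        self.used = set()   # time-step counters that were already accepted

    def check(self, code, now):
        current = int(now) // STEP
        for counter in range(current - WINDOW, current + WINDOW + 1):
            if counter < 0 or counter in self.used:
                continue    # a token that was used once is never accepted again
            expected = totp(self.secret, counter * STEP)
            if hmac.compare_digest(expected.encode(), code.encode()):
                self.used.add(counter)
                return True
        return False

if __name__ == "__main__":
    v = Verifier(TEST_SECRET)
    code = totp(TEST_SECRET, 59)
    print(code, v.check(code, 89), v.check(code, 89))
```

The server and the phone only need the shared secret and roughly synchronized clocks, which is why the secret key and the `~/.google_authenticator` file should be protected like a password.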

Step 5: Configure SSH to use Google Authenticator PAM Module

Connect as root again and open your PAM configuration file /etc/pam.d/sshd (using vi /etc/pam.d/sshd), then add the following line at the top of the file:

auth required


Next up, open your SSH configuration file /etc/ssh/sshd_config (using vi /etc/ssh/sshd_config), and modify the line containing ChallengeResponseAuthentication no:

ChallengeResponseAuthentication no
(change it to)
ChallengeResponseAuthentication yes


To have these changes take effect, restart the SSH server using one of the commands below:

service ssh restart
service sshd restart
/etc/init.d/ssh restart
/etc/init.d/sshd restart

Why show 4 commands? Because it depends on your Linux distribution: some refer to the SSH daemon as sshd and some as ssh, some have the service command installed, and some require you to go into the /etc/init.d folder and restart the SSH service manually.


Note: Do not forget to set a password for the oracle user if you have not done so previously.

$ passwd oracle
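A check of the two files edited in step 5, as an added example that is not from the original post: sshd uses the first value it reads for each keyword, so a leftover `ChallengeResponseAuthentication no` line above a newly added `yes` line silently wins. The module file name pam_google_authenticator.so is an assumption, because the PAM line on this page is cut off after "auth required"; `UsePAM yes` is also checked since sshd needs it to consult PAM at all, and the sample file contents are constructed.

```python
PAM_MODULE = "pam_google_authenticator.so"   # assumed module file name

def effective_sshd_options(config_text):
    """Global sshd_config keywords; the first value read for a keyword wins."""
    options = {}
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        keyword = parts[0].lower()
        if keyword == "match":
            break   # Match blocks are conditional; audit the global section only
        value = parts[1].strip().lower() if len(parts) > 1 else ""
        options.setdefault(keyword, value)   # later duplicates are ignored
    return options

def audit(sshd_config, pam_sshd):
    """Return a list of findings; an empty list means step 5 looks applied."""
    findings = []
    opts = effective_sshd_options(sshd_config)
    for keyword in ("challengeresponseauthentication", "usepam"):
        if opts.get(keyword) != "yes":
            findings.append(
                f"sshd_config: effective {keyword} is "
                f"{opts.get(keyword, 'unset')!r}, expected 'yes'")
    # Non-comment lines of type "auth", in file order.
    auth = [l.split() for l in pam_sshd.splitlines() if l.split()[:1] == ["auth"]]
    if not auth or auth[0][1:3] != ["required", PAM_MODULE]:
        findings.append(
            f"pam.d/sshd: first auth line is not 'auth required {PAM_MODULE}'")
    return findings

# Constructed sample file contents.
GOOD_SSHD = "UsePAM yes\nChallengeResponseAuthentication yes\n"
BAD_SSHD = ("ChallengeResponseAuthentication no\nUsePAM yes\n"
            "ChallengeResponseAuthentication yes\n")   # the appended line loses
GOOD_PAM = ("#%PAM-1.0\nauth required pam_google_authenticator.so\n"
            "auth include password-auth\n")
BAD_PAM = ("#%PAM-1.0\nauth include password-auth\n"
           "auth required pam_google_authenticator.so\n")

if __name__ == "__main__":
    for name, cfg, pam in (("good", GOOD_SSHD, GOOD_PAM), ("bad", BAD_SSHD, BAD_PAM)):
        print(name, audit(cfg, pam))
```

Keep an existing root session open while restarting sshd and testing, so a mistake in either file does not lock you out.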

Step 6: Configure your SmartPhone for Google Authenticator App

Now it is time to install the Google Authenticator app on your phone and configure it. You can download it from:

More detailed per device install instructions can be found on this page:

Assuming you managed to install the app properly, launch the Google Authenticator app on your smartphone (my example uses iOS).

Click on Begin Setup at the bottom of the screen and select Manual Entry.


Enter an Account Name that easily identifies it for you, enter the Secret Key generated when you installed and configured Google Authenticator in step 4, then click OK at the top right of the screen.


Now you are ready to use it 🙂



Step 7: Test Connectivity

Now connect to the oracle account on your server via SSH, enter the Google Authenticator code shown in your app, then enter the password for your oracle user, and DONE!


Have fun, Francisco Munoz Alvarez

2 comments on “Playing with Google Authenticator and Oracle Cloud – Securing SSH to Oracle account with two factor authentication”
  1. David Horgan says:

    Thanks for this, great blog with clear steps to follow. One question, does this only work in Cloud environments or is it possible to use in an On Premise setup also? And also for various other users?


    • Hi David, thank you so much for your kind words. Regarding your question, it can be implemented on any Cloud environment and on premise also. I have implemented it on many on-premises environments before with success. You can implement it for any OS user and also use the same authentication on different servers by installing everything on the other servers and copying your initial .google_authenticator file to the servers. This way you can use your code to access all your servers instead of having a code for each one.

      Hope this helps, Francisco
