We are going to walk you through the process to setup SSH two-factor authentication (2FA) and on RPM-based Linux operating system. We have tested steps works on RHEL/CentOS/RockyLinux. You will need to install Google Authenticator which generate time-based one-time passcode (OTP) on your device to be used for two factor authentication. If you’re really concerned about unauthorized access to your computer, you should definitely add an additional layer of authentication which may help to protect your servers from internal or external threats.
Here, we will use the Google PAM module to enable 2FA so that users can login using time-base-one-time password (TOTP).
Before you begain –
Warning – Before adding your system into two-factor authentication (2FA), you must know that without generated codes, you will not be able to gain access to you system. Every time you want to log in, you should have either smartphone or emergency codes.
. Authenticator application should be installed on your mobile device such as Google Authenticator or Authy.
. Time should be sync.
. Take configuration file backup
Google Authentication PAM module is not available of RPM-based distro, so add the EPEL repository as below.
Enable EPEL Repository
# yum install epel-release
Install Google Authentication module on a RPM-based Linux system with following command.
# dnf install google-authenticator qrencode-libs -y
Once the package is installed login with the user you want to protect with the two-factor authentication. Run following command to begin google-authenticator configuration
This will asks bunch of questions, most of the questions, answer YES unless you require something else other than the default. Keep the above QR code and other codes in a safe location. You might need them if you can’t access Google Authenticator on your phone or lose it.
Install Google Authenticator
Download and install Google Authenticator before enabling and configuring two factor authentication from “Play Store” or “App Store” based on your device.
Next, add an account scanning QR code of the key which was generated at earlier step. you should start getting OTP once you add the account to login on you Linux box.
Configure /etc/pam.d/sshd module
Configure SSH to use Google Authenticator, open file with your favorite editor /etc/pam.d/sshd and add the following line. With the nullok option on the line, SSH will not require an OTP code for users on the machine that are not configured for 2FA.
Note: Always take Config file backup before doing changes in the files.
auth required pam_google_authenticator.so nullok
auth required pam_unix.so no_warn try_first_pass
# vi /etc/ssh/sshd_config
Search line “ChallengeResponseAuthentication no” and change it to “yes” or if the entry is already there and commented with #, remove it and restarted the SSHD service.
# systemctl restart sshd.serivice
Let us test our setup, open terminal and SSH into the Linux host. Open Google Authenticator app on your device and system will prompt for the verification code as shown below:
What if you loose the code or device
In each user’s home directory Google Authenticator settings are saved in a form of hidden file as .google_authenticator. If you open a file, the very first line of the file is a secret key, type it into your authenticator app and you are done.
That’s it. In this post, we have seen how easily can be setup 2FA Google Authenticator on RPM-based Linux. Please share it with others and use comment box below to raise a query if any. Also follow us on tecluesdotcom Facebook Official Page.