How to enable 2FA for SSH logins on Rocky Linux, CentOS or RHEL


What is 2FA?

2FA, short for two-factor authentication, is an extra layer of security that checks that the person trying to access an online account is who they claim to be: after the login and password, the user has to provide an extra piece of information. This second factor can be one of the following:

  • Something you know: This could be a personal identification number (PIN), a password, answers to “secret questions” or a specific keystroke pattern
  • Something you have: Typically, a user would have something in their possession, like a credit card, a smartphone, or a small hardware token
  • Something you are: This category is a little more advanced, and might include the biometric pattern of a fingerprint, an iris scan, or a voice print
[Figure: 2FA (two-factor authentication complete process)]

Installation and configuration

Installing the necessary libraries

First things first: install the packages needed for 2FA, namely the EPEL repository, google-authenticator and the QR-code libraries:

dnf install epel-release -y
dnf install google-authenticator qrencode qrencode-libs -y
Install required libs

Setting up Google authenticator

Run the google-authenticator command as the user you want to protect; for the demo we use the user falcon.

The file ~/.ssh/.google_authenticator is used to store the initialization data for Google Authenticator, so move the file the tool created in the home directory there:

mv ~/.google_authenticator ~/.ssh/.google_authenticator
Note: Make sure you record the secret key, verification code, and the recovery codes in a safe place, like a password manager. The recovery codes are the only way to regain access if you, for example, lose access to your TOTP app.

The remaining questions tell the PAM module how to behave. We'll go through them one by one.

Do you want me to update your "~/.google_authenticator" file (y/n) y

This writes the key and options to the .google_authenticator file. If you say no, the program quits and nothing is written, which means the authenticator won’t work.

Do you want to disallow multiple uses of the same authentication
token? This restricts you to one login about every 30s, but it increases
your chances to notice or even prevent man-in-the-middle attacks (y/n) y

By answering yes here, you are preventing a replay attack by making each code expire immediately after use. This prevents an attacker from capturing a code you just used and logging in with it.

By default, tokens are good for 30 seconds and in order to compensate for
possible time-skew between the client and the server, we allow an extra
token before and after the current time. If you experience problems with poor
time synchronization, you can increase the window from its default
size of 1:30min to about 4min. Do you want to do so (y/n) n

Answering yes here allows up to 8 valid codes in a moving four-minute window. By answering no, you limit it to 3 valid codes in a 1:30-minute rolling window. Unless you run into issues with the 1:30-minute window, answering no is the more secure choice (in my case I answered yes).

If the computer that you are logging into isn't hardened against brute-force
login attempts, you can enable rate-limiting for the authentication module.
By default, this limits attackers to no more than 3 login attempts every 30s.
Do you want to enable rate-limiting (y/n) y

Rate limiting means a remote attacker can only make a certain number of guesses before being blocked. So if you haven't already configured rate limiting for SSH itself, enabling it here is a worthwhile hardening step.

Note: Once you finish this setup, if you want to back up your secret key, you can copy the ~/.ssh/.google_authenticator file (the one you moved above) to a trusted location. From there, you can deploy it on additional systems or redeploy it after a backup.
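The answers above end up as option lines in the state file, so they can be checked after the fact. The following audit script is an added example, not part of the original post or of the google-authenticator project: it reads a state file and reports the settings a defender cares about (replay protection, rate limit, window size, remaining scratch codes, file mode). The file layout it assumes (secret on the first line, options on lines starting with `" `, then 8-digit scratch codes) is what the google-authenticator CLI writes; the secret and scratch codes in the embedded samples are constructed, not real.

```shell
#!/bin/sh
# Added example, not from the original post: audit a google-authenticator
# state file for the options the prompts above write, plus its permissions.
# Assumed layout, as written by the google-authenticator CLI:
#   line 1             base32 TOTP secret
#   lines starting '" ' options, e.g.  " RATE_LIMIT 3 30   " WINDOW_SIZE 17
#                                      " DISALLOW_REUSE    " TOTP_AUTH
#   remaining lines    8-digit emergency scratch codes

# ga_has_option FILE NAME: true if the option line is present
ga_has_option() {
    grep -qE '^" '"$2"'( |$)' "$1"
}

# ga_option FILE NAME: print the option's arguments (empty if absent or bare)
ga_option() {
    grep -E '^" '"$2"'( |$)' "$1" | head -n 1 | sed -E 's/^" '"$2"' ?//'
}

# ga_audit FILE: print one finding per line; exit status = number of findings
ga_audit() {
    f=$1; n=0
    ga_has_option "$f" TOTP_AUTH || {
        echo "TOTP_AUTH missing: counter-based (HOTP) mode, codes do not expire with time"
        n=$((n+1)); }
    ga_has_option "$f" DISALLOW_REUSE || {
        echo "DISALLOW_REUSE missing: a code that was just used can be replayed"
        n=$((n+1)); }
    ga_has_option "$f" RATE_LIMIT || {
        echo "RATE_LIMIT missing: no throttle on OTP guessing"
        n=$((n+1)); }
    ws=$(ga_option "$f" WINDOW_SIZE)
    if [ -n "$ws" ] && [ "$ws" -gt 3 ]; then
        echo "WINDOW_SIZE $ws: more than the default 3 codes accepted at a time"
        n=$((n+1))
    fi
    codes=$(grep -cE '^[0-9]{8}$' "$f" || true)
    if [ "$codes" -eq 0 ]; then
        echo "no scratch codes left: losing the TOTP app means a lockout"
        n=$((n+1))
    fi
    mode=$(stat -c '%a' "$f" 2>/dev/null || stat -f '%Lp' "$f")
    case "$mode" in
        400|600) ;;
        *) echo "mode $mode: the secret should be readable by its owner only (0400)"
           n=$((n+1)) ;;
    esac
    return $n
}

# Constructed sample files (not real secrets): one hardened, one weak.
ga_write_sample() {
    cat > "$1" <<'EOF'
ABCDEFGHIJKLMNOPQRSTUVWXYZ234567
" RATE_LIMIT 3 30
" DISALLOW_REUSE
" TOTP_AUTH
12345678
23456789
EOF
}
ga_write_weak_sample() {
    cat > "$1" <<'EOF'
ABCDEFGHIJKLMNOPQRSTUVWXYZ234567
" WINDOW_SIZE 17
" TOTP_AUTH
12345678
EOF
}

# Demo: audit the file named on the command line, or the constructed sample.
if [ "$#" -ge 1 ]; then
    ga_audit "$1"
else
    t=$(mktemp); ga_write_sample "$t"; chmod 400 "$t"
    ga_audit "$t" && echo "constructed sample: no findings"
    rm -f "$t"
fi
```

Run it as `sh ga_audit.sh ~/.ssh/.google_authenticator` after setup; a non-zero exit status with findings such as a missing RATE_LIMIT line means one of the prompts above was answered differently from what the text recommends.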

Now that Google’s PAM is installed and configured, the next step is to configure SSH to use your TOTP key. We’ll need to tell SSH about the PAM and then configure SSH to use it.

Changes to sshd

We have to make some changes to the /etc/ssh/sshd_config file:

  • Uncomment PubkeyAuthentication yes
  • Set ChallengeResponseAuthentication to yes: ChallengeResponseAuthentication yes
  • Check that UsePAM is set to yes: UsePAM yes

At the end of the file, insert the new config below if you are using public key authentication:

AuthenticationMethods password publickey,keyboard-interactive
Warning: make sure you already have an SSH key configured for this setup; you will no longer be able to log in without a password.

Changes to pam.d

We also have to make some changes to /etc/pam.d/sshd, so open it with vi or your favourite editor:

  • Add a new line with this config: auth required pam_google_authenticator.so secret=${HOME}/.ssh/.google_authenticator

Testing the new config

First we have to restart the sshd service:

sudo systemctl restart sshd

Check with PuTTY (or any other SSH client) that it works:

Open a new session to test the new config without closing the old one, so that you can restore the old config (log in with the password, and so on) if something goes wrong.
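The sshd_config edits, the pam.d line and the final check can be scripted so that they are repeatable across hosts. The script below is an added example, not code from the original post or from any of the projects involved: it sets the four sshd_config directives from the steps above (replacing commented-out lines instead of appending duplicates, and keeping global directives above any Match block), inserts the pam_google_authenticator.so line once, and then verifies the result. Without arguments it runs against constructed sample files modelled on the stock Rocky/RHEL ones; the `--apply` mode, which edits the real files as root and restarts sshd only after `sshd -t` accepts the configuration, is an assumption of this example.

```shell
#!/bin/sh
# Added example, not from the original post: apply the sshd_config and
# /etc/pam.d/sshd changes from the steps above idempotently, then verify them.
# With no arguments it works on constructed sample files; with --apply it
# edits the real files (as root), validates with `sshd -t` and restarts sshd.

# sshd_set_directive FILE KEY VALUE: set a global directive. Replaces the first
# (possibly commented-out) occurrence and drops later duplicates; if absent,
# inserts it above the first Match block, where a global directive must live.
# Lines inside Match blocks are left alone.
sshd_set_directive() {
    tmp=$(mktemp)
    awk -v k="$2" -v v="$3" '
        BEGIN { re = "^[ \t]*#?[ \t]*" tolower(k) "([ \t]|$)"; done = 0; inmatch = 0 }
        /^[ \t]*[Mm]atch[ \t]/ { if (!done) { print k " " v; done = 1 }; inmatch = 1 }
        !inmatch && tolower($0) ~ re { if (!done) { print k " " v; done = 1 }; next }
        { print }
        END { if (!done) print k " " v }
    ' "$1" > "$tmp" && cat "$tmp" > "$1"   # cat keeps the mode and owner of FILE
    rm -f "$tmp"
}

# sshd_get FILE KEY: print the active global value of KEY (empty if unset)
sshd_get() {
    awk -v k="$2" 'BEGIN { k = tolower(k) }
        /^[ \t]*[Mm]atch[ \t]/ { exit }
        tolower($1) == k { sub(/^[ \t]*[^ \t]+[ \t]+/, ""); print; exit }' "$1"
}

# pam_add_google_authenticator FILE SECRET: add the module line once, right after
# the last existing auth line so the OTP prompt follows the password check.
# SECRET is passed literally ('${HOME}/...'): the PAM module expands it, not the shell.
pam_add_google_authenticator() {
    line="auth       required     pam_google_authenticator.so secret=$2"
    grep -q 'pam_google_authenticator\.so' "$1" && return 0   # already configured
    last=$(grep -nE '^[[:space:]]*auth[[:space:]]' "$1" | tail -n 1 | cut -d: -f1)
    tmp=$(mktemp)
    if [ -n "$last" ]; then
        awk -v n="$last" -v l="$line" '{ print } NR == n { print l }' "$1" > "$tmp"
    else
        { cat "$1"; printf '%s\n' "$line"; } > "$tmp"
    fi
    cat "$tmp" > "$1"; rm -f "$tmp"
}

# verify_2fa_config SSHD_CONFIG PAM_FILE: report each expected setting;
# exit status 0 only when all of them are in place
verify_2fa_config() {
    bad=0
    for want in "PubkeyAuthentication=yes" "ChallengeResponseAuthentication=yes" \
                "UsePAM=yes" "AuthenticationMethods=password publickey,keyboard-interactive"; do
        key=${want%%=*}; val=${want#*=}; got=$(sshd_get "$1" "$key")
        if [ "$got" = "$val" ]; then echo "ok    $key $got"
        else echo "FAIL  $key is '$got', expected '$val'"; bad=1; fi
    done
    if grep -qE '^[[:space:]]*auth[[:space:]]+required[[:space:]]+pam_google_authenticator\.so' "$2"
    then echo "ok    pam_google_authenticator.so present in $2"
    else echo "FAIL  pam_google_authenticator.so missing from $2"; bad=1; fi
    return $bad
}

# apply_ssh_2fa SSHD_CONFIG PAM_FILE: the whole procedure from the post
apply_ssh_2fa() {
    sshd_set_directive "$1" PubkeyAuthentication yes
    sshd_set_directive "$1" ChallengeResponseAuthentication yes
    sshd_set_directive "$1" UsePAM yes
    sshd_set_directive "$1" AuthenticationMethods "password publickey,keyboard-interactive"
    pam_add_google_authenticator "$2" '${HOME}/.ssh/.google_authenticator'
    verify_2fa_config "$1" "$2"
}

# Constructed sample files modelled on the stock Rocky/RHEL ones (abridged)
make_sample_sshd_config() {
    cat > "$1" <<'EOF'
Include /etc/ssh/sshd_config.d/*.conf
#PubkeyAuthentication yes
PasswordAuthentication yes
ChallengeResponseAuthentication no
UsePAM yes
Match User backup
    PasswordAuthentication no
EOF
}
make_sample_pam_sshd() {
    cat > "$1" <<'EOF'
#%PAM-1.0
auth       substack     password-auth
auth       include      postlogin
account    include      password-auth
session    include      password-auth
EOF
}

if [ "${1:-}" = "--apply" ]; then
    apply_ssh_2fa /etc/ssh/sshd_config /etc/pam.d/sshd && sshd -t && systemctl restart sshd
else
    c=$(mktemp); p=$(mktemp); make_sample_sshd_config "$c"; make_sample_pam_sshd "$p"
    apply_ssh_2fa "$c" "$p"; rm -f "$c" "$p"
fi
```

Two caveats the verification step cannot see from the file alone: on Rocky/RHEL 9 the main file starts with `Include /etc/ssh/sshd_config.d/*.conf`, and sshd keeps the first value it reads for a directive, so a drop-in such as 50-redhat.conf can override what you set in sshd_config; and on OpenSSH 8.7 and later ChallengeResponseAuthentication is only an accepted alias for KbdInteractiveAuthentication. After the restart, confirm the values sshd actually uses with `sshd -T | grep -iE 'kbdinteractive|challengeresponse|authenticationmethods'`, still from a second session while the first one stays open.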
