Digital Marketing

Set Up Multi-Factor Authentication for SSH on Amazon/Oracle Linux/CentOS/Fedora

Step 1 — Installing Google’s PAM

$ sudo yum install https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm
$ sudo yum install google-authenticator

Run the initialization app.

$ google-authenticator

Once you finish this setup, if you want to back up your secret key, you can copy the ~/.google-authenticator file to a trusted location. From there, you can deploy it on additional systems or redeploy it after a backup.

Step 2 — Configuring OpenSSH and Making SSH Aware of MFA

Edit /etc/pam.d/sshd
Append the last line to the bottom of the file:
# Used with polkit to reauthorize users in remote sessions -session optional pam_reauthorize.so prepare auth required pam_google_authenticator.so nullok

The nullok word at the end of the last line tells the PAM that this authentication method is optional. This allows users without a OATH-TOTP token to still log in using their SSH key. Once all users have an OATH-TOTP token, you can remove nullok from this line to make MFA mandatory.

Find the line auth substack password-auth at the top of the file. Comment it out by adding a # character as the first character on the line. This tells PAM not to prompt for a password.
Edit /etc/ssh/sshd_config
Look for ChallengeResponseAuthentication lines, change it from no to yes
Append the following the line to the bottom of the file:

AuthenticationMethods publickey,password publickey,keyboard-interactive

This line tells SSH we need a SSH key and either a password or a verification code.

restart SSH.

sudo systemctl restart sshd.service

Test and it should work.

Comments

Popular posts from this blog

Fixed WSL sshd: no hostkeys available -- exiting

PowerMTA pmta command

How to fix: mv: failed to preserve ownership