Two-factor authentication (2FA) for SSH on a Linux host is commonly implemented with the Google Authenticator PAM module (pam_google_authenticator), which adds a time-based one-time password (TOTP) prompt after the normal password check.
1. Install Google Authenticator
RHEL/Rocky/Oracle Linux (the package ships in EPEL, so enable that repository first):
sudo dnf install google-authenticator qrencode -y
Older systems:
sudo yum install google-authenticator qrencode -y
2. Configure OTP for a User
Run this as the user being enrolled (not via sudo), because it writes the secret to that user's ~/.google_authenticator:
google-authenticator
Scan the QR code (or enter the secret) in the authenticator app and store the emergency scratch codes somewhere safe; they are the only way in if the phone is lost.
Recommended answers:
- Time-based tokens: y
- Update .google_authenticator file: y
- Disallow multiple uses of the same token: y (a code can only be used once)
- Increase time skew: n (keeps the default window of one code before and after the current one)
- Enable rate limiting: y (limits login attempts to 3 per 30 seconds)
3. Configure PAM
Edit /etc/pam.d/sshd and add, after the existing auth lines so the password is requested before the code:
auth required pam_google_authenticator.so
During a phased rollout, append the nullok option (auth required pam_google_authenticator.so nullok) so users who have not yet run google-authenticator can still log in; remove nullok once everyone is enrolled. On SELinux-enforcing hosts, check for AVC denials (sudo ausearch -m avc -ts recent) if the module reports that it cannot read or update the secret file.
4. Configure SSH
Edit /etc/ssh/sshd_config and set:
ChallengeResponseAuthentication yes
UsePAM yes
PasswordAuthentication yes
For newer OpenSSH (8.7 and later), ChallengeResponseAuthentication is a deprecated alias of:
KbdInteractiveAuthentication yes
UsePAM yes
Caveat: public-key logins do not run the PAM auth stack, so key-based users are not asked for a code by this setup. To require a key and a code, add AuthenticationMethods publickey,keyboard-interactive.
5. Restart SSH
Validate the configuration first, and keep an existing SSH session open until a fresh login has been confirmed to work:
sudo sshd -t
sudo systemctl restart sshd
6. Test Login
ssh user@server-ip
You should be prompted for:
- Password
- Verification code (OTP)
Verify Logs:
A successful OTP login is recorded by sshd as "Accepted keyboard-interactive/pam for <user>"; a wrong code shows up as "Failed keyboard-interactive/pam for <user>".
RHEL:
sudo tail -f /var/log/secure
Ubuntu:
sudo tail -f /var/log/auth.log
Rollback:
Remove:
auth required pam_google_authenticator.so
(including any nullok option you added) from /etc/pam.d/sshd and restart sshd. The sshd_config settings above are harmless on their own; with the PAM line gone, keyboard-interactive login simply asks for the password.
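The procedure above, steps 3 to 6, as an added shell example that is not part of the original post: it applies the PAM and sshd changes idempotently, checks the result before restarting sshd, and counts OTP logins in a log file. The drop-in path /etc/ssh/sshd_config.d/50-otp.conf and the assumption that sshd_config has an Include line for that directory (the RHEL 9 default) are mine; on hosts without Include, point SSHD_DROPIN at sshd_config itself. The sample log lines are constructed, not captured from a real host.

```shell
#!/bin/sh
# Added example, not code from the original post. Run with --apply as root
# to change the live system; without it, the helpers run a dry run on
# temporary files so the script can be tried safely first.
set -eu

PAM_FILE="${PAM_FILE:-/etc/pam.d/sshd}"
# Assumption: sshd_config contains "Include /etc/ssh/sshd_config.d/*.conf".
SSHD_DROPIN="${SSHD_DROPIN:-/etc/ssh/sshd_config.d/50-otp.conf}"
PAM_LINE='auth required pam_google_authenticator.so'

# Step 3: append the PAM line exactly once; succeeds only if one copy is present.
enable_pam_otp() {
  pam_file="$1"
  grep -qxF "$PAM_LINE" "$pam_file" || printf '%s\n' "$PAM_LINE" >> "$pam_file"
  [ "$(grep -cxF "$PAM_LINE" "$pam_file")" -eq 1 ]
}

# Step 4: write the sshd settings as a drop-in. Both spellings are given so the
# same file works on OpenSSH before and after the 8.7 rename.
write_sshd_otp_dropin() {
  cat > "$1" <<'EOF'
# Password + OTP through PAM (keyboard-interactive)
KbdInteractiveAuthentication yes
ChallengeResponseAuthentication yes
UsePAM yes
PasswordAuthentication yes
EOF
}

# Check an sshd_config-style file: the two keys the OTP prompt depends on
# must both be "yes" (keywords are case-insensitive, comments start with #).
check_sshd_otp_config() {
  cfg="$1"
  for key in KbdInteractiveAuthentication UsePAM; do
    awk -v k="$key" 'tolower($1)==tolower(k){print tolower($2); exit}' "$cfg" \
      | grep -qx yes || return 1
  done
}

# Step 6: count successful OTP (keyboard-interactive/pam) logins in a log file.
count_otp_logins() {
  grep -c 'Accepted keyboard-interactive/pam for' "$1" || true
}

# Constructed sample lines in /var/log/secure format (not real host data).
SAMPLE_LOG='Jun 12 10:01:02 host sshd[4210]: Accepted keyboard-interactive/pam for alice from 203.0.113.5 port 51234 ssh2
Jun 12 10:03:44 host sshd[4299]: Failed keyboard-interactive/pam for bob from 203.0.113.9 port 51300 ssh2
Jun 12 10:05:10 host sshd[4310]: Accepted keyboard-interactive/pam for bob from 203.0.113.9 port 51301 ssh2'

if [ "${1:-}" = "--apply" ]; then
  enable_pam_otp "$PAM_FILE"
  write_sshd_otp_dropin "$SSHD_DROPIN"
  check_sshd_otp_config "$SSHD_DROPIN"
  sshd -t                      # validate before restarting; keep a session open
  systemctl restart sshd
  echo "OTP enabled; test a new login before closing this session."
else
  demo=$(mktemp -d)
  trap 'rm -rf "$demo"' EXIT
  : > "$demo/pam_sshd"
  enable_pam_otp "$demo/pam_sshd"
  enable_pam_otp "$demo/pam_sshd"            # second run must not duplicate the line
  write_sshd_otp_dropin "$demo/50-otp.conf"
  check_sshd_otp_config "$demo/50-otp.conf"
  printf '%s\n' "$SAMPLE_LOG" > "$demo/secure"
  echo "dry run ok: $(count_otp_logins "$demo/secure") OTP logins in sample log"
fi
```

The PAM helper matches the whole line with grep -x so a commented-out copy or a line with extra options does not count as already present; if you use nullok for rollout, change PAM_LINE accordingly and re-run once enrolment is complete.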