Paresh Zawar
3 min read, Dec 14, 2020

How to Set Up a Multi-Factor Authenticator on a Linux Server

Setup MFA for Linux Server

Secure your Bastion Server using Google Authenticator

If you searched for this blog, I hope you already know what MFA is and why we use it; otherwise, read the Wikipedia article on multi-factor authentication first.


Please clear all your doubts about MFA before performing the below setup.

Step 1: Install the Google Authenticator package

sudo yum install google-authenticator

Step 2: Enable MFA for a user

Log in as the user for whom you want to enable MFA and run the command below.

google-authenticator

This tool asks a series of questions. For most of these questions, answer yes (y), unless you need something other than the default.

Note down the backup codes and copy the secret key to configure MFA on your mobile. You can use either Microsoft Authenticator or Google Authenticator on your mobile.

Step 3: Configure SSH to prompt for the OTP

NOTE: Back up every file before editing it, and keep at least one session connected so that a mistake does not lock you out.

Back up and edit the file /etc/pam.d/sshd

cp /etc/pam.d/sshd /etc/pam.d/sshd.bckp

Add the line below under the auth section in /etc/pam.d/sshd:

auth required pam_google_authenticator.so nullok

nullok:

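This parameter makes the OTP optional for users who have not set it up: a user who has not yet run google-authenticator, and so has no secret configured, can still log in without an OTP. Users who have completed Step 2 are prompted for the code.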

If you want to disable password authentication, comment out the line below in the auth section.

#auth substack password-auth

Step 4: Modify the sshd_config file

Back up and edit the file /etc/ssh/sshd_config

cp /etc/ssh/sshd_config /etc/ssh/sshd_config.bckp

Find and comment out the line ChallengeResponseAuthentication no and add a new configuration line ChallengeResponseAuthentication yes. This line lets SSH ask for a challenge response. In our case, the response is an OTP code after a successful SSH key-based authentication. Here is the line:

ChallengeResponseAuthentication yes

To enable this setting for a specific user, add the lines below.

Match user paresh

AuthenticationMethods publickey,keyboard-interactive

Save the file and restart the SSH service. Then give it a try while staying connected to at least one existing session.
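
A quick way to check the result of Steps 3 and 4 before you rely on it, as an added example that is not part of the original post: the script below reads a PAM file and an sshd_config and reports whether the settings described above are active. The function names audit_mfa and active_lines are made up for this example, the sample files are constructed, and the check does not model which users a Match block applies to.

```bash
#!/usr/bin/env bash
# Added example, not from the original post: audit the files edited in Steps 3 and 4.
# Usage: audit_mfa PAM_FILE SSHD_CONFIG  (prints findings, returns 1 on any FAIL)

# Drop comments and blank lines and squeeze whitespace, so commented-out lines don't count.
active_lines() {
  sed -e 's/#.*//' -e 's/[[:space:]]\{1,\}/ /g' -e 's/^ //' -e 's/ $//' -e '/^$/d' "$1"
}

audit_mfa() {
  pam=$(active_lines "$1"); ssh=$(active_lines "$2"); rc=0

  if ! printf '%s\n' "$pam" | grep -q '^auth .*pam_google_authenticator\.so'; then
    echo "FAIL pam: pam_google_authenticator.so missing from the auth stack"; rc=1
  elif printf '%s\n' "$pam" | grep -Eq '^auth .*pam_google_authenticator\.so.* nullok( |$)'; then
    echo "WARN pam: nullok set, users with no enrolled secret log in without an OTP"
  else
    echo "OK pam: OTP required for every user"
  fi
  if printf '%s\n' "$pam" | grep -q '^auth substack password-auth'; then
    echo "INFO pam: password-auth active, the account password is still prompted"
  fi
  # Newer OpenSSH releases name the same option KbdInteractiveAuthentication.
  if printf '%s\n' "$ssh" | grep -Eiq '^(challengeresponse|kbdinteractive)authentication yes$'; then
    echo "OK sshd: challenge-response enabled"
  else
    echo "FAIL sshd: ChallengeResponseAuthentication yes not set"; rc=1
  fi
  # Only checks that the line exists; Match scoping is not evaluated.
  if printf '%s\n' "$ssh" | grep -iq '^authenticationmethods .*publickey,keyboard-interactive'; then
    echo "OK sshd: key and OTP both required where AuthenticationMethods applies"
  else
    echo "FAIL sshd: AuthenticationMethods publickey,keyboard-interactive not set"; rc=1
  fi
  return "$rc"
}

# Constructed sample files mirroring the post's settings (not a real server's config).
demo_dir=$(mktemp -d)
printf '%s\n' '#auth substack password-auth' \
  'auth required pam_google_authenticator.so nullok' > "$demo_dir/sshd.pam"
printf '%s\n' '#ChallengeResponseAuthentication no' 'ChallengeResponseAuthentication yes' \
  'Match user paresh' '  AuthenticationMethods publickey,keyboard-interactive' \
  > "$demo_dir/sshd_config"
audit_mfa "$demo_dir/sshd.pam" "$demo_dir/sshd_config"
```

On a server, point it at /etc/pam.d/sshd and /etc/ssh/sshd_config after editing and before closing your spare session.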
