How to install and configure 2FA on AlmaLinux

Jack Wallen walks you through the process of enabling two-factor authentication on the new fork of CentOS, AlmaLinux.

cybersecurity.jpg

Image: iStock/natasaadzic

More about Open Source

In light of the CentOS kerfuffle (check out: Clearing up the CentOS Stream confusion), you might have opted to migrate your Linux servers to the new fork, AlmaLinux. If that’s the case, you’ve either found the process to be incredibly automatic or a bit of a challenge. Once you have AlmaLinux up and running, one of the first things you should do is set up two-factor authentication (2FA) for SSH. After all, you don’t want to rely solely on SSH for authentication to your servers–not in today’s world.

How do you manage this task? Let me walk you through it.

What you’ll need

  • A user with sudo privileges

  • An authenticator app on your mobile device (I prefer Authy on either Android or iOS)

SEE: Identity theft protection policy (TechRepublic Premium)

How to install the google-authenticator command on AlmaLinux

First, we must install the google-authenticator command on AlmaLinux. This software is found in the EPEL repository, which has to be first installed with the command:

sudo dnf install epel-release -y

Once the repo is enabled, install the software (and a tool that will allow QR codes to be printed within a terminal window) with the command:

sudo dnf install google-authenticator grencode-libs -y

How to create an SSH key

You don’t actually need an SSH key on the AlmaLinux server, but you will need the ~/.ssh directory. You can create that manually, but you’d have to make sure the permissions are perfect, otherwise there will be problems. Because of that, it’s best to just let SSH handle the creation of that directory. 

To create an SSH key, issue the command:

ssh-keygen

Accept the default location (~/.ssh) and create a password for the key.

How to generate the QR code for 2FA

In order to add AlmaLinux to your 2FA app, we have to run the google-authenticator command. However, we’re going to run it such that it dumps the necessary file into the newly-created ~/.ssh directory. The command for this is:

google-authenticator -s ~/.ssh/google_authenticator

Make sure to answer y to all the questions. When you see the QR code printed in the terminal window (you’ll probably have to expand your terminal window to view the entire code), make sure to add it with your authenticator app on your mobile device–how you do that will depend on the app you use. 

Since we’re storing the google_authenticator file in a non-standard location, we need to restore the SELinux context with the command:

sudo restorecon -Rv ~/.ssh/

How to configure SSH for 2FA

Now that you have 2FA set up, you’ll need to configure SSH to work with it. Open the SSH daemon configuration file with the command:

sudo nano /etc/pam.d/sshd

At the bottom of that file, add the following two lines:

auth required pam_google_authenticator.so secret=/home/${USER}/.ssh/google_authenticator nullok auth required pam_permit.so

Save and close the file. 

Open the SSH config file with the command:

sudo nano /etc/ssh/sshd_config

Look for the two lines:

#ChallengeResponseAuthentication yes
ChallengeResponseAuthentication no

Change those lines to:

ChallengeResponseAuthentication yes
#ChallengeResponseAuthentication no

Save and close the file. Restart the SSH daemon with the command:

sudo systemctl restart sshd

How to log in with SSH 2FA

This is important. You’re going to want to test the login before you exit out of your current terminal window, in case something went wrong. Open a second terminal on your local machine and SSH to the remote server. You should be first prompted for a password (or SSH key password, if you have SSH key authentication set up) and then for the 2FA code. If you’re allowed in, success! If not, go back through and check your work.

And that’s how you enable 2FA on the CentOS fork, AlmaLinux. Hopefully, you’ve started to adopt this authentication method for all of your Linux servers. To make this even more secure, you should also enable SSH key authentication (find out how in How to set up ssh key authentication).

Subscribe to TechRepublic’s How To Make Tech Work on YouTube for all the latest tech advice for business pros from Jack Wallen.

Also see