How to enable SSH 2FA on AlmaLinux for more secure logins
If you’ve started rolling out AlmaLinux to your data centers, you should enable 2FA for SSH authentication. Jack Wallen shows you how.
AlmaLinux is a drop-in replacement for CentOS that also happens to be a 1:1 binary replacement for Red Hat Enterprise Linux. Chances are pretty good you’ll be deploying this enterprise-ready Linux server distribution soon. When you do, you want to make sure it’s as secure as possible.
One way to beef up the security of any Linux server is to enable two-factor authentication (2FA) for SSH logins. This setup is quite easy and makes remote connections considerably more secure. Instead of simply typing a password or key passphrase for SSH authentication, you’ll also have to enter a six-digit 2FA code from your favorite authentication app (such as Authy or Google Authenticator).
What you’ll need
Note: Make your initial SSH connection to the server and keep that session open while you work; do the testing from a new terminal window. That way, if a misconfiguration locks you out, you still have a working session from which to troubleshoot and revert.
How to install the Google Authenticator on AlmaLinux
This is not the same as the Google Authenticator app you install on your mobile device. This Google Authenticator is installed on your server and makes it possible to add 2FA to SSH logins.
To install the Google Authenticator on AlmaLinux, you must first add the EPEL repository with the command:
sudo dnf install epel-release -y
Once that is taken care of, install Google Authenticator with the command:
sudo dnf install google-authenticator qrencode qrencode-libs -y
After the installation completes, run the command to create a new secret key that will be housed in your ~/.ssh directory:
google-authenticator -s ~/.ssh/google_authenticator
Answer y to the first question and then make sure to resize your terminal window to display the entire QR code. Open your TOTP app (either Authy or Google Authenticator) on your mobile device and add a new account. Scan the QR code and then, when prompted on the AlmaLinux terminal, type the six-digit code presented by the app. Answer y to the remaining question and you’re ready to configure SSH and PAM on the server.
How to configure SSH and PAM
The first thing we must do is configure the SSH daemon. I’m going to show you how to configure this for standard password/2FA and for SSH key/2FA. The most secure method is the SSH key authentication and 2FA combination. First, I’ll show you how to configure standard password/2FA authentication. Open the SSH daemon configuration file with the command:
sudo nano /etc/ssh/sshd_config
In that file, make sure both UsePAM and ChallengeResponseAuthentication are set to yes (sshd honours the first uncommented occurrence of a keyword, so remove or comment out any earlier ChallengeResponseAuthentication no line rather than adding a second entry below it; on OpenSSH 8.7 and later, as shipped with AlmaLinux 9, the keyword has been renamed KbdInteractiveAuthentication, and either spelling is accepted). Save and close the file.
Open the PAM sshd configuration file with the command:
sudo nano /etc/pam.d/sshd
In that file, add the following line at the bottom:
auth required pam_google_authenticator.so secret=${HOME}/.ssh/google_authenticator
Save and close the file.
Restart the SSH daemon with the command:
sudo systemctl restart sshd
If you’d prefer to configure SSH key authentication/2FA, open the SSH daemon configuration file with the command:
sudo nano /etc/ssh/sshd_config
In that file, make sure both UsePAM and ChallengeResponseAuthentication are set to yes, as above. Also make sure PubkeyAuthentication is set to yes, and at the bottom of the file add the following line:
AuthenticationMethods publickey,keyboard-interactive
Save and close the file.
Next, open the PAM configuration file with the command:
sudo nano /etc/pam.d/sshd
At the bottom of this file, comment out (add a leading #) the line:
auth substack password-auth
Finally, add the following line at the bottom:
auth required pam_google_authenticator.so secret=${HOME}/.ssh/google_authenticator
Save and close the file.
Restart SSH with the command:
sudo systemctl restart sshd
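Before restarting sshd it is worth confirming that the edits above are actually in effect, since a stale ChallengeResponseAuthentication no line higher in the file silently wins. The following check script is an added example written for this article, not code from the original post; it assumes the SSH key/2FA variant and the file paths used above, uses only grep, awk and mktemp, and runs against constructed sample files rather than a live host.

```shell
#!/bin/sh
# Added sanity check (not from the original article): confirms the sshd and PAM
# edits for the SSH key + 2FA variant are in place before sshd is restarted.

# sshd honours the FIRST uncommented occurrence of a keyword, so a "yes" added at
# the bottom does not override a "... no" left higher up. Print that first value.
first_value() {
    grep -Ei "^[[:space:]]*$2[[:space:]]+" "$1" | head -n 1 | awk '{ print tolower($2) }'
}

# Usage: check_2fa_config SSHD_CONFIG PAM_SSHD ; returns 0 only when all edits are present.
check_2fa_config() {
    sshd_cfg=$1; pam_cfg=$2; rc=0
    [ "$(first_value "$sshd_cfg" UsePAM)" = yes ] || { echo "need: UsePAM yes"; rc=1; }
    [ "$(first_value "$sshd_cfg" PubkeyAuthentication)" = yes ] || { echo "need: PubkeyAuthentication yes"; rc=1; }
    # OpenSSH 8.7+ (AlmaLinux 9) renamed ChallengeResponseAuthentication to
    # KbdInteractiveAuthentication; accept either spelling.
    kbd=$(first_value "$sshd_cfg" ChallengeResponseAuthentication)
    [ -n "$kbd" ] || kbd=$(first_value "$sshd_cfg" KbdInteractiveAuthentication)
    [ "$kbd" = yes ] || { echo "need: ChallengeResponseAuthentication yes (first occurrence)"; rc=1; }
    [ "$(first_value "$sshd_cfg" AuthenticationMethods)" = "publickey,keyboard-interactive" ] \
        || { echo "need: AuthenticationMethods publickey,keyboard-interactive"; rc=1; }
    # PAM: the Google Authenticator module must be active ...
    grep -Eq '^[[:space:]]*auth[[:space:]]+required[[:space:]]+pam_google_authenticator\.so' "$pam_cfg" \
        || { echo "need: pam_google_authenticator.so line in $pam_cfg"; rc=1; }
    # ... and the password substack commented out, or a password is still demanded
    # on top of the key and the TOTP code.
    if grep -Eq '^[[:space:]]*auth[[:space:]]+substack[[:space:]]+password-auth' "$pam_cfg"; then
        echo "still active: auth substack password-auth in $pam_cfg"; rc=1
    fi
    return $rc
}

# Constructed sample files (not a real host's config) so the check runs anywhere.
# The sshd sample deliberately keeps the stock "ChallengeResponseAuthentication no"
# above the added "yes", which is exactly the mistake the check is meant to catch.
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/sshd_config" <<'EOF'
ChallengeResponseAuthentication no
UsePAM yes
PubkeyAuthentication yes
ChallengeResponseAuthentication yes
AuthenticationMethods publickey,keyboard-interactive
EOF
cat > "$SAMPLE_DIR/pam_sshd" <<'EOF'
#auth       substack     password-auth
auth       required     pam_google_authenticator.so secret=${HOME}/.ssh/google_authenticator
EOF
check_2fa_config "$SAMPLE_DIR/sshd_config" "$SAMPLE_DIR/pam_sshd" \
    || echo "fix the lines above, then run: sudo sshd -t && sudo systemctl restart sshd"
```

On a real host, point the function at /etc/ssh/sshd_config and /etc/pam.d/sshd and only restart sshd after both the check and sudo sshd -t (the daemon's own syntax test) pass.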
How to log in with 2FA
When you attempt to log in to your AlmaLinux server, you will either be prompted for your user password and a 2FA code or your SSH key passphrase and a 2FA code. Either way, without the 2FA code, you won’t be gaining access to the server.
Understand that this means any time you need to SSH into your AlmaLinux server, you’ll need your mobile device handy to generate the six-digit 2FA code. That inconvenience is a fair trade for the added layer of security this setup provides.