How to Set Up Two-Factor Authentication (2FA) for SSH on Rocky Linux 8

Update the System.

yum update -y

yum upgrade -y

Install EPEL Repository on CentOS 7

dnf install https://dl.fedoraproject.org/pub/epel/epel-release-latest-8.noarch.rpm

Output:

[root@vps ~]# dnf install https://dl.fedoraproject.org/pub/epel/epel-release-latest-8.noarch.rpm
Last metadata expiration check: 0:06:04 ago on Monday 04 October 2021 12:25:58 PM EDT.
epel-release-latest-8.noarch.r  57 kB/s |  23 kB     00:00    
Dependencies resolved.
===============================================================
 Package         Arch      Version       Repository       Size
===============================================================
Installing:
 epel-release    noarch    8-13.el8      @commandline     23 k

Transaction Summary
===============================================================
Install  1 Package

Enable the Power Tools repository.

dnf config-manager --set-enabled powertools

Install and configure required packages.

First, confirm that the package is available.

yum search google-authenticator

Output:

[root@vps ~]# yum search google-authenticator
CentOS Linux 8 - PowerTools    4.7 MB/s | 2.4 MB     00:00    
Last metadata expiration check: 0:00:01 ago on Monday 04 October 2021 12:37:14 PM EDT.
========= Name Exactly Matched: google-authenticator ==========
google-authenticator.x86_64 : One-time pass-code support using
                            : open standards

Install google-authenticator.

dnf -y install google-authenticator.x86_64 qrencode

Output:

[root@vps ~]# dnf -y install google-authenticator.x86_64 qrencode
Last metadata expiration check: 0:04:13 ago on Monday 04 October 2021 12:37:14 PM EDT.
Package google-authenticator-1.07-1.el8.x86_64 is already installed.
Dependencies resolved.
===============================================================
 Package          Arch      Version         Repository    Size
===============================================================
Installing:
 qrencode         x86_64    3.4.4-5.el8     appstream     27 k
Installing dependencies:
 qrencode-libs    x86_64    3.4.4-5.el8     appstream     59 k

Transaction Summary
===============================================================
Install  2 Packages

Configuring SSH Server

First, make SSH use the Google Authenticator PAM module by adding the following line to the /etc/pam.d/sshd file.

vi /etc/pam.d/sshd

Add the following line at the end of the file:

# Add to end
auth required pam_google_authenticator.so

Then edit /etc/ssh/sshd_config and set the following option:

ChallengeResponseAuthentication yes

Configuring Authentication.

Run the google-authenticator command.

google-authenticator

This will ask you a series of questions:

Use time-based tokens: yes
Update the .google_authenticator file: yes
Disallow multiple uses of the same authentication token: yes
Increase the original generation time limit: no
Enable rate-limiting: yes

Output:

[root@vps ~]# google-authenticator
Do you want authentication tokens to be time-based (y/n) y
Warning: pasting the following URL into your browser exposes the OTP secret to Google:
  https://www.google.com/chart?chs=200x200&chld=M|0&cht=qr&chl=otpauth://totp/root@vps.server.com%3Fsecret%3D6MCT2UPCSAQA4UPYZWABIVMYWA%26issuer%3Dvps.server.com
Your new secret key is: 6MCT2UPCSAQA4UPYZWABIVMYWA
Enter code from app (-1 to skip): -1
Code confirmation skipped
Your emergency scratch codes are:
  65099221
  45414359
  26767908
  23294881
  61683830

Install and configure Google Authenticator

The Google Authenticator app is available for Android (in the Play Store) and iOS (in iTunes) to generate authentication codes. Download and install it.

After the installation completes, set up an account: scan the barcode printed on your screen during setup, or enter your secret key, to add an SSH account.

Test SSH two-factor authentication:

 # ssh rhel8

Output:

Password: <Enter SSH Password>
Verification code: <Enter verification code from Google Authenticator>
Activate the web console with: systemctl enable --now cockpit.socket

Your SSH two-factor authentication has been successfully configured on RHEL / CentOS 8.
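To confirm that the changes made in this guide are actually in effect, the following script audits the three files involved. It is an added example, not part of the original guide; the function names and the script name are hypothetical, and the file paths are passed as arguments so the checks can also be run on copies.

```shell
#!/bin/sh
# Added example (not from the original guide): audit the files this guide edits.
# Usage (script name is hypothetical):
#   sh audit_2fa.sh /etc/pam.d/sshd /etc/ssh/sshd_config ~/.google_authenticator

# True if FILE has an active (uncommented) auth line loading the PAM module.
pam_has_google_auth() {
    grep -Eq '^[[:space:]]*auth[[:space:]]+.*pam_google_authenticator\.so' "$1"
}

# Print the value of the first active ChallengeResponseAuthentication line.
# sshd keeps the first value it reads, so a "no" earlier in the file beats
# a "yes" appended later. Match blocks and Include files are not followed.
sshd_challenge_response() {
    awk '{ sub(/^[ \t]+/, ""); split($0, f, /[ \t=]+/) }
         tolower(f[1]) == "challengeresponseauthentication" {
             print tolower(f[2]); exit
         }' "$1"
}

# True if the per-user secret file exists and grants nothing to group/other.
secret_file_private() {
    [ -f "$1" ] && [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# Run all three checks; print each failure; return non-zero if any failed.
audit_2fa() {
    rc=0
    pam_has_google_auth "$1" ||
        { echo "FAIL: $1 does not load pam_google_authenticator.so"; rc=1; }
    [ "$(sshd_challenge_response "$2")" = "yes" ] ||
        { echo "FAIL: ChallengeResponseAuthentication is not 'yes' in $2"; rc=1; }
    secret_file_private "$3" ||
        { echo "FAIL: $3 is missing or accessible by group/other"; rc=1; }
    [ "$rc" -eq 0 ] && echo "OK: SSH two-factor settings are in place"
    return "$rc"
}

if [ "$#" -eq 3 ]; then
    audit_2fa "$@"
fi
```

sshd reads /etc/ssh/sshd_config at startup, so an edit there takes effect only after the service is restarted or reloaded. Keep an existing session open while testing the new login.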

