Secure Your SSH Logins: How to enable SSH 2FA on AlmaLinux

-

Introduction

Enabling two-factor authentication (2FA) for SSH logins on AlmaLinux significantly enhances your system’s security by adding an extra layer of protection. In this tutorial, we'll guide you through the process of setting up 2FA, ensuring your SSH connections are more secure against unauthorized access.

This method integrates the use of Google Authenticator, providing a simple and effective way to bolster your server’s defense. Follow these detailed steps to configure 2FA on your AlmaLinux system, and safeguard your data with an additional verification step every time you log in.

Install the Google Authenticator on AlmaLinux

sudo dnf install epel-release -y
sudo dnf install google-authenticator qrencode qrencode-libs -y

After install completes, I will create a new secret key in ~/.ssh directory

Run command as follows

google-authenticator -s ~/.ssh/google_authenticator
The output terminal as below

[root@DevopsRoles ~]# google-authenticator -s ~/.ssh/google_authenticator

Do you want authentication tokens to be time-based (y/n) y
Warning: pasting the following URL into your browser exposes the OTP secret to Google:
  https://www.google.com/chart?chs=200x200&chld=M|0&cht=qr&chl=otpauth://totp/root@DevopsRoles.com%3Fsecret%3DDXFSMCJ42VQ7FPMS2VAJ3CIJIE%26issuer%3DDevopsRoles.com

Your new secret key is: DXFSMCJ42VQ7FPMS2VAJ3CIJIE
Your verification code is 222214
Your emergency scratch codes are:
  36072722
  12212187
  31577834
  31344084
  92578576

Do you want me to update your "/root/.ssh/google_authenticator" file? (y/n) y

Do you want to disallow multiple uses of the same authentication
token? This restricts you to one login about every 30s, but it increases
your chances to notice or even prevent man-in-the-middle attacks (y/n) y

By default, a new token is generated every 30 seconds by the mobile app.
In order to compensate for possible time-skew between the client and the server,
we allow an extra token before and after the current time. This allows for a
time skew of up to 30 seconds between authentication server and client. If you
experience problems with poor time synchronization, you can increase the window
from its default size of 3 permitted codes (one previous code, the current
code, the next code) to 17 permitted codes (the 8 previous codes, the current
code, and the 8 next codes). This will permit for a time skew of up to 4 minutes
between client and server.
Do you want to do so? (y/n) y

If the computer that you are logging into isn't hardened against brute-force
login attempts, you can enable rate-limiting for the authentication module.
By default, this limits attackers to no more than 3 login attempts every 30s.
Do you want to enable rate-limiting? (y/n) y
[root@DevopsRoles ~]#

You use mobile device to Get verification codes with Google Authenticator.


 

Configure SSH and PAM

Set up SSH

sudo vi /etc/ssh/sshd_config

Make sure both UsePAM and ChallengeResponseAuthentication are set to yes.

The output should look like this:

[root@DevopsRoles ~]# egrep "ChallengeResponseAuthentication|UsePAM yes" /etc/ssh/sshd_config | grep -v "#"
ChallengeResponseAuthentication yes
UsePAM yes
Setting PAM

sudo vi /etc/pam.d/sshd

Add the following line at the bottom:

auth required pam_google_authenticator.so secret=${HOME}/.ssh/google_authenticator
Restart ssh
sudo systemctl restart sshd
Log into the server. For example, log in to the root account as shown in the picture.

Conclusion

You have successfully enabled SSH 2FA on AlmaLinux, enhancing your system's security with an extra layer of protection. I hope this guide has been helpful to you. Thank you for reading and supporting the DevopsRoles page!

Comments

Post a Comment

Popular posts from this blog

How to Install Python 3.13

-
Introduction Python 3.13, the latest version of the Python programming language, comes with several performance enhancements, improved syntax, and more powerful libraries. Whether you're a beginner or an experienced developer, installing the latest version is crucial for taking full advantage of these features. This deep guide will cover the installation process on Windows, macOS, and Linux, followed by advanced configuration tips for an optimal Python environment. In this tutorial, you'll also learn how to set up virtual environments, manage dependencies, and handle multiple Python versions efficiently. Let’s explore the full how to install Python 3.13 journey across different operating systems and dive into more advanced topics. Why Upgrade to Python 3.13? Before diving into the installation, it’s worth highlighting the key improvements and features that come with Python 3.13: Asynchronous Performance : Enhanced performance for asynchronous operations and networking. Syntax ...
Read more

How to Install Docker on Linux Mint 22: A Step-by-Step Guide

-
Introduction Docker has become an essential tool for developers and system administrators, providing a streamlined way to deploy and manage applications in containers. This guide will walk you through the process of installing Docker on Linux Mint 22, from the basics to more advanced configurations. What is Docker Docker   is a platform designed to simplify the development, deployment, and running of applications by using containers. Containers allow developers to package an application with all its dependencies, ensuring that it runs consistently across different environments. Why Use Docker on Linux Mint 22? Linux Mint 22, known for its stability and user-friendly interface, is an excellent choice for setting up Docker. Whether you're a developer looking to streamline your workflow or a sysadmin managing complex applications, Docker on Linux Mint can significantly enhance your productivity. Prerequisites Before we start, make sure you have the following: A system running Lin...
Read more

zimbra some services are not running [Solve problem]

-
Introduction How to solved zimbra some services are not running. That after, to installed zimbra mail server. The display a some admin console status red in environment multiple server ( zimbra ldap, zimbra mailbox, zimbra mta etc.). Link to below you maybe likes: How to install and configure zimbra multi server.   How to restrict to user sending mail on zimbra 8.6. How to Restrict Sending to Distribution list in zimbra mail. How to change last login time for all accounts in zimbra ldap. How to zimbra reject authenticated sender login mismatch. Error zimbra some services are not running as bellow Step by step guide the solve problem zimbra some services are not running To restart and enable cron service the permanently. service crond restart chkconfig crond on Opening rsyslog.conf file and uncomment the following. vim /etc/rsyslog.conf Uncomment these two lines $modload imupd $UDPServerRun514   To restart and enable rsyslog service the permanently. servic...
Read more