The right way to set up and configure 2FA on AlmaLinux

Jack Wallen walks you thru the method of enabling two-factor authentication on the brand new fork of CentOS, AlmaLinux.

Picture: iStock/natasaadzic

In mild of the CentOS kerfuffle (try: Clearing up the CentOS Stream confusion), you may need opted emigrate your Linux servers to the brand new fork, AlmaLinux. If that is the case, you have both discovered the method to be extremely computerized or a little bit of a problem. After getting AlmaLinux up and working, one of many first issues you need to do is ready up two-factor authentication (2FA) for SSH. In any case, you do not need to rely solely on SSH for authentication to your servers–not in at this time’s world.

How do you handle this job? Let me stroll you thru it.

What you will want

  • A person with sudo privileges

  • An authenticator app in your cellular machine (I desire Authy on both Android or iOS)

SEE: Identification theft safety coverage (TechRepublic Premium)

The right way to set up the google-authenticator command on AlmaLinux

First, we should set up the google-authenticator command on AlmaLinux. This software program is discovered within the EPEL repository, which needs to be first put in with the command:

sudo dnf set up epel-release -y

As soon as the repo is enabled, set up the software program (and a device that can enable QR codes to be printed inside a terminal window) with the command:

sudo dnf set up google-authenticator grencode-libs -y

The right way to create an SSH key

You do not really need an SSH key on the AlmaLinux server, however you’ll need the ~/.ssh listing. You possibly can create that manually, however you’d have to verify the permissions are good, in any other case there shall be issues. Due to that, it is best to only let SSH deal with the creation of that listing. 

To create an SSH key, concern the command:


Settle for the default location (~/.ssh) and create a password for the important thing.

The right way to generate the QR code for 2FA

As a way to add AlmaLinux to your 2FA app, we now have to run the google-authenticator command. Nevertheless, we’ll run it such that it dumps the mandatory file into the newly-created ~/.ssh listing. The command for that is:

google-authenticator -s ~/.ssh/google_authenticator

Be certain to reply y to all of the questions. While you see the QR code printed within the terminal window (you will in all probability should increase your terminal window to view all the code), be sure so as to add it together with your authenticator app in your cellular device–how you do that can rely on the app you employ. 

Since we’re storing the google_authenticator file in a non-standard location, we have to restore the SELinux context with the command:

sudo restorecon -Rv ~/.ssh/

The right way to configure SSH for 2FA

Now that you’ve 2FA arrange, you will have to configure SSH to work with it. Open the SSH daemon configuration file with the command:

sudo nano /and so forth/pam.d/sshd

On the backside of that file, add the next two strains:

auth       required secret=/dwelling/${USER}/.ssh/google_authenticator nullok 
auth       required

Save and shut the file. 

Open the SSH config file with the command:

sudo nano /and so forth/ssh/sshd_config

Search for the 2 strains:

#ChallengeResponseAuthentication sure
ChallengeResponseAuthentication no

Change these strains to:

ChallengeResponseAuthentication sure
#ChallengeResponseAuthentication no

Save and shut the file. Restart the SSH daemon with the command:

sudo systemctl restart sshd

The right way to log in with SSH 2FA

That is vital. You are going to need to take a look at the login earlier than you exit out of your present terminal window, in case one thing went improper. Open a second terminal in your native machine and SSH to the distant server. You ought to be first prompted for a password (or SSH key password, you probably have SSH key authentication arrange) after which for the 2FA code. In the event you’re allowed in, success! If not, return via and examine your work.

And that is the way you allow 2FA on the CentOS fork, AlmaLinux. Hopefully, you have began to undertake this authentication technique for your entire Linux servers. To make this much more safe, you also needs to allow SSH key authentication (learn how in The right way to arrange ssh key authentication).

Subscribe to TechRepublic’s How To Make Tech Work on YouTube for all the most recent tech recommendation for enterprise professionals from Jack Wallen.

Additionally see

You May Also Like

Leave a Reply

Your email address will not be published.