With the rising number of breaches and password compromises, we need as many security layers as possible. One way to achieve added security is by adding an extra layer of authentication. Multi-factor authentication (MFA) is a method of requiring more than one credential to prove your identity.

The authentication module described in this article is not supported by Red Hat. For information on supported authentication methods, read Identity Management and Two-Factor Authentication Using One-Time Passwords.

Usually, when you sign in to an account or device, you are asked for a username and password. When you SSH into a Linux machine, you may be asked for an SSH key pair. Multi-factor authentication requires users to provide more than one piece of information to authenticate successfully to an account or Linux host. The additional information may be a one-time password (OTP) sent to your cell phone via SMS or credentials from an app like Google Authenticator, Twilio Authy, or FreeOTP.

Pluggable Authentication Modules (PAM) are the authentication mechanism used in Linux. In this article, we use the Google PAM module to enable MFA so users can log in by using time-based one-time password (TOTP) codes.

Implement the Google Authentication module

First, install the Google Authentication module on a Linux machine. To do so, open a Terminal window and run the following command:

    $ sudo dnf install google-authenticator -y

Next, configure google-authenticator to generate OTP codes. Run the following command to begin the configuration process:

    $ sudo google-authenticator

For most of these questions, answer yes (y), unless you need something other than the default.

    Do you want authentication tokens to be time-based (y/n) y

This generates a QR code on the screen, a secret key, and recovery codes. Using an authenticator app like Google Authenticator on a smartphone, scan the QR code generated from the above command. Answer the rest of the questions to complete the process.

    Do you want me to update your "/home/user/.google_authenticator" file? (y/n) y

    Do you want to disallow multiple uses of the same authentication token? This restricts you to one login about every 30s, but it increases your chances to notice or even prevent man-in-the-middle attacks (y/n) y

    By default, a new token is generated every 30 seconds by the mobile app. In order to compensate for possible time-skew between the client and the server, we allow an extra token before and after the current time.

    If the computer that you are logging into isn't hardened against brute-force login attempts, you can enable rate-limiting for the authentication module. By default, this limits attackers to no more than three login attempts every 30s.
    Do you want to enable rate-limiting? (y/n) y

Configure SSH to prompt for the OTP code

Edit a couple of SSH configuration files to ask for an OTP code as a second-factor authentication. Using your favorite text editor, open /etc/pam.d/sshd for editing:

    $ sudo vi /etc/pam.d/sshd

Add the following line of configuration:

    auth required pam_google_authenticator.so nullok

This line of configuration enables PAM to use the Google Authenticator PAM module, which we installed in the previous step. With the nullok entry on the line, SSH will not require an OTP code for users on the machine that are not configured for MFA. Completely remove this option to force every user to use MFA on this system.

Next, comment out the following line to disable password authentication for logins:

    #auth substack password-auth

In the next step, modify the SSH configuration to display the prompt for the OTP code after the successful SSH key pair authentication. Using your favorite text editor, open /etc/ssh/sshd_config for editing:

    $ sudo vi /etc/ssh/sshd_config

Find and comment out the line ChallengeResponseAuthentication no and add a new configuration line ChallengeResponseAuthentication yes. This setting lets SSH ask for a challenge response; in our case, the response is an OTP code after a successful SSH key-based authentication. The edited lines look like this:

    #ChallengeResponseAuthentication no
    ChallengeResponseAuthentication yes

Finally, let SSH know to ask for both an SSH key and a verification code to authenticate us. At the bottom of the file, add:

    AuthenticationMethods publickey,keyboard-interactive

SSH checks for an SSH key pair (publickey) and then the OTP code (keyboard-interactive).
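The following script is an added example, not part of the original article: it audits the two files the article edits (sshd_config and the PAM stack for sshd) and reports whether a login will actually require an SSH key followed by an OTP. The function names (`sshd_option`, `check_ssh_mfa`, `write_sample_configs`, `write_stock_configs`) and the sample configuration files it writes are constructed for this example and are not real system files. Two checks go beyond the article's text: it accepts `KbdInteractiveAuthentication`, the name OpenSSH 8.7 and later use for the same setting as `ChallengeResponseAuthentication`, and it checks `UsePAM`, because with `UsePAM no` the PAM stack, and therefore the OTP module, is never consulted.

```bash
#!/usr/bin/env bash
# Added example (not from the original article): audit sshd_config and the
# PAM sshd stack for the key-then-OTP settings the article describes.
# check_ssh_mfa returns 0 when every check passes and 1 otherwise, printing
# one line per check. Paths are parameters so it can run against copies.

# Effective value of an sshd_config keyword: sshd applies the first
# uncommented occurrence and matches keyword names case-insensitively.
sshd_option() {   # $1 = sshd_config path, $2 = keyword
    awk -v key="$2" '
        /^[[:space:]]*#/ { next }
        tolower($1) == tolower(key) { print $2; exit }
    ' "$1"
}

check_ssh_mfa() {   # $1 = sshd_config path, $2 = /etc/pam.d/sshd path
    local sshd_cfg="$1" pam_cfg="$2" rc=0 val

    # 1. sshd must relay PAM's OTP prompt to the client. OpenSSH 8.7+ names
    #    this KbdInteractiveAuthentication; older releases use
    #    ChallengeResponseAuthentication, so either spelling is accepted.
    val=$(sshd_option "$sshd_cfg" ChallengeResponseAuthentication)
    [ -n "$val" ] || val=$(sshd_option "$sshd_cfg" KbdInteractiveAuthentication)
    if [ "$val" = "yes" ]; then
        echo "OK   keyboard-interactive (challenge-response) enabled"
    else
        echo "FAIL keyboard-interactive is '${val:-unset}', expected yes"; rc=1
    fi

    # 2. Both factors are required, in order: key first, then OTP.
    val=$(sshd_option "$sshd_cfg" AuthenticationMethods)
    if [ "$val" = "publickey,keyboard-interactive" ]; then
        echo "OK   AuthenticationMethods = $val"
    else
        echo "FAIL AuthenticationMethods is '${val:-unset}'"; rc=1
    fi

    # 3. Without UsePAM yes the PAM stack (and the OTP module) never runs.
    #    Fedora/RHEL ship UsePAM yes; an unset value is only reported.
    val=$(sshd_option "$sshd_cfg" UsePAM)
    case "$val" in
        yes) echo "OK   UsePAM yes" ;;
        "")  echo "WARN UsePAM not set explicitly; confirm with: sshd -T | grep -i usepam" ;;
        *)   echo "FAIL UsePAM is '$val', expected yes"; rc=1 ;;
    esac

    # 4. The Google Authenticator module must be an active (uncommented) auth line.
    if grep -Eq '^[[:space:]]*auth[[:space:]]+required[[:space:]]+pam_google_authenticator\.so' "$pam_cfg"; then
        if grep -Eq '^[[:space:]]*auth[[:space:]]+required[[:space:]]+pam_google_authenticator\.so.*[[:space:]]nullok([[:space:]]|$)' "$pam_cfg"; then
            echo "OK   pam_google_authenticator active (nullok: users without a token file are exempt)"
        else
            echo "OK   pam_google_authenticator active, OTP required for every user"
        fi
    else
        echo "FAIL no active pam_google_authenticator.so auth line"; rc=1
    fi

    # 5. The password-auth substack must be commented out, otherwise a password
    #    prompt is still offered through keyboard-interactive.
    if grep -Eq '^[[:space:]]*auth[[:space:]]+substack[[:space:]]+password-auth' "$pam_cfg"; then
        echo "FAIL 'auth substack password-auth' is still active"; rc=1
    else
        echo "OK   password-auth substack disabled"
    fi
    return "$rc"
}

# Constructed sample files (not real system files): the article's end state
# and the stock state before the edits, so the check can run offline.
write_sample_configs() {   # $1 = directory; hardened versions
    printf '%s\n' 'UsePAM yes' '#ChallengeResponseAuthentication no' \
        'ChallengeResponseAuthentication yes' \
        'AuthenticationMethods publickey,keyboard-interactive' > "$1/sshd_config"
    printf '%s\n' 'auth required pam_google_authenticator.so nullok' \
        '#auth substack password-auth' 'auth include postlogin' > "$1/pam_sshd"
}
write_stock_configs() {    # $1 = directory; before the article's edits
    printf '%s\n' 'UsePAM yes' 'ChallengeResponseAuthentication no' > "$1/sshd_config"
    printf '%s\n' 'auth substack password-auth' 'auth include postlogin' > "$1/pam_sshd"
}

# Stand-alone run: audit both constructed samples.
sample_dir=$(mktemp -d)
write_sample_configs "$sample_dir"
echo "--- hardened sample"
check_ssh_mfa "$sample_dir/sshd_config" "$sample_dir/pam_sshd" || echo "result: MFA not enforced"
write_stock_configs "$sample_dir"
echo "--- stock sample"
check_ssh_mfa "$sample_dir/sshd_config" "$sample_dir/pam_sshd" || echo "result: MFA not enforced"
rm -rf "$sample_dir"
```

On a real host, run `check_ssh_mfa /etc/ssh/sshd_config /etc/pam.d/sshd` after the edits, validate syntax with `sshd -t`, and keep an existing SSH session open while restarting sshd and testing a fresh login, so a mistake in either file does not lock you out.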