Jack Wallen walks you through the process of enabling two-factor authentication on the new fork of CentOS, AlmaLinux.
Image: iStock/natasaadzic
In light of the CentOS kerfuffle (check out: Clearing up the CentOS Stream confusion), you might have opted to migrate your Linux servers to the new fork, AlmaLinux. If that’s the case, you’ve either found the process to be incredibly automatic or a bit of a challenge. Once you have AlmaLinux up and running, one of the first things you should do is set up two-factor authentication (2FA) for SSH. After all, you don’t want to rely solely on SSH for authentication to your servers–not in today’s world.
How do you manage this task? Let me walk you through it.
What you’ll need
-
A user with sudo privileges
-
An authenticator app on your mobile device (I prefer Authy on either Android or iOS)
SEE: Identity theft protection policy (TechRepublic Premium)
How to install the google-authenticator command on AlmaLinux
First, we must install the google-authenticator command on AlmaLinux. This software is found in the EPEL repository, which has to be first installed with the command:
sudo dnf install epel-release -y
Once the repo is enabled, install the software (and a tool that will allow QR codes to be printed within a terminal window) with the command:
sudo dnf install google-authenticator grencode-libs -y
How to create an SSH key
You don’t actually need an SSH key on the AlmaLinux server, but you will need the ~/.ssh directory. You can create that manually, but you’d have to make sure the permissions are perfect, otherwise there will be problems. Because of that, it’s best to just let SSH handle the creation of that directory.
To create an SSH key, issue the command:
ssh-keygen
Accept the default location (~/.ssh) and create a password for the key.
How to generate the QR code for 2FA
In order to add AlmaLinux to your 2FA app, we have to run the google-authenticator command. However, we’re going to run it such that it dumps the necessary file into the newly-created ~/.ssh directory. The command for this is:
google-authenticator -s ~/.ssh/google_authenticator
Make sure to answer y to all the questions. When you see the QR code printed in the terminal window (you’ll probably have to expand your terminal window to view the entire code), make sure to add it with your authenticator app on your mobile device–how you do that will depend on the app you use.
Since we’re storing the google_authenticator file in a non-standard location, we need to restore the SELinux context with the command:
sudo restorecon -Rv ~/.ssh/
How to configure SSH for 2FA
Now that you have 2FA set up, you’ll need to configure SSH to work with it. Open the SSH daemon configuration file with the command:
sudo nano /etc/pam.d/sshd
At the bottom of that file, add the following two lines:
auth required pam_google_authenticator.so secret=/home/${USER}/.ssh/google_authenticator nullok auth required pam_permit.so
Save and close the file.
Open the SSH config file with the command:
sudo nano /etc/ssh/sshd_config
Look for the two lines:
#ChallengeResponseAuthentication yes ChallengeResponseAuthentication no
Change those lines to:
ChallengeResponseAuthentication yes #ChallengeResponseAuthentication no
Save and close the file. Restart the SSH daemon with the command:
sudo systemctl restart sshd
How to log in with SSH 2FA
This is important. You’re going to want to test the login before you exit out of your current terminal window, in case something went wrong. Open a second terminal on your local machine and SSH to the remote server. You should be first prompted for a password (or SSH key password, if you have SSH key authentication set up) and then for the 2FA code. If you’re allowed in, success! If not, go back through and check your work.
And that’s how you enable 2FA on the CentOS fork, AlmaLinux. Hopefully, you’ve started to adopt this authentication method for all of your Linux servers. To make this even more secure, you should also enable SSH key authentication (find out how in How to set up ssh key authentication).
Subscribe to TechRepublic’s How To Make Tech Work on YouTube for all the latest tech advice for business pros from Jack Wallen.
Cybersecurity Insider Newsletter
Strengthen your organization’s IT security defenses by keeping abreast of the latest cybersecurity news, solutions, and best practices. Delivered Tuesdays and Thursdays
Also see
Source of Article
