Jack Wallen walks you through the process of enabling two-factor authentication on the new fork of CentOS, AlmaLinux.
In light of the CentOS kerfuffle (check out: Clearing up the CentOS Stream confusion), you might have opted to migrate your Linux servers to the new fork, AlmaLinux. If that’s the case, you’ve either found the process to be incredibly automatic or a bit of a challenge. Once you have AlmaLinux up and running, one of the first things you should do is set up two-factor authentication (2FA) for SSH. After all, you don’t want to rely solely on SSH for authentication to your servers–not in today’s world.
How do you manage this task? Let me walk you through it.
What you’ll need
A user with sudo privileges
An authenticator app on your mobile device (I prefer Authy on either Android or iOS)
You don’t actually need an SSH key on the AlmaLinux server, but you will need the ~/.ssh directory. You can create that manually, but you’d have to make sure the permissions are perfect, otherwise there will be problems. Because of that, it’s best to just let SSH handle the creation of that directory.
To create an SSH key, issue the command:
Accept the default location (~/.ssh) and create a password for the key.
How to generate the QR code for 2FA
In order to add AlmaLinux to your 2FA app, we have to run the google-authenticator command. However, we’re going to run it such that it dumps the necessary file into the newly-created ~/.ssh directory. The command for this is:
Make sure to answer y to all the questions. When you see the QR code printed in the terminal window (you’ll probably have to expand your terminal window to view the entire code), make sure to add it with your authenticator app on your mobile device–how you do that will depend on the app you use.
Since we’re storing the google_authenticator file in a non-standard location, we need to restore the SELinux context with the command:
sudo restorecon -Rv ~/.ssh/
How to configure SSH for 2FA
Now that you have 2FA set up, you’ll need to configure SSH to work with it. Start by opening the PAM configuration file for the SSH daemon with the command:
sudo nano /etc/pam.d/sshd
At the bottom of that file, add the following two lines:
Change those lines to:
Save and close the file. Restart the SSH daemon with the command:
sudo systemctl restart sshd
How to log in with SSH 2FA
This is important. You’re going to want to test the login before you exit out of your current terminal window, in case something went wrong. Open a second terminal on your local machine and SSH to the remote server. You should be first prompted for a password (or SSH key password, if you have SSH key authentication set up) and then for the 2FA code. If you’re allowed in, success! If not, go back through and check your work.
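To make that second prompt less of a black box, here is an added Python model (written for this article, not code from the article or from the google-authenticator project) of what the PAM module checks: it parses a constructed ~/.ssh/google_authenticator file, derives the current RFC 6238 TOTP code from its base32 secret, and accepts either a code inside the WINDOW_SIZE or an unused scratch code. The file layout and the meaning of WINDOW_SIZE are assumptions; the secret is the RFC 6238 test key, not a real one.

```python
"""Minimal model of the check pam_google_authenticator performs at SSH login."""
import base64
import hashlib
import hmac
import struct

# Constructed sample of ~/.ssh/google_authenticator (assumed layout, NOT a real secret):
# line 1 = base32 TOTP secret, lines starting with '"' = options, bare digits = scratch codes.
SAMPLE_FILE = """GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ
" RATE_LIMIT 3 30
" WINDOW_SIZE 3
" DISALLOW_REUSE
" TOTP_AUTH
12345678
87654321
"""

def parse_secret_file(text):
    """Split the file into (base32 secret, option list, scratch code list)."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    secret = lines[0]
    options = [ln[1:].strip() for ln in lines[1:] if ln.startswith('"')]
    scratch = [ln for ln in lines[1:] if ln.isdigit()]
    return secret, options, scratch

def hotp(secret_b32, counter, digits=6):
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    key = base64.b32decode(secret_b32.upper())
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{value % 10 ** digits:0{digits}d}"

def totp(secret_b32, unix_time, step=30):
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / 30 s)."""
    return hotp(secret_b32, int(unix_time) // step)

def verify_code(text, candidate, unix_time):
    """Accept a TOTP code within the configured window, or an unused scratch code.
    Returns (accepted, remaining_scratch_codes)."""
    secret, options, scratch = parse_secret_file(text)
    # Assumption: WINDOW_SIZE n means n consecutive 30 s codes are valid, centred on now.
    size = next((int(o.split()[1]) for o in options if o.startswith("WINDOW_SIZE")), 3)
    window = (size - 1) // 2
    for delta in range(-window, window + 1):
        expected = totp(secret, unix_time + 30 * delta)
        if hmac.compare_digest(expected, candidate):   # constant-time comparison
            return True, scratch
    if candidate in scratch:                            # scratch codes are single use
        return True, [c for c in scratch if c != candidate]
    return False, scratch
```

A real deployment also enforces RATE_LIMIT and DISALLOW_REUSE, which this model reads but does not apply.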
And that’s how you enable 2FA on the CentOS fork, AlmaLinux. Hopefully, you’ve started to adopt this authentication method for all of your Linux servers. To make this even more secure, you should also enable SSH key authentication (find out how in How to set up ssh key authentication).