How to Implement 2FA for SSH on Rocky Linux 8

Understanding Two-Factor Authentication for SSH

As attacks on exposed services become more sophisticated, a password by itself is a weak gate for remote administration. Two-factor authentication (2FA) adds a second, independent factor to
SSH (Secure Shell) logins, so a stolen or guessed password is not enough on its own to gain access. Rocky Linux 8, a community enterprise operating system, provides a secure environment for deploying services and applications, including secure remote access with SSH.

Setting Up 2FA on Rocky Linux 8

To set up 2FA on Rocky Linux 8 for SSH, we will use a Time-based One-Time Password (TOTP) app such as Google Authenticator or Microsoft Authenticator on the phone; any app that implements RFC 6238 TOTP works, because the server side does not depend on a particular vendor. On the server, the process involves installing the Google Authenticator PAM (Pluggable Authentication Module), pam_google_authenticator.so, which verifies the codes, and configuring SSH to use this module.

Step 1: Install Google Authenticator PAM

  1. Install epel-release (the google-authenticator package comes from EPEL, not from the base repositories) and update the system:

    sudo dnf -y install epel-release
    sudo dnf -y update
  2. Install the qrencode library, which lets google-authenticator draw the enrollment QR code in the terminal:

    sudo dnf -y install qrencode-libs
  3. Install the Google Authenticator PAM module:

    sudo dnf -y install google-authenticator

Step 2: Decide What to Do About SELinux

  1. Check whether SELinux is enforcing (getenforce prints the current mode). In a default Rocky Linux 8 installation it is Enforcing. This guide disables it because pam_google_authenticator.so, running inside sshd, has to read and also rewrite ~/.google_authenticator in the user's home directory (it records used codes and rate-limit state there), and the stock SELinux policy for sshd gets in the way of that. Understand the trade-off: SELINUX=disabled turns off a system-wide control, not just one for sshd. The alternative that keeps SELinux enforcing is to store the secret files outside home directories, in a location sshd is allowed to write to, using the module's secret= option; consult the pam_google_authenticator documentation for that layout. To disable SELinux, edit /etc/selinux/config, comment out the existing SELINUX=enforcing (or SELINUX=permissive) line, add SELINUX=disabled, and save the file:

    ...
    #SELINUX=enforcing
    SELINUX=disabled
    ...

  2. Reboot Rocky Linux 8; the change takes effect only after a reboot.

Step 3: Enroll a User with Google Authenticator

  1. Switch to the user who will log in with 2FA (e.g. admin). The secret is created in that user's home directory, so this step is repeated for every account that logs in over SSH, root included if root login is permitted:

    su - admin
  2. Run Google Authenticator:

    google-authenticator
  3. You will be prompted with a series of questions:

    • Do you want authentication tokens to be time-based (y/n)? → Type y and press Enter.

    • You will see a QR code and, below it, the secret key in text form. Scan the QR code with Google Authenticator, Microsoft Authenticator, or any other TOTP app; if the terminal cannot render the QR code, enter the secret key by hand.

    • Copy and save the emergency scratch codes that are displayed. Each one can be used once in place of a TOTP code if the phone is lost.

    • Do you want me to update your "~/.google_authenticator" file? (y/n) → Type y and press Enter.

    • Do you want to disallow multiple uses of the same authentication token? (y/n) → Type y and press Enter. This stops a code that was observed or captured from being replayed within its 30-second validity.

    • Do you want to increase the time window? (y/n) → Type n and press Enter. The default already accepts the code before and after the current one to absorb small clock skew; keep the server's clock synchronized (chronyd) rather than widening the window.

    • Do you want to enable rate-limiting? (y/n) → Type y and press Enter. This limits an attacker to 3 login attempts every 30 seconds, which matters because a six-digit code is small enough to guess by brute force otherwise.

  4. Ensure
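The enrollment can be scripted, and the file it produces is worth checking afterwards. What follows is an added example, not code from the original guide or from the google-authenticator project: enroll_user, audit_ga_secret and scratch_codes_left are hypothetical helper names, the flags passed to google-authenticator are the command-line equivalents of the answers given above, and the sample ~/.google_authenticator at the bottom is constructed for the demonstration and contains no real secret.

```shell
#!/bin/bash
# Added example (not from the original guide): script the Step 3 enrollment
# and audit the secret file it produces. Assumes the google-authenticator
# package from EPEL (Step 1) is installed when enroll_user is actually called.

# enroll_user: google-authenticator with the same answers as the interactive
# walk-through, and no prompts. -t time-based, -d disallow reuse, -r 3 -R 30
# rate limit of 3 attempts per 30 s, -W keep the default code window,
# -e 5 five emergency scratch codes, -f write the file without confirming.
# It still prints the QR code, secret and scratch codes for the user.
# Must run as the user being enrolled, e.g.: su - admin -c 'bash ga.sh enroll'
enroll_user() {
    google-authenticator -t -d -f -r 3 -R 30 -W -e 5
}

# audit_ga_secret FILE [OWNER_UID]
# Returns 0 when FILE is mode 0400, owned by OWNER_UID (default: the calling
# user) and carries the TOTP_AUTH, DISALLOW_REUSE and RATE_LIMIT options;
# otherwise 1, printing one line per finding. File format: base32 secret on
# line 1, option lines starting with a double quote, then one 8-digit
# emergency scratch code per line.
audit_ga_secret() {
    local file=$1 owner=${2:-$(id -u)} rc=0
    if [ ! -f "$file" ]; then
        echo "$file: missing (user not enrolled; login fails unless nullok is set)"
        return 1
    fi
    local mode uid
    mode=$(stat -c %a "$file")   # GNU stat: octal permission bits
    uid=$(stat -c %u "$file")    # numeric owner
    [ "$mode" = "400" ] || { echo "$file: mode $mode, expected 400"; rc=1; }
    [ "$uid" = "$owner" ] || { echo "$file: owner uid $uid, expected $owner"; rc=1; }
    head -n1 "$file" | grep -Eq '^[A-Z2-7]{16,}$' || { echo "$file: line 1 is not a base32 secret"; rc=1; }
    for opt in TOTP_AUTH DISALLOW_REUSE RATE_LIMIT; do
        grep -q "^\" $opt" "$file" || { echo "$file: option $opt not set"; rc=1; }
    done
    return $rc
}

# scratch_codes_left FILE: unused emergency codes; the module removes each
# code from the file once it has been accepted.
scratch_codes_left() {
    grep -Ec '^[0-9]{8}$' "$1"
}

# ---- constructed demonstration file (not a real secret) ----
DEMO_DIR=$(mktemp -d)
DEMO_FILE="$DEMO_DIR/.google_authenticator"
cat > "$DEMO_FILE" <<'EOF'
ABCDEFGHIJKLMNOPQRSTUVWXYZ234567
" RATE_LIMIT 3 30
" WINDOW_SIZE 3
" DISALLOW_REUSE
" TOTP_AUTH
12345678
23456789
34567890
EOF
chmod 400 "$DEMO_FILE"

if [ "${1:-}" = "enroll" ]; then
    enroll_user
else
    audit_ga_secret "$DEMO_FILE" && echo "demo file OK, $(scratch_codes_left "$DEMO_FILE") scratch codes left"
fi
```

Run the audit against each enrolled account's real file (for example audit_ga_secret /home/admin/.google_authenticator "$(id -u admin)" as root) before you restart sshd in Step 6; a missing or mis-permissioned file is exactly what locks a user out once the module is required.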

Step 4: Configure PAM to Use Google Authenticator

  1. Open the PAM configuration file:

    sudo vi /etc/pam.d/sshd
  2. Add the following lines at the top of the file, directly after the #%PAM-1.0 header:

    auth required pam_google_authenticator.so
    auth required pam_unix.so

    With the Google Authenticator module first in the auth stack, sshd asks for the verification code before the password. The second line is redundant on Rocky Linux 8, because the auth substack password-auth line that follows already runs pam_unix.so; it is harmless, but you can leave it out. Note that pam_google_authenticator.so fails the login for any user who has no ~/.google_authenticator file, so enroll every account that logs in over SSH before restarting sshd, or add the nullok option to the line during rollout and remove it once everyone is enrolled.

    e.g.

    #%PAM-1.0
    auth required pam_google_authenticator.so
    auth required pam_unix.so
    auth substack password-auth
    auth include postlogin
    account required pam_sepermit.so
    account required pam_nologin.so
    account include password-auth
    password include password-auth
    # pam_selinux.so close should be the first session rule
    session required pam_selinux.so close
    session required pam_loginuid.so
    # pam_selinux.so open should only be followed by sessions to be executed in the user context
    session required pam_selinux.so open env_params
    session required pam_namespace.so
    session optional pam_keyinit.so force revoke
    session optional pam_motd.so
    session include password-auth
    session include postlogin
  3. Save and exit the file.

Step 5: Enable 2FA for SSH

  1. Open the SSH daemon configuration file:

    sudo vi /etc/ssh/sshd_config
  2. Find the line:

    ChallengeResponseAuthentication no

    Change it to:

    ChallengeResponseAuthentication yes

    This enables the keyboard-interactive method, which is what carries the PAM prompts (including the verification code) to the client. In OpenSSH 8.0 as shipped with Rocky Linux 8 the option is still named ChallengeResponseAuthentication; newer releases call it KbdInteractiveAuthentication. Note that the stock file carries a commented-out #ChallengeResponseAuthentication yes above the active line; edit the active one, since sshd uses the first active value it finds for a keyword.
  3. Make sure PAM is enabled. On Rocky Linux 8 the default is already UsePAM yes; if you find the line:

    UsePAM no

    Change it to:

    UsePAM yes
  4. Save and exit. Check that neither directive sits below a Match block: anything after a Match line applies only to the connections that block matches.

Step 6: Restart the SSH Service

Validate the file first with sshd -t, which prints nothing when the configuration is acceptable, and keep the SSH session you are working in open: an established session survives a restart of sshd, so a mistake does not lock you out while you still have it. Then restart SSH to apply the changes:

sudo systemctl restart sshd

Step 7: Test 2FA Authentication

  1. Open a new terminal, leaving the session you used for the configuration open, and try to SSH into the server:

    ssh admin@your-server-ip
  2. You should be prompted for:

    • the verification code from the authenticator app (it comes first, because pam_google_authenticator.so sits at the top of the auth stack in Step 4)

    • your password

    Run the client with ssh -v if something is off: the debug output names the method that succeeded, which should be keyboard-interactive. If your client already has a public key installed on the server, the key alone logs you in and no code is requested, because public key authentication does not go through the PAM auth stack. Step 10 shows how to require a key and a code together.

Step 8: (Optional) Restrict SSH Logins to root and Specific Users

  1. Open /etc/security/access.conf

    sudo vi /etc/security/access.conf
  2. Add a rule of the form permission:users:origins. The following line denies login to everyone except username and root, from any origin:

    -:ALL EXCEPT username root:ALL

    Replace username with the actual username you want to allow. Be clear about what this does and does not do: pam_access only restricts which accounts may log in; it does not check whether a user has enrolled in 2FA. The 2FA requirement itself comes from pam_google_authenticator.so in Step 4, which applies to every login that passes through the PAM auth stack. The rule also takes effect only if pam_access.so is in the account stack; on Rocky Linux 8 it is not there by default and is switched on with authselect's with-pamaccess feature. Get the line right before you enable anything: a mistake here denies everyone, including you.

  3. Save and exit.

Step 9: Ensure You Have Backup Access

  • Set up SSH key-based authentication for an administrative account before you enforce 2FA, and keep the private key somewhere safe. A public key login does not pass through the PAM auth stack, so it keeps working if the TOTP setup is broken, until you require key and code together in Step 10.

  • Test the configuration from a second terminal before logging out of the session you used to make the changes; an established session is not affected by a restart of sshd.

  • Keep your emergency scratch codes safe. Each is a single-use replacement for a TOTP code, so store them like a password, not next to the phone.

Step 10: Require SSH Key + 2FA (After Successful Testing)

Setting PasswordAuthentication no on its own does not give you "key + 2FA only". It disables the plain SSH password method, but the keyboard-interactive method still runs the whole PAM auth stack from Step 4, so pam_unix.so keeps asking for the Unix password, and a client holding a valid key is still let in by the key alone, since public key authentication never consults the PAM auth stack. To require a key and a TOTP code together:

  1. Open /etc/ssh/sshd_config

    sudo vi /etc/ssh/sshd_config
  2. Set:

    PasswordAuthentication no

    and, on a line of its own in the global section (above any Match block), add AuthenticationMethods publickey,keyboard-interactive. That directive makes sshd require a successful public key authentication first and a keyboard-interactive exchange after it.
  3. In /etc/pam.d/sshd, take the password modules out of the auth stack so that the keyboard-interactive exchange asks only for the verification code: comment out auth substack password-auth and the auth required pam_unix.so line from Step 4, leaving auth required pam_google_authenticator.so and auth include postlogin. Leave the account, password and session sections as they are.
  4. Check the configuration with sshd -t, keep your current session open, and restart SSH:

    sudo systemctl restart sshd

    From a second terminal, a user without the key should be refused, and a user with the key should be asked for a verification code but never for a password.
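Steps 4, 5 and 10 all come down to editing two files correctly, and the details are where people lock themselves out: a directive added below a Match block, a commented-out default that a naive grep misses, a stale active line that sshd reads first, a PAM line inserted twice. The script below is an added example, not part of the original guide, that performs those edits on copies of the files in a staging directory and offers sshd -t -f for validation when sshd is available. set_sshd_option, sshd_option_value, pam_prepend_auth, pam_disable_password and validate_sshd_config are hypothetical helper names; the sample sshd_config and pam.d/sshd contents are constructed inline to stand in for the real files.

```shell
#!/bin/bash
# Added example (not from the original guide): apply the sshd_config and
# /etc/pam.d/sshd edits from Steps 4, 5 and 10 idempotently, on copies of the
# files, and validate them before anything is restarted.

# set_sshd_option FILE KEY VALUE
# sshd uses the first value it sees for a keyword, and anything below a Match
# line belongs to that Match block. So: replace the first global occurrence of
# KEY (active or commented out), comment out any later active global copy, and
# if KEY is absent insert it before the first Match line (or at end of file).
set_sshd_option() {
    local file=$1 key=$2 value=$3
    awk -v key="$key" -v value="$value" '
        function first_word(s,    a) {
            sub(/^[[:space:]]*#?[[:space:]]*/, "", s)   # drop indent and a leading #
            split(s, a, /[[:space:]]+/)
            return tolower(a[1])
        }
        tolower($1) == "match" { if (!done) { print key " " value; done = 1 }; in_match = 1 }
        !in_match && !done && first_word($0) == tolower(key) { print key " " value; done = 1; next }
        !in_match && done && tolower($1) == tolower(key) { print "#" $0; next }
        { print }
        END { if (!done) print key " " value }
    ' "$file" > "$file.tmp" && mv "$file.tmp" "$file"
}

# sshd_option_value FILE KEY: the effective global value (first active occurrence).
sshd_option_value() {
    awk -v key="$2" '
        tolower($1) == "match" { exit }
        tolower($1) == tolower(key) { print $2; exit }' "$1"
}

# pam_prepend_auth FILE LINE: put LINE right after the #%PAM-1.0 header, once.
pam_prepend_auth() {
    local file=$1 line=$2
    grep -Fqx "$line" "$file" && return 0
    awk -v line="$line" '
        NR == 1 { if (/^#%PAM-1\.0/) { print; print line } else { print line; print }; next }
        { print }' "$file" > "$file.tmp" && mv "$file.tmp" "$file"
}

# pam_disable_password FILE (Step 10): comment out the password modules in the
# auth stack so keyboard-interactive asks only for the verification code.
pam_disable_password() {
    sed -i -E 's/^(auth[[:space:]]+(substack[[:space:]]+password-auth|required[[:space:]]+pam_unix\.so))/#\1/' "$1"
}

# validate_sshd_config FILE: let the daemon parse the candidate file (needs
# sshd installed and, to load host keys, root). No output means acceptable.
validate_sshd_config() {
    command -v sshd >/dev/null 2>&1 || { echo "sshd not installed here, skipping sshd -t" >&2; return 0; }
    sshd -t -f "$1"
}

# ---- constructed staging copies, standing in for /etc/ssh/sshd_config and /etc/pam.d/sshd ----
STAGE=$(mktemp -d)
cat > "$STAGE/sshd_config" <<'EOF'
# constructed sample that mirrors the relevant Rocky Linux 8 defaults
#ChallengeResponseAuthentication yes
ChallengeResponseAuthentication no
UsePAM yes
#PasswordAuthentication yes
PasswordAuthentication yes
Match User backup
    PasswordAuthentication no
EOF
cat > "$STAGE/pam_sshd" <<'EOF'
#%PAM-1.0
auth       substack     password-auth
auth       include      postlogin
account    required     pam_sepermit.so
account    include      password-auth
session    include      password-auth
EOF

# Steps 4 and 5: password + verification code.
pam_prepend_auth "$STAGE/pam_sshd" "auth required pam_google_authenticator.so"
set_sshd_option "$STAGE/sshd_config" ChallengeResponseAuthentication yes
set_sshd_option "$STAGE/sshd_config" UsePAM yes
# Step 10: public key + verification code, no Unix password anywhere.
set_sshd_option "$STAGE/sshd_config" PasswordAuthentication no
set_sshd_option "$STAGE/sshd_config" AuthenticationMethods publickey,keyboard-interactive
pam_disable_password "$STAGE/pam_sshd"

echo "staged in $STAGE; inspect with: diff /etc/ssh/sshd_config $STAGE/sshd_config"
```

To use it for real, copy /etc/ssh/sshd_config and /etc/pam.d/sshd into the staging directory, run the functions on those copies, run validate_sshd_config on the staged sshd_config as root, diff both files against the originals, and only then copy them back and restart sshd from a session you keep open. The Match-scoped PasswordAuthentication no in the sample is deliberately left untouched: that line belongs to the backup user's block, not to the global section.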

Conclusion

Adding two-factor authentication to your SSH sessions on Rocky Linux 8 is straightforward and significantly improves security. By following the steps outlined in this guide, you can protect your remote connections with an additional authentication factor, making it much harder for malicious actors to compromise your systems.

© DataCore Software Corporation. · https://www.datacore.com · All rights reserved.