How to enable 2FA-enabled SSH log-ins for Rocky Linux
A 2024 study from the University of Utah analyzed 427 million SSH attacks over a four-year period and found that SSH attacks are numerous, persistent, and expected to keep rising in the coming years. Even on a secure enterprise OS like Rocky Linux, sysadmins need to employ every available control to prevent breaches and other malicious behavior.
One of the best ways to further protect SSH-enabled systems is two-factor authentication (2FA) for SSH logins. The SSH protocol itself is sound; the weak point is the credential. Anyone who obtains a valid password or key, whether by guessing, phishing, or reuse after a breach elsewhere, can log in remotely or move laterally between your hosts. Requiring a 2FA code means a stolen credential alone is no longer enough to get in.
Thankfully, it’s easy to enable 2FA logins for SSH on Rocky Linux. With 2FA logins, users must have account credentials and a current 2FA code to access your servers. Setting it up requires installing a PAM module on the server, changing a few configuration files, and installing the Google Authenticator app for any users who’ll be accessing the server.
Let’s take a look at how it’s done.
Getting started with 2FA SSH logins
To add 2FA authentication to your SSH logins, you'll need:
- A running instance of Rocky Linux 9
- A user with sudo privileges on that instance
- A mobile phone to run the Google Authenticator app
If you’d rather not use Google’s solution, take a look at other time-based one-time password (TOTP) solutions like Authy or Bitwarden. This tutorial is only going to cover Google integration.
Set up Rocky Linux for TOTP with Google Authenticator
From your Rocky Linux server, add the Extra Packages for Enterprise Linux (EPEL) repository with the command:
sudo dnf install epel-release -y
When that’s done, install the Google Authenticator software with the command:
sudo dnf install google-authenticator -y
It’s not required, but we recommend installing the qrencode library, which the google-authenticator tool loads to draw the enrollment QR code directly in the terminal window (without it, the QR code is skipped and you type the secret into the app by hand):
sudo dnf install qrencode-libs -y
Install and configure Google Authenticator for your mobile device
Now we’re going to get things working on your mobile device. Install the TOTP app (e.g., Google Authenticator) on your Android or iOS device. The app stores one secret per enrolled account and derives a temporary 6-digit code from that secret and the current time, so every user gets their own codes, changing every 30 seconds.
To associate the TOTP app with a user’s Rocky server account, log in as the user you wish to configure on your server and issue the command:
google-authenticator
You will first be asked if you want the codes to be time-based (yes, you do). Type y and hit Enter on your keyboard. You will then be presented with a QR code. (Note: You might have to resize your terminal window to make it fit.)
Add the server to your mobile device’s Google Authenticator app
Once you have the QR code, open the Google Authenticator app on your phone, create a new entry (click the + icon in the corner), and scan the QR code with the app.
Below the QR code you'll also see the secret key, a verification code, and a set of emergency scratch codes. Save that information in a secure place: the secret key is equivalent to a password (anyone holding it can generate valid codes), and each scratch code is a single-use fallback for when the phone is unavailable.
Type y for the rest of the prompts to finish setup. Those prompts write the secret to ~/.google_authenticator (the file the PAM module reads, created read-only for the user), disallow reuse of a code within its 30-second window, widen the accepted time window to about four minutes to tolerate clock skew, and rate-limit logins to three attempts per 30 seconds. The skew prompt is the one you may want to answer n, which keeps the tighter default window; either way, make sure the server’s clock is synchronized with NTP, or valid codes will be rejected. When you finish, you should be back at the bash prompt, ready to continue.
Configure Rocky Linux PAM files for 2FA SSH logins
Now it’s time to set up your server’s SSH daemon configuration. You’ll need to use sudo to edit it, and on Rocky Linux 9 where you put the settings matters: sshd keeps the first value it reads for each keyword, and /etc/ssh/sshd_config begins with Include /etc/ssh/sshd_config.d/*.conf, where the vendor drop-in 50-redhat.conf already sets ChallengeResponseAuthentication no. Lines appended to the bottom of sshd_config therefore never take effect. Instead, create a drop-in that sorts before the vendor file, such as /etc/ssh/sshd_config.d/20-totp.conf, containing these two lines:
UsePAM yes
KbdInteractiveAuthentication yes
UsePAM is already yes in the vendor drop-in, but stating it keeps the intent explicit. KbdInteractiveAuthentication is the current name for the setting; ChallengeResponseAuthentication still works on Rocky 9 as a deprecated alias.
Next, we're going to modify the Pluggable Authentication Modules (PAM) stack that sshd uses, /etc/pam.d/sshd. This file tells PAM to run the Google Authenticator module as part of SSH authentication, which is what turns the TOTP secret we just created into a second login prompt. A mistake here can lock everyone out, so take great caution when editing it. It’s best practice to back up this file before you make any changes. You can use the command:
sudo cp /etc/pam.d/sshd /etc/pam.d/sshd.bak
The stock file on Rocky Linux 9 already contains the first two auth lines below; add the third directly after them so the TOTP prompt follows the password prompt:
auth substack password-auth
auth include postlogin
auth required pam_google_authenticator.so secret=${HOME}/.google_authenticator nullok no_increment_hotp
A few notes on the options. secret= names the file the module reads; this is the default path, written here for clarity. nullok lets users who have no ~/.google_authenticator file log in with a password alone, which is convenient while you enroll accounts but means an unenrolled account is not protected, so remove nullok once everyone is enrolled. no_increment_hotp only matters for counter-based (HOTP) secrets, where it stops failed attempts from advancing the counter; it is harmless with the time-based codes set up here.
Save and close the file.
Just in case: Set up a failsafe before applying the SSH changes
It’s easy to make mistakes updating PAM files, so before we restart the SSH daemon to apply all the configuration changes, we’re going to set up a failsafe with another SSH session. Open a terminal on another machine on your network, log in via SSH to the server, and keep it open. Once you’re logged in, just leave it alone until we get through the next few steps.
Okay, assuming you have your failsafe SSH session open, have sshd check the new configuration for syntax errors first (sudo sshd -t prints nothing when the files parse cleanly), then restart the SSH daemon using this command:
sudo systemctl restart sshd
Restarting sshd does not drop established connections, so your failsafe session stays logged in.
Cross your fingers because it’s go time!
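The enrollment step and the two server-side edits above, scripted as one added example (this is our code, not part of the original tutorial or of the google-authenticator project). It assumes the Rocky Linux 9 layout described above: sshd_config includes /etc/ssh/sshd_config.d/*.conf, and /etc/pam.d/sshd starts with the password-auth and postlogin lines. The drop-in name 20-totp.conf is our choice; any name that sorts before 50-redhat.conf works. The functions take paths so they can be tried against a scratch directory first; nothing touches /etc unless you pass --apply.

```shell
#!/usr/bin/env bash
# Added example for this tutorial, not code from the original page or from the
# google-authenticator project. Assumes the Rocky Linux 9 config layout; the
# drop-in name 20-totp.conf is our own choice.
set -eu

# Non-interactive equivalent of answering the google-authenticator prompts:
# -t time-based, -d disallow code reuse, -f write the file without asking,
# -r 3 -R 30 rate-limit to 3 tries per 30 s, -W keep the minimal skew window
# (instead of the 4-minute one), -e 5 emergency scratch codes, -Q UTF8 QR output.
enroll_current_user() {
  google-authenticator -t -d -f -r 3 -R 30 -W -e 5 -Q UTF8
}

# Write the sshd drop-in under $1/ssh/sshd_config.d ($1 is /etc for real use,
# a temp dir for a dry run). It sorts before 50-redhat.conf, and sshd keeps the
# first value it reads for each keyword, so these settings win over the vendor
# "ChallengeResponseAuthentication no".
write_sshd_totp_dropin() {
  local root=$1 dropin
  dropin="$root/ssh/sshd_config.d/20-totp.conf"
  mkdir -p "$(dirname "$dropin")"
  cat > "$dropin" <<'EOF'
# TOTP for SSH: must sort before 50-redhat.conf (first value wins)
UsePAM yes
KbdInteractiveAuthentication yes
# Optional, stricter: demand a key AND the PAM stack (password + TOTP)
#AuthenticationMethods publickey,keyboard-interactive
EOF
  chmod 0600 "$dropin"
}

# Insert the Google Authenticator line right after "auth include postlogin" in
# the PAM file $1, keeping a .bak copy. Idempotent: a second run changes nothing.
# nullok stays so unenrolled users can still log in with a password; remove it
# once every account has a ~/.google_authenticator file.
add_pam_totp_line() {
  local pamfile=$1
  local line='auth       required     pam_google_authenticator.so secret=${HOME}/.google_authenticator nullok'
  if grep -q 'pam_google_authenticator\.so' "$pamfile"; then
    return 0
  fi
  cp -p "$pamfile" "$pamfile.bak"
  awk -v new="$line" '
    { print }
    /^auth[[:space:]]+include[[:space:]]+postlogin/ && !done { print new; done = 1 }
  ' "$pamfile" > "$pamfile.tmp"
  mv "$pamfile.tmp" "$pamfile"
  if ! grep -q 'pam_google_authenticator\.so' "$pamfile"; then
    echo "error: no 'auth include postlogin' line in $pamfile; restored backup" >&2
    cp -p "$pamfile.bak" "$pamfile"
    return 1
  fi
}

# Apply for real only when asked. Run as root, with a failsafe SSH session open.
if [ "${1:-}" = "--apply" ]; then
  write_sshd_totp_dropin /etc
  add_pam_totp_line /etc/pam.d/sshd
  sshd -t                                            # syntax check; set -e aborts on failure
  sshd -T | grep -i '^kbdinteractiveauthentication'  # effective value; must say yes
  systemctl restart sshd
fi
```

The sshd -T line is the check that catches the ordering mistake: it prints the value sshd will actually use after all includes are resolved, so if it says no, the drop-in is sorting after the vendor file. Run enroll_current_user as the user being enrolled, not via sudo, so the secret lands in that user's home directory.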
Test from another machine
On yet another machine, open a terminal and attempt an SSH login with the user who ran the google-authenticator command above. That user should first be prompted for their SSH password and then for a verification code. A user who has not enrolled will still get in with a password alone, because of the nullok option in the PAM line; that is expected until you remove it.
Use the verification code from the Google Authenticator app on your phone and type it into the prompt. Upon successful authentication, you should find yourself at the terminal of your Rocky Linux server. Party time!
If you are unable to log in to the server after making these changes, use the failsafe session you opened before restarting sshd to investigate: sshd and PAM log authentication failures to /var/log/secure, which will show whether the module could not read the secret file or the code was rejected. From the same session you can troubleshoot or revert by restoring /etc/pam.d/sshd.bak and removing the sshd configuration changes, then restarting sshd again.
And that's all there is to add 2FA for Rocky Linux SSH logins. This adds an extra layer of security to your logins and can go a long way in preventing bad actors from gaining access to your machines.
Congratulations! You’re more secure with 2FA SSH
So that’s it! Great work! You’ve set up 2FA for SSH for a user on your Rocky Linux server. If you’re looking to do this on other Linux distros, the process is largely the same. Anyone who’s read this far is probably capable of porting over the instructions to other Linux distros.
If you ran into any issues or have specific questions, feel free to send us an email (we can’t promise we can help, but we might): info@ciq.com
And if there are other tutorials you’d like to see, send us an email at the same address. We’d love to produce more helpful Rocky Linux content for you.