Setup MFA/2FA authentication for the CLI
How to set up multi-factor authentication (MFA), also called two-factor authentication (2FA), for the command-line interface (CLI).
Multi-factor authentication (MFA) is an additional security layer for securing servers that are administered remotely: even if an attacker obtains a user's password, they cannot gain control of those machines without the MFA codes, which stay with the user.
In this example we will try the Google Authenticator PAM module. For more information about this project, follow the link below.
$ git clone https://github.com/google/google-authenticator-libpam
If you build and install it without specifying a custom prefix path, the PAM module and its binary are copied to the locations where they are required, so that the module file is accessible during PAM authentication.
During this setup disable SELinux if you do not know which SELinux context to set so that the module is allowed to read the user's directory.
After that, make sure to assign permission 0600 to the file ~/.google_authenticator, that is read and write permission for the user only; to tighten this further you may assign permission 0400, so that the user can only read the file.
Google Authenticator PAM module path:
# ls -1 /lib/security
pam_google_authenticator.la
pam_google_authenticator.so
Run the google-authenticator binary in the user's own environment to create the new secret key file ~/.google_authenticator. It will ask some questions; answer them by pressing y for Yes and n for No.
$ google-authenticator
To use MFA with SSH, enable ChallengeResponseAuthentication by changing its value from no to yes in the file /etc/ssh/sshd_config with a text editor.
# vim /etc/ssh/sshd_config
# grep ^Challenge /etc/ssh/sshd_config
ChallengeResponseAuthentication yes
Then restart the SSH server service:
# systemctl restart sshd
This has been tried on AlmaLinux 8, so there is a chance that the SSH configuration of other OSes differs.
After that, add the line below to the sshd PAM file /etc/pam.d/sshd. In this example I chose the default configuration, where the module reads the ~/.google_authenticator file from the user's home directory; the secret file can be moved to any location the user has access to.
auth required pam_google_authenticator.so secret=~/.google_authenticator nullok
To add MFA for the virtual terminal (console login) as well, add the above line to the file /etc/pam.d/login.