Basically this adds 2FA to your SSH login to foil all those brute forcers.
Install
“qrencode” and “qrencode-libs” are optional; they let google-authenticator display the QR code when the config is generated. Added for completeness.
# dnf -y install epel-release
# dnf -y install google-authenticator qrencode qrencode-libs
Configuration
Fresh install
# google-authenticator -t
> -1 (skip, unless you want to confirm it is working on your phone)
> y (write it out to $HOME/.google_authenticator)
> y (1 login per 30s)
> y (allow skew of up to 4 minutes)
> y (rate limit 3 per 30s)
Fix: /etc/ssh/sshd_config
UsePAM yes
ChallengeResponseAuthentication yes
Fix: /etc/pam.d/sshd. Add to the bottom:
auth required pam_google_authenticator.so
Backup/Restore
Save the .google_authenticator file from each user's home directory. There is one per user.
Further information
Troubleshooting
It’s not asking for google auth?
Check /etc/ssh/sshd_config.d/50-redhat.conf (or /etc/ssh/sshd_config.d/*.conf) for settings that override the ones above.
I want it to NOT ask Google-Auth for some IPs?
Add this line just above the pam_google_authenticator.so line:
auth [success=1 default=ignore] pam_access.so accessfile=/etc/security/access.conf
Format of /etc/security/access.conf
+ : ALL : 192.168.1.0/24
+ : ALL : LOCAL
+ : ALL : OTHERIPSHERE
#All other hosts need two step verification
- : ALL : ALL
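The bypass above relies on two details: success=1 skips exactly one module, and pam_access grants access when no rule matches. As an added example (not part of the original post; the function names and sample files are constructed), this script checks both conditions:

```shell
#!/bin/sh
# Added example; function names and sample files are constructed.

# Print the effective (non-blank, non-comment) lines of a file.
effective() { grep -Ev '^[[:space:]]*(#|$)' "$1"; }

# Pass only if the success=1 pam_access line is directly followed by
# pam_google_authenticator.so. success=1 skips exactly one module, so a
# line in between means the wrong module is skipped.
check_pam_stack() {
    effective "$1" | awk '
        prev && !/pam_google_authenticator\.so/ { bad = 1 }
        { prev = (/pam_access\.so/ && /success=1/) }
        /pam_google_authenticator\.so/ { seen = 1 }
        END { exit (bad || prev || !seen) }'
}

# Pass only if the last effective rule is "- : ALL : ALL". pam_access
# grants access when no rule matches, so without it every source
# address would skip the verification code.
check_access_conf() {
    effective "$1" | tail -n 1 | tr -d '[:space:]' | grep -qx -- '-:ALL:ALL'
}

# Constructed sample files: one correct and one broken variant of each.
demo=$(mktemp -d)
bypass='auth [success=1 default=ignore] pam_access.so accessfile=/etc/security/access.conf'
totp='auth required pam_google_authenticator.so'
printf '%s\n' "$bypass" "$totp" > "$demo/pam.good"
printf '%s\n' "$bypass" 'auth required pam_env.so' "$totp" > "$demo/pam.bad"
printf '%s\n' '+ : ALL : 192.168.1.0/24' '+ : ALL : LOCAL' \
    '#All other hosts need two step verification' '- : ALL : ALL' > "$demo/access.good"
printf '%s\n' '+ : ALL : 192.168.1.0/24' '+ : ALL : LOCAL' > "$demo/access.bad"

for f in pam.good pam.bad; do
    check_pam_stack "$demo/$f" && echo "$f: ok" || echo "$f: bypass skips the wrong module"
done
for f in access.good access.bad; do
    check_access_conf "$demo/$f" && echo "$f: ok" || echo "$f: no final deny-all rule"
done
```

On a real host, call check_pam_stack /etc/pam.d/sshd and check_access_conf /etc/security/access.conf after each edit.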
There is definitely no package google-authenticator on Alma Linux 9!