How to configure MFA for the SSH service on RHEL 8 - nomorespice/rhel8-howto GitHub Wiki
This procedure will guide you through the installation and configuration of Google Authenticator on a Red Hat Enterprise Linux 8 server.
This document assumes that:
- you installed the RHEL 8 x64 Operating System according to How to install RHEL 8 via kickstart
- you are performing these tasks as root
- you are performing these tasks in order, as some tasks require others to be completed first
```bash
dnf -y --enablerepo=epel install google-authenticator qrencode
/bin/cat <<\EOT >>/etc/pam.d/sshd
# skip one-time password if logging in from the local network
auth [success=done default=ignore] pam_access.so accessfile=/etc/security/access-local.conf
auth required pam_google_authenticator.so secret=~/.ssh/.google_authenticator nullok
EOT
```
Be sure to enter your own local network range in place of 192.168.1.0/24:
```bash
/bin/cat <<\EOT >/etc/security/access-local.conf
# only allow from local IP range
+ : ALL : 192.168.1.0/24
+ : ALL : LOCAL
- : ALL : ALL
EOT
```
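```bash
# enable keyboard-interactive (PAM) prompts so sshd can ask for the one-time code
/bin/sed -i "s/ChallengeResponseAuthentication no/ChallengeResponseAuthentication yes/" /etc/ssh/sshd_config
# probe the client every 120 seconds and disconnect after 2 unanswered probes
/bin/sed -i "s/#ClientAliveInterval 0/ClientAliveInterval 120/" /etc/ssh/sshd_config
/bin/sed -i "s/#ClientAliveCountMax 3/ClientAliveCountMax 2/" /etc/ssh/sshd_config
# require a public key first, then the PAM conversation
/bin/sed -i "/IgnoreRhosts/ a AuthenticationMethods publickey,keyboard-interactive:pam" /etc/ssh/sshd_config
systemctl restart sshd
```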
Run this step as your own local (non-root) account:
```bash
google-authenticator
```
In order to support SELinux, move your Google Authenticator keyfile into the ~/.ssh directory:
```bash
cd ~
mv .google_authenticator .ssh/
```
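The checks below confirm that the steps above took effect. This is an added example, not part of the original wiki; the function names and the `--live` switch are assumptions made here. It covers two things the procedure does not report on its own: `sed -i` exits successfully even when its pattern matched nothing, and `nullok` lets any account without a secret file log in without a code.

```bash
#!/bin/bash
# Added example: post-change checks for the procedure above. File paths are
# arguments, so the checks can also be run against copies of the files.

# Print the effective value of a keyword (sshd uses the first occurrence).
sshd_value() {   # usage: sshd_value KEYWORD FILE
    awk -v k="$1" 'tolower($1) == tolower(k) { $1 = ""; sub(/^ +/, ""); print; exit }' "$2"
}

# sed -i exits 0 even when nothing matched, so confirm the edits landed.
check_sshd_config() {   # usage: check_sshd_config FILE
    _rc=0
    [ "$(sshd_value ChallengeResponseAuthentication "$1")" = "yes" ] ||
        { echo "FAIL: ChallengeResponseAuthentication is not yes"; _rc=1; }
    [ "$(sshd_value AuthenticationMethods "$1")" = "publickey,keyboard-interactive:pam" ] ||
        { echo "FAIL: AuthenticationMethods is not publickey,keyboard-interactive:pam"; _rc=1; }
    return "$_rc"
}

# The local-network skip only works if pam_access.so runs before the OTP module.
check_pam_order() {   # usage: check_pam_order FILE
    _acc=$(grep -n '^auth.*pam_access\.so' "$1" | head -n 1 | cut -d: -f1)
    _otp=$(grep -n '^auth.*pam_google_authenticator\.so' "$1" | head -n 1 | cut -d: -f1)
    [ -n "$_otp" ] || { echo "FAIL: pam_google_authenticator.so not in auth stack"; return 1; }
    { [ -n "$_acc" ] && [ "$_acc" -lt "$_otp" ]; } ||
        { echo "FAIL: pam_access.so must precede pam_google_authenticator.so"; return 1; }
}

# With nullok, an account that has no secret file is never asked for a code.
homes_without_secret() {   # usage: homes_without_secret HOME_DIR...
    for _h in "$@"; do
        [ -s "$_h/.ssh/.google_authenticator" ] || echo "$_h"
    done
}

# "--live" checks the real files; /home/* as the home location is an assumption.
if [ "${1:-}" = "--live" ]; then
    check_sshd_config /etc/ssh/sshd_config
    check_pam_order /etc/pam.d/sshd
    echo "Accounts that can still skip the OTP prompt (no secret file):"
    homes_without_secret /home/*
fi
```

On the server itself, `sshd -T` prints the effective configuration, including any `Match` or `Include` handling that this file-based check does not model.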