How to configure MFA for the SSH service on RHEL 8

nomorespice edited this page Jul 23, 2020 · 4 revisions

This procedure will guide you through the installation and configuration of Google Authenticator on a Red Hat Enterprise Linux 8 server.

This document assumes that:

  • you installed the RHEL 8 x64 Operating System according to How to install RHEL 8 via kickstart
  • you are performing these tasks as root
  • you are performing these tasks in order, as some tasks require others to be completed first

Install required software

dnf -y --enablerepo=epel install google-authenticator qrencode

Configure PAM

/bin/cat <<\EOT >>/etc/pam.d/sshd
# skip one-time password if logging in from the local network
auth [success=done default=ignore] pam_access.so accessfile=/etc/security/access-local.conf
auth required pam_google_authenticator.so secret=~/.ssh/.google_authenticator nullok
EOT

Create the access file to bypass MFA

Be sure to enter your own local network range.

/bin/cat <<\EOT >/etc/security/access-local.conf
# only allow from local IP range
+ : ALL : 192.168.1.0/24
+ : ALL : LOCAL
- : ALL : ALL
EOT

Configure the SSHD service

/bin/sed -i "s/ChallengeResponseAuthentication no/ChallengeResponseAuthentication yes/" /etc/ssh/sshd_config
/bin/sed -i "s/#ClientAliveInterval 0/ClientAliveInterval 120/" /etc/ssh/sshd_config
/bin/sed -i "s/#ClientAliveCountMax 3/ClientAliveCountMax 2/" /etc/ssh/sshd_config
/bin/sed -i "/IgnoreRhosts/ a AuthenticationMethods publickey,keyboard-interactive:pam" /etc/ssh/sshd_config
systemctl restart sshd
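The sed one-liners above silently do nothing if their pattern is not present in the installed sshd_config, so it is worth checking the resulting files rather than trusting the edit. The following POSIX sh checker is an added example, not part of the original page: it reads the three files this procedure writes (defaulting to their paths, with an optional path argument so copies can be tested) and returns non-zero when a setting is missing.

```shell
#!/bin/sh
# Added verification helper (not from the original wiki page).
# Each function returns 0 on success; an optional argument overrides the path.

# Return 0 when an sshd_config keyword is set (uncommented) to the given value.
sshd_has() {
    # $1 = config file, $2 = keyword, $3 = expected value
    grep -Eiq "^[[:space:]]*$2[[:space:]]+$3[[:space:]]*$" "$1"
}

# Return 0 when sshd_config carries every setting this page sets.
check_sshd_config() {
    f="${1:-/etc/ssh/sshd_config}"
    sshd_has "$f" ChallengeResponseAuthentication yes &&
    sshd_has "$f" ClientAliveInterval 120 &&
    sshd_has "$f" ClientAliveCountMax 2 &&
    sshd_has "$f" AuthenticationMethods 'publickey,keyboard-interactive:pam'
}

# Return 0 when the pam_access file ends with the catch-all deny rule, so a
# host outside the listed range cannot skip the one-time password.
check_access_file() {
    f="${1:-/etc/security/access-local.conf}"
    last=$(grep -Ev '^[[:space:]]*(#|$)' "$f" | tail -n 1 | tr -d '[:space:]')
    [ "$last" = "-:ALL:ALL" ]
}

# Return 0 when /etc/pam.d/sshd lists the pam_access bypass before the
# pam_google_authenticator line (the order the heredoc above produces).
check_pam_sshd() {
    f="${1:-/etc/pam.d/sshd}"
    a=$(grep -n 'pam_access.so' "$f" | cut -d: -f1 | head -n 1)
    g=$(grep -n 'pam_google_authenticator.so' "$f" | cut -d: -f1 | head -n 1)
    [ -n "$a" ] && [ -n "$g" ] && [ "$a" -lt "$g" ]
}

# Run all three checks against the live system when executed directly.
check_all() {
    check_sshd_config && check_access_file && check_pam_sshd
}
```

On the live host, `sshd -T | grep -i authenticationmethods` (as root) shows the value sshd actually loaded after the restart, which is the final word if the file check and the daemon disagree.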

Set up your account to use Google Authenticator

This should be done as your local (non-root) account.

google-authenticator

In order to work with SELinux, move your Google Authenticator key file into the ~/.ssh directory:

cd ~
mv .google_authenticator .ssh/