Oracle Linux 2FA SSH Guide

Resources

Steps

  • Download the latest version available from the link above
    • wget <link>
  • Install google-authenticator rpm
    • yum --nogpgcheck localinstall google-authenticator<tab>.rpm (press Tab to complete the downloaded file name)
  • Install qrencode-libs dependency
    • yum install qrencode-libs
  • Run google-authenticator
    • google-authenticator
    • Follow the prompts, answering yes to each of them
    • Scan QR code with Authenticator app
    • Copy down emergency codes
  • Copy google-authenticator config to writable location
    • cp ~/.google_authenticator ~/.ssh/.google_authenticator
  • Update PAM file
    • sudo nano /etc/pam.d/sshd
    • Comment out:
      • auth substack password-auth
    • Add under the previous line:
      • auth required pam_google_authenticator.so secret=/home/${USER}/.ssh/.google_authenticator
  • Update SSHD config
    • sudo nano /etc/ssh/sshd_config
    • Ensure the following are set:
      • PermitRootLogin no
      • AuthorizedKeysFile .ssh/authorized_keys
      • PermitEmptyPasswords no
      • PasswordAuthentication no
      • ChallengeResponseAuthentication yes
      • UsePAM yes
    • At the bottom of the file add:
      • AuthenticationMethods publickey,keyboard-interactive
  • Restart sshd service
    • sudo systemctl restart sshd
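
A check to run before the restart step, as an added example that is not part of the original guide: sshd keeps the first value it reads for each keyword, and anything placed after a Match header applies only to that block, so "set" and "add at the bottom" can both silently fail to take effect. The function names are hypothetical, the sample files are constructed, and the parser assumes whitespace-separated "Keyword value" lines.

```shell
#!/usr/bin/env bash
# Added example: audit the two files edited above before restarting sshd.

# Print the first global value of KEYWORD in FILE, lowercased. sshd keeps the
# first value it reads for a keyword, and lines after a "Match" header are
# conditional, so parsing stops there.
effective_value() {
  awk -v want="$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')" '
    /^[ \t]*#/ || /^[ \t]*$/ { next }
    tolower($1) == "match" { exit }
    tolower($1) == want { $1 = ""; sub(/^[ \t]+/, ""); print tolower($0); exit }
  ' "$1"
}

# Succeed when password-auth is no longer an active auth substack and
# pam_google_authenticator.so is an active "auth required" line with secret=.
pam_ok() {
  ! grep -Eq '^[[:space:]]*auth[[:space:]]+substack[[:space:]]+password-auth' "$1" &&
    grep -Eq '^[[:space:]]*auth[[:space:]]+required[[:space:]]+pam_google_authenticator\.so.*secret=' "$1"
}

# audit_ssh_2fa SSHD_CONFIG PAM_FILE: print each mismatch, return 1 on any.
audit_ssh_2fa() {
  local cfg="$1" pam="$2" rc=0 spec key want got
  for spec in PermitRootLogin=no PermitEmptyPasswords=no PasswordAuthentication=no \
      ChallengeResponseAuthentication=yes UsePAM=yes \
      AuthenticationMethods=publickey,keyboard-interactive; do
    key=${spec%%=*} want=${spec#*=}
    got=$(effective_value "$cfg" "$key")
    if [ "$got" != "$want" ]; then
      echo "FAIL $key: global value '${got:-unset}', expected '$want'"; rc=1
    fi
  done
  pam_ok "$pam" || { echo "FAIL $pam: auth lines differ from the steps above"; rc=1; }
  return "$rc"
}

# Constructed sample: write a config pair that follows the steps into DIR.
write_sample() {
  printf '%s\n' 'PermitRootLogin no' 'PermitEmptyPasswords no' \
    'PasswordAuthentication no' 'ChallengeResponseAuthentication yes' \
    'UsePAM yes' 'AuthenticationMethods publickey,keyboard-interactive' > "$1/sshd_config"
  printf '%s\n' '#auth substack password-auth' \
    'auth required pam_google_authenticator.so secret=/home/${USER}/.ssh/.google_authenticator' \
    > "$1/pam_sshd"
}
```

After sourcing the file, run `audit_ssh_2fa /etc/ssh/sshd_config /etc/pam.d/sshd`; `sudo sshd -t` separately checks the file for syntax errors. Keep the current SSH session open until a second login succeeds with both factors.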