Enabling two-factor authentication (2FA) adds a second check on top of the password when someone logs in to your Oracle Linux server. In this tutorial, we’ll walk you through enabling 2FA on an Oracle Linux server. Before we begin, make sure you have a working Oracle Linux server and administrative access to it.
Table of Contents
- Prerequisites
- Installing Google Authenticator PAM module
- Configuring SSH for 2FA
- Setting up Google Authenticator for users
- Testing the 2FA setup
- Conclusion
How to set up Two-Factor Authentication on Oracle Linux
1. Prerequisites
Before we proceed, you need to have the following prerequisites:
- A working Oracle Linux server with SSH access (refer to our guide on how to use SSH keys on Oracle Linux)
- Root access or an account with sudo privileges
- A smartphone with the Google Authenticator app installed
2. Installing Google Authenticator PAM module
First, let’s install the necessary package for Google Authenticator. Log in to your Oracle Linux server via SSH and run the following command:
sudo yum install google-authenticator -y
This command installs the Google Authenticator PAM (Pluggable Authentication Module) for our server.
3. Configuring SSH for 2FA
After installing the Google Authenticator PAM module, we need to configure SSH to use it for 2FA. To do this, open the /etc/pam.d/sshd file using your preferred text editor, such as vim or nano. In this example, we’ll use vim:
sudo vim /etc/pam.d/sshd
Add the following line at the beginning of the file:
auth required pam_google_authenticator.so
Next, open the SSH configuration file /etc/ssh/sshd_config:
sudo vim /etc/ssh/sshd_config
Find the line that starts with ChallengeResponseAuthentication and change its value to yes. If the line is commented out (i.e., it starts with a #), remove the # to uncomment it:
ChallengeResponseAuthentication yes
Save the changes and restart the SSH service:
sudo systemctl restart sshd
4. Setting up Google Authenticator for users
Now, each user who requires 2FA must set up their own Google Authenticator. As a user, run the following command:
google-authenticator
This command generates a QR code, a secret key, a verification code, and emergency scratch codes. Do not share these with anyone. Use your smartphone to scan the QR code with the Google Authenticator app, or manually enter the secret key.
The google-authenticator command will ask you a series of questions. Answer them as follows:
- Do you want authentication tokens to be time-based (y/n): Enter y for time-based tokens, which are more secure.
- Do you want me to update your “/home/username/.google_authenticator” file? (y/n): Enter y to save the generated settings to the .google_authenticator file.
- Do you want to disallow multiple uses of the same authentication token? This restricts you to one login about every 30s, but it increases your chances to notice or even prevent man-in-the-middle attacks (y/n): Enter y for added security.
- By default, tokens are good for 30 seconds and to compensate for possible time-skew between the client and the server, we allow an extra token before and after the current time. If you experience problems with poor time synchronization, you can increase the window from its default size of 1:30min to about 4min. Do you want to do so (y/n)? Enter n to keep the default settings.
- If the computer that you are logging into isn’t hardened against brute-force login attempts, you can enable rate-limiting for the authentication module. By default, this limits attackers to no more than 3 login attempts every 30s. Do you want to enable rate-limiting (y/n)? Enter y to enable rate-limiting.
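To show what the time-based, token-reuse and window answers control, here is an added Python model of TOTP verification (RFC 6238). It is not the PAM module's own code; the Verifier class, its parameters and the constructed RFC test secret are assumptions made for illustration.

```python
import base64
import hashlib
import hmac
import struct

STEP = 30  # seconds a token is valid, as stated in the prompt text
SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"  # constructed: RFC 4226 test key, base32

def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte counter, then dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def totp(secret_b32: str, now: int) -> str:
    """RFC 6238: HOTP where the counter is floor(unix_time / STEP)."""
    return hotp(base64.b32decode(secret_b32), now // STEP)

class Verifier:
    """Hypothetical server-side check with a skew window and replay guard."""

    def __init__(self, secret_b32: str, window: int = 1, disallow_reuse: bool = True):
        self.key = base64.b32decode(secret_b32)
        self.window = window            # 1 = one extra token before and after
        self.disallow_reuse = disallow_reuse
        self.used = set()               # time steps that already logged in

    def verify(self, code: str, now: int) -> bool:
        current = now // STEP
        for counter in range(max(0, current - self.window), current + self.window + 1):
            expected = hotp(self.key, counter)
            if hmac.compare_digest(code.encode(), expected.encode()):
                if self.disallow_reuse and counter in self.used:
                    return False        # same token presented twice: replay
                self.used.add(counter)
                return True
        return False                    # outside the accepted window

if __name__ == "__main__":
    v = Verifier(SECRET)
    now = 59                            # falls in time step 1
    print("current token:", totp(SECRET, now))
    print("previous-step token accepted:", v.verify(totp(SECRET, now - STEP), now))
    print("same token again accepted:", v.verify(totp(SECRET, now - STEP), now))
    print("token two steps ahead accepted:", v.verify(totp(SECRET, now + 2 * STEP), now))
```

With window=1 the server accepts three tokens at any moment (previous, current, next), which is the default 1:30min span the prompt describes.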
5. Testing the 2FA setup
Now that you’ve set up 2FA for your user account, it’s time to test the configuration. Open a new terminal window or SSH client and attempt to log in to your Oracle Linux server using your username and password. After entering your password, you’ll be prompted for a verification code.
Open the Google Authenticator app on your smartphone and enter the current 6-digit code displayed in the app. If everything is set up correctly, you’ll be granted access to the server. If you encounter any issues, review the previous steps and ensure your configurations are correct.
6. Conclusion
Congratulations! You’ve successfully enabled two-factor authentication on your Oracle Linux server using Google Authenticator. This added layer of security will help protect your server from unauthorized access. Remember that each user on your server needs to configure Google Authenticator individually to use 2FA.