In today’s increasingly digital world, security is of paramount importance. One effective way to add an extra layer of protection to your Oracle Linux server is by enabling two-factor authentication (2FA). In this tutorial, we’ll walk you through the process of how to enable 2FA on Oracle Linux server. Before we begin, make sure you have a working Oracle Linux server and administrative access to it.
Table of Contents
- Installing Google Authenticator PAM module
- Configuring SSH for 2FA
- Setting up Google Authenticator for users
- Testing the 2FA setup
How to set up Two-Factor Authentication on Oracle Linux
Before we proceed, you need to have the following prerequisites:
- A working Oracle Linux server with SSH access (refer to our guide on how to use SSH keys on Oracle Linux)
- Root access or an account with sudo privileges
- A smartphone with the Google Authenticator app installed
2. Installing Google Authenticator PAM module
First, let’s install the necessary package for Google Authenticator. Log in to your Oracle Linux server via SSH and run the following command:
sudo yum install google-authenticator -y
This command installs the Google Authenticator PAM (Pluggable Authentication Module) for our server.
How to Enable 2FA on Oracle Linux
3. Configuring SSH for 2FA
After installing the Google Authenticator PAM module, we need to configure SSH to use it for 2FA. To do this, open the
/etc/pam.d/sshd file using your preferred text editor, such as vim or nano. In this example, we’ll use vim:
sudo vim /etc/pam.d/sshd
Add the following line at the beginning of the file:
auth required pam_google_authenticator.so
Next, open the SSH configuration file
sudo vim /etc/ssh/sshd_config
Find the line that starts with
ChallengeResponseAuthentication and change its value to
yes. If the line is commented out (i.e., it starts with a
#), remove the
# to uncomment it:
Save the changes and restart the SSH service:
sudo systemctl restart sshd
4. Setting up Google Authenticator for users
Now, each user who requires 2FA must set up their own Google Authenticator. As a user, run the following command:
This command generates a QR code, a secret key, verification code, and emergency scratch codes. Do not share these with anyone. Use your smartphone to scan the QR code with the Google Authenticator app, or manually enter the secret key.
google-authenticator command will ask you a series of questions. Answer them as follows:
- Do you want authentication tokens to be time-based (y/n): Enter
yfor time-based tokens, which are more secure.
- Do you want me to update your “/home/username/.google_authenticator” file? (y/n): Enter
yto save the generated settings to the
- Do you want to disallow multiple uses of the same authentication token? This restricts you to one login about every 30s, but it increases your chances to notice or even prevent man-in-the-middle attacks (y/n): Enter
yfor added security.
- By default, tokens are good for 30 seconds and to compensate for possible time-skew between the client and the server, we allow an extra token before and after the current time. If you experience problems with poor time synchronization, you can increase the window from its default size of 1:30min to about 4min. Do you want to do so (y/n)? Enter
nto keep the default settings.
- If the computer that you are logging into isn’t hardened against brute-force login attempts, you can enable rate-limiting for the authentication module. By default, this limits attackers to no more than 3 login attempts every 30s. Do you want to enable rate-limiting (y/n)? Enter
yto enable rate-limiting.
5. Testing the 2FA setup
Now that you’ve set up 2FA for your user account, it’s time to test the configuration. Open a new terminal window or SSH client and attempt to log in to your Oracle Linux server using your username and password. After entering your password, you’ll be prompted for a verification code.
Open the Google Authenticator app on your smartphone and enter the current 6-digit code displayed in the app. If everything is set up correctly, you’ll be granted access to the server. If you encounter any issues, review the previous steps and ensure your configurations are correct.
Congratulations! You’ve successfully enabled two-factor authentication on your Oracle Linux server using Google Authenticator. This added layer of security will help protect your server from unauthorized access. Remember that each user on your server needs to configure Google Authenticator individually to use 2FA.
For more tutorials on Oracle Linux, check out our other guides: