How to install and configure 2FA on AlmaLinux?

Jack Wallen walks you through enabling two-factor authentication on the new CentOS fork, AlmaLinux.

In light of the CentOS kerfuffle, you may want to move your Linux servers to the new fork, AlmaLinux (check out Clearing the CentOS Stream confusion). If so, you have probably found the process either remarkably automatic or a little difficult. Once AlmaLinux is up and running, one of the first things you can do is set up two-factor authentication (2FA) for SSH. After all, you don't want SSH logins to your servers protected by a single factor, not in today's world.

How do you do this? Allow me to walk you through it.

What are you going to need?

  • A user with sudo privileges
  • An authenticator app on a mobile device (on Android or iOS, I prefer Authy)

How to install the google-authenticator command on AlmaLinux

First, we must install the google-authenticator command on AlmaLinux. This software is found in the EPEL repository, which must be enabled first with the command:

sudo dnf install epel-release -y

Once the repo is enabled, install the software (and a tool that will allow QR codes to be printed within a terminal window) with the command:

sudo dnf install google-authenticator qrencode-libs -y

How to create an SSH key

You don’t actually need an SSH key on the AlmaLinux server, but you will need the ~/.ssh directory. You can create that manually, but you’d have to make sure the permissions are perfect, otherwise there will be problems. Because of that, it’s best to just let SSH handle the creation of that directory. 

To create an SSH key, issue the command:

ssh-keygen

Accept the default location (~/.ssh) and create a password for the key.

How to generate the QR code for 2FA

In order to add AlmaLinux to your 2FA app, we have to run the google-authenticator command. However, we’re going to run it such that it dumps the necessary file into the newly-created ~/.ssh directory. The command for this is:

google-authenticator -s ~/.ssh/google_authenticator

Make sure to answer y to all the questions. When you see the QR code printed in the terminal window (you'll probably have to expand your terminal window to view the entire code), make sure to add it with your authenticator app on your mobile device; how you do that will depend on the app you use.

Since we’re storing the google_authenticator file in a non-standard location, we need to restore the SELinux context with the command:

sudo restorecon -Rv ~/.ssh/

How to configure SSH for 2FA

Now that you have 2FA set up, you'll need to configure SSH to work with it. Open the PAM configuration file for the SSH daemon with the command:

sudo nano /etc/pam.d/sshd

At the bottom of that file, add the following two lines:

auth       required     pam_google_authenticator.so secret=/home/${USER}/.ssh/google_authenticator nullok
auth       required     pam_permit.so

Save and close the file. 

Open the SSH config file with the command:

sudo nano /etc/ssh/sshd_config

Look for the two lines:

#ChallengeResponseAuthentication yes
ChallengeResponseAuthentication no

Change those lines to:

ChallengeResponseAuthentication yes
#ChallengeResponseAuthentication no

Save and close the file. Restart the SSH daemon with the command:

sudo systemctl restart sshd
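
One way to double-check the two edits above while your current session is still open. This is an added example, not part of the original article: check_ssh_2fa is a hypothetical helper name, and the sample files at the bottom are constructed to mirror the lines shown in this guide.

```bash
#!/usr/bin/env bash
# Added example (not from the article): audit the two files this guide edits.
# check_ssh_2fa is a hypothetical helper name; the paths default to the guide's.
check_ssh_2fa() {
    local pam="${1:-/etc/pam.d/sshd}"
    local cfg="${2:-/etc/ssh/sshd_config}"
    local rc=0 ga cr

    # Active (uncommented) auth line that loads the Google Authenticator module.
    ga=$(grep -E '^[[:space:]]*auth[[:space:]].*pam_google_authenticator\.so' "$pam" || true)
    if [ -z "$ga" ]; then
        echo "FAIL: no active pam_google_authenticator.so auth line in $pam"
        rc=1
    else
        echo "OK: pam_google_authenticator.so is in the auth stack"
        # nullok makes the module step aside for accounts with no secret file.
        if echo "$ga" | grep -qw 'nullok'; then
            echo "WARN: nullok set; accounts without a secret file skip the 2FA prompt"
        fi
    fi

    # sshd keeps the first value it reads for a keyword; keywords are case-insensitive.
    cr=$(grep -iE '^[[:space:]]*ChallengeResponseAuthentication[[:space:]]' "$cfg" \
        | head -n 1 | awk '{print tolower($2)}')
    if [ "$cr" = "yes" ]; then
        echo "OK: ChallengeResponseAuthentication yes"
    else
        echo "FAIL: ChallengeResponseAuthentication is '${cr:-not set}' in $cfg"
        rc=1
    fi
    return "$rc"
}

# Constructed sample files mirroring the edits made in this guide.
demo=$(mktemp -d)
cat > "$demo/pam_sshd" <<'EOF'
auth       required     pam_google_authenticator.so secret=/home/${USER}/.ssh/google_authenticator nullok
auth       required     pam_permit.so
EOF
cat > "$demo/sshd_config" <<'EOF'
ChallengeResponseAuthentication yes
#ChallengeResponseAuthentication no
EOF
check_ssh_2fa "$demo/pam_sshd" "$demo/sshd_config"
rm -rf "$demo"
```

On the server itself, run `sudo bash -c` around the function or call it from a root shell with no arguments so it reads /etc/pam.d/sshd and /etc/ssh/sshd_config.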

How to log in with SSH 2FA

This is important. You’re going to want to test the login before you exit out of your current terminal window, in case something went wrong. Open a second terminal on your local machine and SSH to the remote server. You should be first prompted for a password (or SSH key password, if you have SSH key authentication set up) and then for the 2FA code. If you’re allowed in, success! If not, go back through and check your work.

And that’s how you enable 2FA on the CentOS fork, AlmaLinux. Hopefully, you’ve started to adopt this authentication method for all of your Linux servers. To make this even more secure, you should also enable SSH key authentication.

Rajat Singh
Rajat Singh is the chief author at Bioinformatics India. He has been writing for the past 3 years and has a special interest in SEO, technology, health, life sciences and gaming.
