
How to combine SSH key authentication and two-factor authentication on Linux

Jack Wallen shows you how to set up both two-factor authentication and SSH key authentication for a rock-solid remote login of your Linux servers.

Chances are you administer your Linux machines by logging in via SSH. If so, you should already have configured two-factor authentication to lock down that login. But what if you want to go one step further and require SSH key authentication as well? Requiring both a key and a one-time code means that a stolen password, or even a copied private key, is not enough on its own to get a shell on your server.

I've covered both setting up two-factor authentication on CentOS 7 and Linux, and SSH key authentication on Linux. It's actually quite an easy task to undertake.

However, there's one catch. You cannot simply configure two-factor authentication the way you would for a password login. When sshd is told to require both a public key and a keyboard-interactive (PAM) step, the PAM stack must prompt only for the one-time code and not for the account password as well; otherwise you end up with either a double prompt or a silent fallback to the password. It's no harder than setting up either system on its own, you just have to make a few configuration changes in the right order.

What you need

You should first have console access to the Linux server you are going to configure, either physically or through an out-of-band console. The last thing you want is to be working on this remotely, only to find you've locked yourself out of your machine. While you test, also keep an existing SSH session open and use a second terminal for every login attempt, so a mistake never costs you your only connection. Next, make sure that both two-factor authentication and SSH key authentication work independently. Do these one at a time. First set up two-factor authentication. Once that is working, comment out the new lines in both /etc/ssh/sshd_config and /etc/pam.d/sshd and restart sshd. Once two-factor authentication is disabled, set up SSH key authentication. After you are able to log into your server using key authentication, we'll re-configure two-factor authentication to work alongside the key.

The configuration

The first thing to do is open /etc/pam.d/sshd. Earlier you commented out (added a # at the beginning of) this line:

auth required pam_google_authenticator.so

Uncomment it again, or if it is missing add it near the top of the file (under #%PAM-1.0). Keep the control flag as required rather than sufficient. With sufficient, a correct code ends the stack immediately, which looks right in testing, but PAM ignores a failed sufficient module and carries on with whatever follows it. On Debian and Ubuntu that is the @include common-auth line, on RHEL and CentOS the auth substack password-auth line, so a wrong or missing code simply falls back to a Unix password prompt, and anyone holding the key and the password gets in without the authenticator app. Instead, leave the module required and comment out that password include, so that the keyboard-interactive step asks for the verification code and nothing else. Save and close that file.

Next, open /etc/ssh/sshd_config. In that file, you'll need to configure the following lines:

ChallengeResponseAuthentication yes
UsePAM yes
AuthenticationMethods publickey,keyboard-interactive
PasswordAuthentication no

If you see any of the above lines commented out, remove the # to uncomment them. If you don't see any of the above lines, add them. If you see those lines configured in any different way, edit them to reflect the above. Two details matter here: the comma in AuthenticationMethods means the key and the keyboard-interactive (PAM) step are both required, in that order, and on OpenSSH 8.7 and later ChallengeResponseAuthentication is an alias for KbdInteractiveAuthentication, so either name works. Put the lines in the global section of the file, above any Match block, because sshd uses the first value it reads for a keyword and a setting inside a Match block applies only to that match. Once you've made those modifications, save and close the file, and check the syntax with sudo sshd -t before restarting, since a typo here will stop sshd from coming back up. Then restart sshd with the command:

sudo systemctl restart sshd

You should now be able to log into the server with the combination of two-factor authentication and SSH key authentication: from a second terminal, ssh in and expect the key to be checked first, followed by a Verification code: prompt and no password prompt. If the login fails, keep your original session open and read the sshd messages in the authentication log (journalctl -u sshd, or /var/log/auth.log on Debian and Ubuntu) before changing anything. If everything looks right and it still fails, reboot the server. I've witnessed a few instances where restarting the SSH daemon wasn't enough.
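Because it is easy to leave a stray active line behind, or to forget the PAM fall-through, here is a small helper script to rehearse the procedure above on copies of the files before touching the live ones. This is an added example and not part of the original article or of any project's code. It assumes the standard paths /etc/ssh/sshd_config and /etc/pam.d/sshd, and it assumes the usual names of the system password stack (common-auth on Debian and Ubuntu, password-auth or system-auth on RHEL and CentOS); adjust those if your distribution differs.

```bash
#!/usr/bin/env bash
# Added example (not from the article): apply the tutorial's sshd_config
# settings idempotently and audit a pam.d/sshd file for the password
# fall-through that "auth sufficient" creates. Every function takes the
# file as an argument so it can be rehearsed on copies first.
set -eu

# Comment out any active global "KEY ..." line and prepend "KEY VALUE".
# sshd uses the first value it reads for a keyword, so the prepended line
# wins; lines inside Match blocks are left alone because they scope to
# that match only.
set_sshd_option() {
  local file=$1 key=$2 value=$3 tmp
  tmp=$(mktemp)
  awk -v key="$key" -v value="$value" '
    BEGIN { print key " " value; lk = tolower(key) }
    tolower($0) ~ /^[ \t]*match[ \t]/ { inmatch = 1 }
    !inmatch {
      line = tolower($0); sub(/=/, " ", line); split(line, f)
      if (f[1] == lk) { print "#" $0; next }
    }
    { print }
  ' "$file" > "$tmp"
  cat "$tmp" > "$file"   # keeps the original owner and mode of the file
  rm -f "$tmp"
}

# Print the effective global value of KEY (first active line before any
# Match block), or nothing if it is unset.
get_sshd_option() {
  awk -v key="$2" '
    BEGIN { lk = tolower(key) }
    tolower($0) ~ /^[ \t]*match[ \t]/ { exit }
    /^[ \t]*#/ || NF == 0 { next }
    { line = $0; sub(/=/, " ", line); split(line, f)
      if (tolower(f[1]) == lk) { print f[2]; exit } }
  ' "$1"
}

# The four settings from the tutorial.
apply_tutorial_sshd() {
  set_sshd_option "$1" ChallengeResponseAuthentication yes
  set_sshd_option "$1" UsePAM yes
  set_sshd_option "$1" AuthenticationMethods publickey,keyboard-interactive
  set_sshd_option "$1" PasswordAuthentication no
}

# Parse-check a config without starting anything (sshd -t -f FILE).
check_sshd_config() {
  command -v sshd >/dev/null && sshd -t -f "$1"
}

# Classify a pam.d/sshd file:
#   ok          required TOTP and no password stack: key + code only
#   fallthrough sufficient TOTP followed by a password stack: a wrong
#               code is ignored and PAM asks for the Unix password
#   review      anything else (e.g. required TOTP plus a password stack,
#               which prompts for code AND password)
#   no-totp     pam_google_authenticator not in the auth stack
# Assumed password stack names: common-auth (Debian/Ubuntu),
# password-auth / system-auth (RHEL/CentOS), or pam_unix.so directly.
pam_audit() {
  awk '
    /^[ \t]*#/ || NF == 0 { next }
    {
      is_pw = 0
      if (tolower($1) == "@include" && $2 ~ /^(common-auth|password-auth|system-auth)$/) is_pw = 1
      if (tolower($1) == "auth" && ($0 ~ /pam_unix\.so/ || $3 ~ /^(common-auth|password-auth|system-auth)$/)) is_pw = 1
      if (tolower($1) == "auth" && $0 ~ /pam_google_authenticator\.so/) {
        totp = tolower($2); seen = 1
      } else if (is_pw) {
        if (seen) pw_after = 1; else pw_before = 1
      }
    }
    END {
      if (!seen) print "no-totp"
      else if (totp == "sufficient" && pw_after) print "fallthrough"
      else if (totp == "required" && !pw_after && !pw_before) print "ok"
      else print "review"
    }
  ' "$1"
}

# Touch the live files only when asked explicitly; keep a console open.
if [ "${1-}" = "--apply" ]; then
  cp -p /etc/ssh/sshd_config "/etc/ssh/sshd_config.$(date +%Y%m%d%H%M%S).bak"
  apply_tutorial_sshd /etc/ssh/sshd_config
  check_sshd_config /etc/ssh/sshd_config
  echo "PAM stack verdict: $(pam_audit /etc/pam.d/sshd)"
fi
```

To rehearse, copy the two files somewhere writable, source the script, run apply_tutorial_sshd and pam_audit on the copies, and diff them against the originals; the audit must say ok before you restart sshd. The script deliberately never restarts the daemon for you.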

Solid SSH security

You'd be hard-pressed to find a more secure means of logging into your Linux servers than the combination of SSH key authentication and a one-time code: an attacker now needs the private key and the authenticator, and a leaked password by itself gets them nothing. Get this set up on a test server, confirm from a second terminal that the key is checked and the code is prompted for, and then roll it out to the rest of your Linux servers.


About Jack Wallen

Jack Wallen is an award-winning writer for TechRepublic and Linux.com. He’s an avid promoter of open source and the voice of The Android Expert. For more news about Jack Wallen, visit his website jackwallen.com.

