CentOS: Enabling Two-Factor Authentication for Enhanced Security

With Protectimus multi-factor authentication (MFA) solution, you can set up CentOS two-factor authentication (2FA) in a few steps.

1. How CentOS Two-Factor Authentication (2FA) Works

After you enable CentOS 2FA, your users will need to use two authentication passwords to get access to their CentOS accounts:

1. The first is a standard password (something the user keeps in memory);
2. The second is a one-time password valid only for 30 or 60 seconds (the one-time password is generated with the help of a hardware OTP token or a 2FA app on a user’s phone – something that the user owns and has to carry with them).

This way, the CentOS account becomes protected with two different authentication factors. Even if the hacker steals the users’s password using phishing, brute force, social engineering, data spoofing, or any other attack, they can’t access the CentOS account without the one-time password from a user’s 2FA token.

This guide shows how you can set up CentOS two-factor authentication (2FA) using Protectimus RADIUS 2FA component for the integration with Protectimus Cloud 2FA service or Protectimus On-Premise MFA Platform.

2. How to Enable CentOS Two-Factor Authentication (2FA)

You can set up CentOS two-factor authentication (2FA) with Protectimus using the RADIUS protocol:

1. Get registered with Protectimus SAAS 2FA Service or On-Premise 2FA Platform and configure basic settings.
2. Install Protectimus PAM module for CentOS 2FA
3. Install and configure Protectimus RADIUS Server module.

2.1. Get Registered and Configure Basic Protectimus Settings

1. Register with the Protectimus Cloud Service and activate API or install the Protectimus On-Premise Platform (if you install Protectimus Platform on Windows, check the Radius box during the installation).
2. Add Resource.
3. Add Users.
4. Add Tokens or activate Users’ Self Service Portal.
5. Assign Tokens to Users.
6. Assign Tokens with Users to the Resource.

2.2. Install Protectimus PAM module for CentOS 2FA

yum -y install epel-release
yum -y install pam_radius

2.3. Install and configure Protectimus RADIUS Server

1. Install protectimus-radius

git clone https://github.com/protectimus/platform-linux.git
cd platform-linux/radius
edit config/radius.yml
docker compose up -d

2. Configure radius.yml file.
   
   Configure Protectimus RADIUS Server settings in the radius.yml file. It must be located in the same directory as the executable.
   
   You will find detailed instructions on available properties that you can add to the radius.yml file in our Protectimus RADIUS Server Configuration Guide.
   
   The example of radius.yml file configuration:

radius:
  secret: secret
  auth-port: 1812

auth:
  #  Could be :
  #  - LDAP
  #  - PROTECTIMUS_PASSWORD
  #  - PROTECTIMUS_OTP
  #  - PROTECTIMUS_PUSH
  providers:
	- PROTECTIMUS_OTP

protectimus-api:
  login: login@domain.com
  api-key: aslkjdljsdlaskmWpXjT5K0xqLXkd3
  url: https://api.protectimus.com/
  resource-name: radius
  resource-id: 723

3. Edit pam_radius config, configure secret
   
   /etc/pam_radius.conf

# server[:port] shared_secret  	timeout (s)
127.0.0.1   	secret         	1

4. Configure SSH to use challenge response
   
   /etc/ssh/sshd_config

ChallengeResponseAuthentication yes

5. Execute the command systemctl restart sshd

6. Configure PAM for SSH to use RADIUS
   
   Add auth required pam_radius_auth.so after auth substack password-auth into /etc/pam.d/sshd

#%PAM-1.0
auth   	required 	pam_sepermit.so
# protectimus pam radius
auth   	substack 	password-auth
auth   	required 	pam_radius_auth.so
auth   	include  	postlogin
# Used with polkit to reauthorize users in remote sessions
-auth  	optional 	pam_reauthorize.so prepare