

Multi-Factor Authentication for CLi machine


Multi-factor authentication (MFA) is an additional security layer for servers, especially those administered remotely: an attacker who obtains a user's password still cannot gain control of the machine without the MFA codes, which stay with the user.

Below is the link to the project:
https://github.com/google/google-authenticator-libpam


Download the project on the local machine using the git clone command:

git clone https://github.com/google/google-authenticator-libpam

If you do not pass a custom prefix path, the PAM module compiles and installs its binary at the default path, so the Google Authenticator module file is accessible during PAM authentication.

During this configuration SELinux had to be disabled, unless you know how to set the SELinux context that allows access to the user's directory. After that, the permissions of the .google_authenticator file should be 0600 (read and write for the owner only) or, more restrictively, 0400 (read-only for the owner).


gauth pam module path: /lib/security

$ ls /lib/security
pam_google_authenticator.la
pam_google_authenticator.so

Two main files belong to the gauth PAM module: pam_google_authenticator.la and pam_google_authenticator.so.

The google-authenticator binary needs to be run in the user's own environment to initiate MFA; it creates the .google_authenticator file under the user's home directory. It asks several questions; answer y for yes and n for no.

To use MFA with SSH, edit the file /etc/ssh/sshd_config, change the value of ChallengeResponseAuthentication from no to yes, and restart the SSH server service.

# systemctl restart sshd

This has been tried on AlmaLinux 8, so the SSH configuration of other OSes may differ.

Then add the line below to the sshd PAM file /etc/pam.d/sshd. In this case I have used the default configuration, in which the module reads .google_authenticator from the user's home directory; the secret= option can point to any location the user can access.

auth required pam_google_authenticator.so secret=~/.google_authenticator nullok

To add MFA for the virtual terminal as well, add the same line to the file /etc/pam.d/login, as was done for SSH in the file /etc/pam.d/sshd.
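
As an added check (not part of google-authenticator-libpam or of this page's original steps), the script below audits the three pieces configured above: the secret file's mode, the ChallengeResponseAuthentication directive and the PAM auth line. File paths are passed as arguments so it can be pointed at the real files or at the constructed samples that demo() writes to a temp dir.

```shell
# Added audit script (not from google-authenticator-libpam); paths are passed in.

# 0 when the secret file exists and is mode 0600 or 0400, as the text requires.
check_secret_mode() {
    [ -f "$1" ] || return 1
    mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1")
    case "$mode" in 600|400) return 0 ;; *) return 1 ;; esac
}

# 0 when sshd_config turns on ChallengeResponseAuthentication. sshd uses the
# first occurrence of a keyword, so a later "yes" would not override a "no".
check_sshd_config() {
    val=$(grep -iE '^[[:space:]]*ChallengeResponseAuthentication[[:space:]]' "$1" |
          awk '{print tolower($2)}' | head -n 1)
    [ "$val" = "yes" ]
}

# 0 when the PAM service file has an active line requiring the module for auth.
check_pam_service() {
    grep -Eq '^[[:space:]]*auth[[:space:]]+required[[:space:]]+pam_google_authenticator\.so' "$1"
}

# 0 when that line carries nullok, which lets a user who has not yet run
# google-authenticator log in without a code; revisit once everyone has enrolled.
pam_allows_missing_secret() {
    grep -E '^[[:space:]]*auth[[:space:]]+required[[:space:]]+pam_google_authenticator\.so' "$1" |
        grep -q nullok
}

# Runs the checks against constructed sample files (not real secrets) in a
# temp dir; returns 0 only when every check passes.
demo() {
    d=$(mktemp -d) || return 1
    printf 'ChallengeResponseAuthentication yes\nUsePAM yes\n' > "$d/sshd_config"
    printf 'auth required pam_google_authenticator.so secret=~/.google_authenticator nullok\n' > "$d/sshd"
    printf 'CONSTRUCTEDBASE32SECRET\n" TOTP_AUTH\n' > "$d/.google_authenticator"
    chmod 0600 "$d/.google_authenticator"
    check_secret_mode "$d/.google_authenticator" &&
        check_sshd_config "$d/sshd_config" &&
        check_pam_service "$d/sshd"
    rc=$?
    pam_allows_missing_secret "$d/sshd" && echo "note: nullok is set in $d/sshd"
    rm -rf "$d"
    return $rc
}
```

Run demo to see the checks pass on the samples, then call the individual functions on /etc/ssh/sshd_config, /etc/pam.d/sshd and the user's ~/.google_authenticator.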


Last updated on 30 June 2023 10:43 am IST