Rocky Linux 9 Google Auth install guide?

Hi all,

I’m trying to install and activate Google Authenticator for SSH on Rocky Linux 9 and I’m hitting some speed bumps. Does anyone have a guide on how to do this?

I installed these RPMs from EPEL9:

google-authenticator-1.09-5.el9.x86_64.rpm
qrencode-4.1.1-1.el9.x86_64.rpm
qrencode-libs-4.1.1-1.el9.x86_64.rpm

Edited /etc/pam.d/sshd and played with various authenticator related options. Simply adding …

auth required pam_google_authenticator.so

… to the top of it doesn’t seem to suffice, though. I also tried …

auth required pam_google_authenticator.so secret=${HOME}/.google_authenticator

… instead, as my .google_authenticator files are directly in the home directories of users.

Also tried all the usual stuff in /etc/ssh/sshd_config that seems to work in EL7 and EL8 and on Debian or Ubuntu. Like …

UsePAM yes
PasswordAuthentication no
ChallengeResponseAuthentication yes

Then the typical guides for other distributions recommend to set either …

AuthenticationMethods publickey,keyboard-interactive:pam

… or …

AuthenticationMethods publickey,keyboard-interactive

…, but then SSHd on Rocky9 refuses to start, as “keyboard-interactive” allegedly isn’t supported.

My bottom line so far is: either SSHd refuses to start, or it goes straight to key-based authentication, ignoring the authenticator. And yes: the user I’m trying to log in as has run “google-authenticator”, finished the setup, linked the authenticator and has a sensible .google_authenticator file in his home directory.

echo "ChallengeResponseAuthentication yes" > /etc/ssh/sshd_config.d/10-gauth.conf

and restart sshd

Thank you, @Ritov! This didn’t get me all the way there, but it made me look in the right places. I had overlooked /etc/ssh/sshd_config.d/ and hadn’t been aware that I had files in there that were overriding whatever I directly put into my modified /etc/ssh/sshd_config.

For the benefit of others who look for a solution and stumble across this topic, here is what I did:

From EPEL9 I installed these RPMs:

dnf install google-authenticator qrencode qrencode-libs

Then I fixed up the SSH configuration:

sed -i 's|^ChallengeResponseAuthentication no|#ChallengeResponseAuthentication no|g' /etc/ssh/sshd_config.d/50-redhat.conf

echo "ChallengeResponseAuthentication yes" > /etc/ssh/sshd_config.d/10-gauth.conf

Edited /etc/pam.d/sshd to change it to this:

#%PAM-1.0

auth       substack     password-auth
auth       include      postlogin
# Second factor, asked after the password stack above has succeeded.
# nullok: a user with no ~/.google_authenticator is let through without a code.
# no_increment_hotp: failed attempts do not advance the HOTP counter.
auth       required     pam_google_authenticator.so secret=${HOME}/.google_authenticator nullok no_increment_hotp

account    required     pam_sepermit.so
account    required     pam_nologin.so
account    include      password-auth
password   include      password-auth
# pam_selinux.so close should be the first session rule
session    required     pam_selinux.so close
session    required     pam_loginuid.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session    required     pam_selinux.so open env_params
session    required     pam_namespace.so
session    optional     pam_keyinit.so force revoke
session    optional     pam_motd.so
session    include      password-auth
session    include      postlogin

Then I made some further changes to /etc/ssh/sshd_config and my combined SSHd config now looks like this:

# cat /etc/ssh/sshd_config.d/* /etc/ssh/sshd_config | grep -v ^# | awk NF
PermitRootLogin yes
ChallengeResponseAuthentication yes
Include /etc/crypto-policies/back-ends/opensshserver.config
SyslogFacility AUTHPRIV
GSSAPIAuthentication yes
GSSAPICleanupCredentials no
UsePAM yes
X11Forwarding yes
PrintMotd no
Include /etc/ssh/sshd_config.d/*.conf
AuthorizedKeysFile      .ssh/authorized_keys
Subsystem       sftp    /usr/libexec/openssh/sftp-server
PermitRootLogin yes
StrictModes no
AllowTcpForwarding no
X11Forwarding no
X11DisplayOffset 10
PubkeyAuthentication yes
Protocol 2
Port 22

# Want password-auth generally on? Use this:
PasswordAuthentication yes

# Want password only for users of google-authenticator group,
# provided they don't have a pubkey set up? Use this instead:
Match Group google-authenticator
    AuthenticationMethods publickey keyboard-interactive
Match all
    AuthenticationMethods publickey

Then I added the group ‘google-authenticator’ and added all users with configured Google Authenticator to it:

groupadd google-authenticator
usermod -aG google-authenticator [username of user with GoogleAuth set up]

That way it now works like this:

  • User not in group ‘google-authenticator’ and doesn’t have SSH keys exchanged?

They get: Permission denied (publickey).

  • User has SSH key exchanged, but isn’t in ‘google-authenticator’ group?

Can login w/o password - just with the SSH key.

  • User has SSH key exchanged, is in group ‘google-authenticator’ and has authenticator configured?

They get in just with the key.

  • User has NO key exchanged, is in group ‘google-authenticator’ and has authenticator configured?

They get asked for their password and the verification code from the authenticator.

There are probably other/better ways to do it, but the above suits my usage needs best. Playing around with ‘AuthenticationMethods’, one can pretty much tweak it to other use cases, such as requiring OTP and/or passwords for key-based logins as well.

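The root cause in the post above is how sshd merges /etc/ssh/sshd_config with the files pulled in by its Include line: the first value read for a keyword wins, and on EL9 the Include sits at the top of the main file, so every drop-in is read before anything edited further down. The script below is an added example, not code from the thread or from OpenSSH; it builds a constructed copy of that layout in a temporary directory (the file names and the two settings mirror the thread, everything else is made up) and reproduces the merge rule to show why the main-file edit lost and why a 10-gauth.conf drop-in wins over 50-redhat.conf.

```shell
#!/usr/bin/env bash
# Added example (not from the original thread): a small model of sshd's
# "first obtained value for a keyword wins" merge across the main config and
# the files matched by its Include line. The directory tree is constructed in
# a temp dir; $SSHROOT stands in for /. Simplification: one pattern per Include.

# render_effective <config file>
# Prints "Keyword value" lines in the order sshd reads them: comments and blank
# lines dropped, each Include replaced by the shell-sorted glob expansion of
# its pattern, recursively.
render_effective() {
  local file=$1 key rest f
  while read -r key rest || [ -n "$key" ]; do
    if [ -z "$key" ]; then continue; fi
    case "$key" in \#*) continue ;; esac
    if [ "$(printf '%s' "$key" | tr 'A-Z' 'a-z')" = include ]; then
      for f in $SSHROOT$rest; do            # unquoted on purpose: glob, sorted by the shell
        if [ -f "$f" ]; then render_effective "$f"; fi
      done
    else
      printf '%s %s\n' "$key" "$rest"
    fi
  done < "$file"
  return 0
}

# effective_value <keyword> <main config>
# Echoes the value sshd applies globally for <keyword>: the first match in
# reading order. Everything from the first Match block onward is conditional
# per connection and is ignored here (that is what `sshd -T -C ...` is for).
effective_value() {
  local want
  want=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
  render_effective "$2" | while read -r k v; do
    k=$(printf '%s' "$k" | tr 'A-Z' 'a-z')
    if [ "$k" = match ]; then break; fi
    if [ "$k" = "$want" ]; then
      printf '%s\n' "$v"
      break
    fi
  done
  return 0
}

# build_demo_tree
# Constructed EL9-style layout: stock main file with Include at the top, the
# vendor drop-in 50-redhat.conf, and the edit the poster made to the main file.
build_demo_tree() {
  SSHROOT=$(mktemp -d)
  mkdir -p "$SSHROOT/etc/ssh/sshd_config.d"
  cat > "$SSHROOT/etc/ssh/sshd_config" <<'EOF'
# Include comes first, so every drop-in is read before the rest of this file
Include /etc/ssh/sshd_config.d/*.conf
UsePAM yes
# Edit made in the main file: never wins, because 50-redhat.conf set it first
ChallengeResponseAuthentication yes
EOF
  cat > "$SSHROOT/etc/ssh/sshd_config.d/50-redhat.conf" <<'EOF'
ChallengeResponseAuthentication no
EOF
}

# Effective value with only the main-file edit: the drop-in wins ("no").
before_fix() {
  build_demo_tree
  effective_value ChallengeResponseAuthentication "$SSHROOT/etc/ssh/sshd_config"
  rm -rf "$SSHROOT"
}

# Effective value after adding 10-gauth.conf as in the thread: "10-" sorts
# before "50-" in the glob, so it is read first and wins ("yes").
after_fix() {
  build_demo_tree
  echo "ChallengeResponseAuthentication yes" > "$SSHROOT/etc/ssh/sshd_config.d/10-gauth.conf"
  effective_value ChallengeResponseAuthentication "$SSHROOT/etc/ssh/sshd_config"
  rm -rf "$SSHROOT"
}

printf 'before adding 10-gauth.conf: %s\nafter adding 10-gauth.conf:  %s\n' \
  "$(before_fix)" "$(after_fix)"
```

On a real host, skip the model and ask the daemon: `sshd -T` dumps the effective global configuration after all Includes are merged (on OpenSSH 8.7+ the keyword may be printed under its new name, so grep for both: `sshd -T | grep -i -e kbdinteractive -e challengeresponse`), and `sshd -T -C user=alice,addr=192.0.2.10` shows what a given user and client address would get once the Match blocks are applied, which is the check to run before trusting an `AuthenticationMethods` policy like the one in the post.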

Thanks for the detailed guideline on this :)
