How to protect Linux command line login with adaptive MFA
You can protect SSH with adaptive MFA to meet the most stringent authentication requirements. Set up MFA in Linux as a passwordless or risk-based smart MFA login flow.
SecureAuth is first and foremost a security company helping enterprises stand up a robust IAM practice to apply identity verification and security for each and every user login request. SecureAuth’s technology focus is on real-time threat detection to stop persistent malicious attacks on your systems while still delivering a positive authentication experience to users.
While many organizations consistently apply the best-in-class security practices to protect login to applications and network devices, we see too frequently that they do not extend the same level of protection to their Linux servers. Requiring MFA at the Linux endpoint creates a layered defensive posture that is nearly impossible for a bad actor to penetrate, even with compromised credentials or a leaked SSH key. SecureAuth Endpoint for Linux ensures the users accessing your systems are truly the verified users you expect without compromise.
Secure console authentication to virtually any Linux server
The Linux version of SecureAuth Endpoint is designed as a PAM module and is technically very similar to the macOS version of the SecureAuth Endpoint PAM module, with a few distinct differences. For instance, the way we query Active Directory to get group membership is not natively available in Linux, so we had to implement this querying in the Linux version.
The new SecureAuth Endpoint for Linux is designed specifically for console authentication. When a user establishes an SSH connection or tries to execute an elevated command like sudo, the user is prompted for a password and a second factor (MFA). For a passwordless console authentication flow, the password step is replaced by the user’s SSH public key: the SecureAuth Endpoint for Linux PAM module triggers a 2FA prompt immediately after public key-based authentication completes.
Push authentication for Linux with SecureAuth Authenticate push OTP
Console authentication with MFA is extremely fast and can be done as a traditional password-based or passwordless login flow (with an SSH key).
Login flow scenario 1 – Linux command line login with password and MFA
For this login flow we have an MFA policy for the Linux servers with push authentication (push notification) through the SecureAuth Authenticate mobile authenticator app.
Here is a summary of the login experience for you as a user:
- In the command line, SSH to your Linux system, i.e.
- Enter password.
- If multiple MFA methods are allowed, you will see a list of enabled MFA methods. Select the number corresponding to the method you want, e.g. SecureAuth Authenticate Push.
- You will get a login approval push notification on your phone. Approve the login.
- You are now authenticated.
Login flow scenario 2 – Linux command line login with passwordless MFA
For a passwordless login flow, upload your public key to the SSH key section on the Linux server – the SSH key will serve as your first factor, replacing the password step.
- SSH into your Linux system, i.e.
- Select “SecureAuth Authenticate Push” (needed only if more MFA options are available).
- Accept push notification on your phone.
- You are authenticated.
Using the SecureAuth Authenticate mobile app to login via push notification as your second factor will create a fast and effective passwordless login flow to securely access your Linux server with MFA. Your first factor is the SSH key, your second factor is SecureAuth Authenticate Push.
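For the passwordless flow to hold up against a leaked SSH key, sshd must refuse to finish a login on the key alone. The following check is an added example, not SecureAuth code or part of the installer: it reads `sshd -T` output and fails if any accepted login chain skips the PAM prompt. It assumes the MFA PAM module is reached through OpenSSH's keyboard-interactive method; the function and sample names are hypothetical and the sample configurations are constructed.

```shell
#!/bin/sh
# Added example, not SecureAuth code. Checks `sshd -T` output (effective config)
# so that no accepted login chain skips the PAM-driven second-factor prompt.
# Assumption: the MFA PAM module prompts through the keyboard-interactive method.

audit_sshd_mfa() {   # stdin: `sshd -T` output; returns 0 only if MFA cannot be skipped
    awk '
    { key = tolower($1) }
    key == "usepam" { usepam = tolower($2) }
    key == "kbdinteractiveauthentication" || key == "challengeresponseauthentication" {
        if (tolower($2) == "yes") kbd = 1      # option name differs by OpenSSH version
    }
    key == "authenticationmethods" {
        seen = 1
        for (i = 2; i <= NF; i++) {            # each field is one acceptable chain
            n = split($i, m, ","); has_kbd = 0
            for (j = 1; j <= n; j++)
                if (m[j] ~ /^keyboard-interactive(:pam)?$/) has_kbd = 1
            if (!has_kbd) { print "FAIL: chain \"" $i "\" never reaches the PAM prompt"; bad = 1 }
        }
    }
    END {
        if (usepam != "yes") { print "FAIL: usepam is not yes"; bad = 1 }
        if (!kbd)  { print "FAIL: keyboard-interactive authentication is disabled"; bad = 1 }
        if (!seen) { print "FAIL: authenticationmethods is not set"; bad = 1 }
        if (!bad) print "OK: every login chain includes keyboard-interactive (PAM)"
        exit (bad ? 1 : 0)
    }'
}

# Constructed samples in `sshd -T` format (not taken from a real host).
sample_enforced() {
    cat <<'EOF'
usepam yes
pubkeyauthentication yes
kbdinteractiveauthentication yes
authenticationmethods publickey,keyboard-interactive
EOF
}

sample_key_only() {
    cat <<'EOF'
usepam yes
pubkeyauthentication yes
kbdinteractiveauthentication yes
authenticationmethods any
EOF
}

sample_enforced | audit_sshd_mfa || true
sample_key_only | audit_sshd_mfa || true
```

On a server, pipe the real effective configuration into the function with `sshd -T | audit_sshd_mfa` (run as root). `Match` blocks are only evaluated when `sshd -T` is given a connection specification with `-C`.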
Getting started with SecureAuth Endpoint for Linux – Installation
This is how you set up SecureAuth Endpoint on the Linux server in 6 simple steps:
- Configure the SecureAuth Endpoint client in SecureAuth Admin and add a policy.
- Download the SecureAuth Endpoint configuration file (config.json file) from SecureAuth Admin
- Download SecureAuth Endpoint client from www.secureauth.com (i.e.
- Save both the installer and the json files in the same folder on the target Linux machine
- Give the installer execution permissions, same as any Linux binary
- Run the
Configuration changes and installer updates
SecureAuth Endpoint makes an API call to SecureAuth IDaaS for every authentication request to ask for a list of allowed MFA methods. You can modify your MFA settings in SecureAuth without updating the config.json file for the SecureAuth Endpoint for Linux.
If you change configuration parameters for SecureAuth Endpoint (such as “Group Bypass”), you will have to reinstall the client with the updated JSON config file. Similarly, when you install a new version of SecureAuth Endpoint, you just run the installer with the JSON config file in the same directory as the installer.
Supported Linux distributions for SecureAuth Endpoint
As of April 2021, SecureAuth has tested and actively supports SecureAuth Endpoint client on the following Linux distributions:
- RedHat 8 and newer
- Debian 10 and newer
- Ubuntu 20.04 and newer
Secure your Linux servers. Today.
Applying MFA is a documented best practice outlined by NIST in the publication Framework for Improving Critical Infrastructure Cybersecurity. The SecureAuth Endpoint client for Linux delivers the convenience your developer and admin users expect with the security organizations require.
When we first designed the SecureAuth Endpoint client for Linux, we were pursuing a security goal of making the risk of compromised credentials go away for good. Today, SecureAuth Endpoint makes it possible for any DevOps, infrastructure or engineering team to do just that — a complete switch away from SSH with password to a fully passwordless Linux console login.
So there you have it, folks: SecureAuth Endpoint provides the assurance organizations need to keep bad actors out and protect against compromise, breaches and data exfiltration.
Please reach out to us if you would like to try Linux login with MFA using the graphical user interface.