# MFA - Multi-Factor Authentication

MFA can be enabled on any standard system with the following configuration:

```yaml
# disable kerberos authentication
ssh_server::enable_gssapi: false

# disable ssh key authentication
ssh_server::enable_public_key: false

aaa::radius_auth: true
aaa::radius_shared_secret: ENC[PKCS7,MIIBuQYJK...9Z82qA==]
aaa::radius_servers: [ 'nps01.psi.ch', 'nps02.psi.ch' ]
aaa::radius_timeout: 60
```

Besides this, ensure that `ChallengeResponseAuthentication yes` is set in your sshd config. This is the default configuration, so if no changes were made to sshd this should be OK.

The prerequisites are that your server can reach the RADIUS servers (in the example, nps01.psi.ch and nps02.psi.ch) and that you have received a shared secret from the RADIUS admin.
(At the time of writing, the RADIUS servers are supported by group 9521.)
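
To confirm that a host actually ended up with the sshd settings described above, the following added example (not part of the original page or of the project's own code) audits the output of `sshd -T`. It assumes that `ssh_server::enable_gssapi` and `ssh_server::enable_public_key` map to sshd's `GSSAPIAuthentication` and `PubkeyAuthentication`; the function name `check_mfa_sshd` and the sample input are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example: audit the effective sshd settings the MFA setup relies on.
# Usage on a real host (as root):  sshd -T | check_mfa_sshd
# Prints one line per deviation and returns non-zero if any is found.
check_mfa_sshd() {
  awk '
    BEGIN { bad = 0 }
    # Value of an option, or "unset" if sshd -T did not report it.
    function get(k) { return (k in opt) ? opt[k] : "unset" }
    function want(k, v) {
      if (get(k) != v) { print "FAIL " k "=" get(k) " (want " v ")"; bad = 1 }
    }
    # sshd -T prints one "keyword value" pair per line, keywords in lower case.
    NF >= 2 { opt[tolower($1)] = tolower($2) }
    END {
      # Assumed mapping: ssh_server::enable_gssapi -> GSSAPIAuthentication
      want("gssapiauthentication", "no")
      # Assumed mapping: ssh_server::enable_public_key -> PubkeyAuthentication
      want("pubkeyauthentication", "no")
      # OpenSSH 8.7 and later report ChallengeResponseAuthentication under
      # its newer name, KbdInteractiveAuthentication; accept either.
      cr = "challengeresponseauthentication"
      if (!(cr in opt)) cr = "kbdinteractiveauthentication"
      want(cr, "yes")
      exit bad
    }'
}

# Constructed sample (not captured from a real host): public keys still enabled.
sample='gssapiauthentication no
pubkeyauthentication yes
kbdinteractiveauthentication yes'

printf '%s\n' "$sample" | check_mfa_sshd || echo "sshd settings deviate from the MFA configuration"
```

This checks only the sshd side; reachability of the RADIUS servers and the shared secret still have to be verified separately.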