To use Advanced Authentication in SSH (Secure Shell) mode, install the Advanced Authentication Linux PAM Client on the server to which you want to make the SSH connection. For more information on how to install the Linux PAM Client, see Installing and Uninstalling Linux PAM Client.
After installation, configure the following parameters in the file /etc/ssh/sshd_config:
Set PasswordAuthentication to no
Set ChallengeResponseAuthentication to yes
NOTE: On RHEL 9 server and workstation, there might be an issue loading the associated authentication chains during logon. Therefore, in addition to the above configuration, you must comment out the following parameters in the /etc/ssh/sshd_config.d/50-redhat.conf file:
ChallengeResponseAuthentication no
GSSAPIAuthentication yes
GSSAPICleanupCredentials no
To apply the changes in the file sshd_config, you must restart the SSH service. To restart the SSH service, run the command sudo service sshd restart in the terminal.
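The edits described above can be scripted so that they are repeatable and backed up. The following is an added example, not part of the product documentation or the vendor's tooling; the function names and the .orig backup suffix are assumptions.

```shell
#!/bin/sh
# Added example, not vendor code; function names and .orig suffix are assumptions.

# set_option FILE KEY VALUE
# Rewrite every active KEY line to "KEY VALUE". If there is none, put the line
# at the top of the file: sshd uses the first value it reads for a keyword, and
# a line appended at the end could land inside a trailing Match block.
set_option() {
    file=$1 key=$2 value=$3 tmp="$1.tmp.$$"
    awk -v key="$key" -v val="$value" '
        tolower($1) == tolower(key) { print key " " val; next }
        { print }
    ' "$file" > "$tmp"
    if ! grep -qxF "$key $value" "$tmp"; then
        { printf '%s %s\n' "$key" "$value"; cat "$file"; } > "$tmp"
    fi
    # Write back through the original inode to keep owner, mode and labels.
    cat "$tmp" > "$file" && rm -f "$tmp"
}

# comment_out FILE KEY VALUE
# Prefix the active "KEY VALUE" line with "#", leaving other lines untouched.
comment_out() {
    file=$1 tmp="$1.tmp.$$"
    awk -v key="$2" -v val="$3" '
        tolower($1) == tolower(key) && tolower($2) == tolower(val) { print "#" $0; next }
        { print }
    ' "$file" > "$tmp"
    cat "$tmp" > "$file" && rm -f "$tmp"
}

# apply_aa_ssh_settings MAIN_CONFIG DROPIN
# DROPIN is only edited if it exists (the RHEL 9 case described in the note).
apply_aa_ssh_settings() {
    main=$1 dropin=$2
    cp -p "$main" "$main.orig"
    set_option "$main" PasswordAuthentication no
    set_option "$main" ChallengeResponseAuthentication yes
    if [ -f "$dropin" ]; then
        cp -p "$dropin" "$dropin.orig"
        comment_out "$dropin" ChallengeResponseAuthentication no
        comment_out "$dropin" GSSAPIAuthentication yes
        comment_out "$dropin" GSSAPICleanupCredentials no
    fi
}
```

On the server, call apply_aa_ssh_settings as root with /etc/ssh/sshd_config and /etc/ssh/sshd_config.d/50-redhat.conf, then run sshd -t to validate the result before restarting the service. Keep an existing session open until a new login through the authentication chain succeeds.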
Advanced Authentication secures SSH by providing multi-factor authentication only for the methods that do not require Advanced Authentication Device Service.
NOTE: You can use the Authentication Agent to use methods such as fingerprint and card to secure SSH. For more information, see Enabling the Authentication Agent Chain.
IMPORTANT: Advanced Authentication does not support multi-factor authentication to a Terminal or SSH for domain users when the Linux machine is used in non-domain mode.