Wednesday, March 12, 2025

Multi-Factor Authentication for Red Hat Enterprise Linux (RHEL) 9

Microsoft does not provide a native version of the Microsoft Authenticator application for Red Hat Enterprise Linux (RHEL) 9 or any other Linux distribution. However, you can implement multi-factor authentication (MFA) on your RHEL 9 system using alternative methods that are compatible with standard authenticator apps, including Microsoft Authenticator.

Option 1: Using the Google Authenticator PAM Module

The Google Authenticator Pluggable Authentication Module (PAM) allows you to set up time-based one-time password (TOTP) authentication on your Linux system. These TOTP codes can be generated by various authenticator apps, including Microsoft Authenticator. Here's how to set it up:

Install the Google Authenticator PAM Module:

First, ensure that the Extra Packages for Enterprise Linux (EPEL) repository is enabled:
```
bash
sudo dnf install epel-release
```
Then, install the google-authenticator package:
```
bash
sudo dnf install google-authenticator
```
Configure the Google Authenticator for Your User Account:

Run the following command to set up Google Authenticator for your user account:
```
bash
google-authenticator
```
You'll be prompted with a series of questions. It's generally safe to answer 'yes' (y) to each prompt. This process will generate a QR code and a secret key.
Set Up the Authenticator App:

Open the Microsoft Authenticator app on your smartphone, select the option to add a new account, and choose the "Other" account type. Scan the QR code displayed during the google-authenticator setup or manually enter the secret key.
Configure SSH to Require MFA:

To enforce MFA for SSH logins, you'll need to modify the PAM and SSH configurations:
- Edit the PAM Configuration for SSH:
  
  Open the SSH PAM configuration file:
```
bash
sudo nano /etc/pam.d/sshd
```
  Add the following line at the end of the file:
```
swift
auth required pam_google_authenticator.so nullok
```
  The nullok option allows users who haven't set up MFA to log in without it. Remove this option to enforce MFA for all users.
- Modify the SSH Daemon Configuration:
  
  Edit the SSH daemon configuration file:
```
bash
sudo nano /etc/ssh/sshd_config
```
  Ensure the following settings are configured:
```
nginx
ChallengeResponseAuthentication yes
AuthenticationMethods publickey,keyboard-interactive
```
  These settings enable challenge-response authentication and require both public key and MFA for login.
- Restart the SSH Service:
  
  Apply the changes by restarting the SSH service:
```
bash
sudo systemctl restart sshd
```

For a detailed guide on setting up MFA using the Google Authenticator PAM module, refer to Red Hat's official documentation.

Red Hat

Option 2: Using the Authenticator Application via Snap

An alternative is to install the "Authenticator" application, which is available as a Snap package and can manage TOTP tokens. Here's how to install it:

Enable Snap Support on RHEL 9:

Ensure that the EPEL repository is enabled:
```
bash
sudo dnf install epel-release
```
Install Snapd:
```
bash
sudo dnf install snapd
```
Enable and start the Snapd service:
```
bash
sudo systemctl enable --now snapd.socket
```
Create a symbolic link to enable classic Snap support:
```
bash
sudo ln -s /var/lib/snapd/snap /snap
```
Restart your system or log out and back in to ensure the Snap paths are updated.
Install the Authenticator Application:

Install the Authenticator app using Snap:
```
bash
sudo snap install authenticator --edge
```

This application can generate TOTP codes compatible with services that support standard authenticator apps.

Snapcraft

Note: The availability and compatibility of these methods may vary depending on your organization's security policies and the specific services you're accessing. Always ensure that any changes to authentication mechanisms comply with your organization's security guidelines.

Monday, February 24, 2025

How To Automount NFS Share in Linux Using Autofs

In this tutorial, we will show you how to Automount NFS share in Linux using Autofs.

Network File System (NFS) is a robust way to share directories across systems, enabling seamless access to files. However, manually mounting NFS shares can be tedious, especially when managing multiple systems. This is where autofs, a dynamic automounting tool, shines. Autofs automatically mounts NFS shares when accessed and unmounts them when idle, saving system resources.

Prerequisites

A working NFS server with shared directories.
A Linux client machine (tested on Debian 12, RHEL 9).
Sudo or root access on the client machine.

Autofs service reads two files Master map file ( /etc/auto.master ) and a map file like /etc/auto.misc or /etc/auto.xxxx.

In ‘/etc/auto.master’ file we have three different fields :

/<Mount-Point>     <Map-file>     <Timeout-Value>

In map file (/etc/auto.misc or /etc/auto.xxxx) also we have three different fields:

<Mount-Point>    <Mount-Options>        <Location_of_File System>

In this tutorial, we will demonstrate how to mount an NFS share using autofs. The NFS share /var/nfs_share is exported from an Ubuntu 24.04 NFS server with the IP address 192.168.1.11. We will mount this NFS share on both RHEL 9 and Debian 12 or Ubuntu 24.04 Linux systems using autofs.

Mount nfs share using Autofs in RHEL 9

1) Install autofs package

Install the autofs package using below yum command if it is not installed.

$ sudo rpm -q autofs
package autofs is not installed
$ sudo dnf install autofs

2) Edit the Master map file (/etc/auto.master )

Add the following line .

$ sudo vi /etc/auto.master
/dbstuff  /etc/auto.nfsdb  --timeout=180

Note : Mount point ‘/dbstuff’‘ must exist on your system. If not then create a directory ‘mkdir /dbstuff‘. NFS Share will automatically umount after 180 seconds or 3 minutes if don’t perform any action on the share.

3) Create a map file ‘/etc/auto.nfsdb’

Create a map file and add the following line.

$ sudo vi /etc/auto.nfsdb
db_backup -fstype=nfs,rw,soft,intr 192.168.1.11:/var/nfs_share

Save and exit the file.

Where :

db_backup is a mount point.
-fstype=nfs is the file system type & ‘rw,soft,intr’ are mount options.
‘192.168.1.11:/var/nfs_share’ is nfs share location.

4) Start the auotfs service

$ sudo systemctl restart autofs.service
$ sudo systemctl enable autofs.service

5) Try to access the mount point

Mount point of nfs share will be ‘/dbstuff/db_backup‘. When we try access the mount point then autofs service will mount nfs share automatically as shown below:

Mount NFS share using autofs in Debian 12 / Ubuntu 24.04

1) Install the autofs package using apt command

$ sudo apt update && sudo apt install autofs -y

2) Edit the Master Map file ‘/etc/auto.master’

Add the following line in the master map file.

$ sudo vi /etc/auto.master
/dbstuff   /etc/auto.nfsdb   --timeout=180

Save & exit the file.

Create the mount point.

$ sudo mkdir /dbstuff

3) Create a map file ‘/etc/auto.nfsdb’

Add the following line in the map file.

$ sudo vi /etc/auto.nfsdb
db_backup   -fstype=nfs4,rw,soft,intr   192.168.1.11:/var/nfs_share

4) Start the autofs service

$ sudo systemctl restart autofs && sudo systemctl enable autofs

5) Try to access the mount point

Perfect, above confirms that NFS share has been mount automatically via autofs.

That’s all from tutorial, I hope you have found it useful and informative, feel free to post your queries and feedback in below comments section.

Friday, January 31, 2025

How to Install and Log In to Windows 11 Without a Microsoft Account

By default, you must log in with a Microsoft account in order to install Windows 11 and go through the box (OOBE) setup process that triggers either as part of installation or the first time you turn on a new Windows PC. It seems like Microsoft really wants you to log in to Windows 11 using its account system, both so it can track you and so you can get benefits such as synchronizing your wallpaper and preferences across different computers.

However, there are many reasons why you would want to install Windows 11 using a local account only. Maybe you want to install Windows 11 with a local (non-Microsoft) account because you are installing the OS on a child's PC or on a PC that you plan to sell, give to a friend or donate to a charity (without giving other people access to personal data). Or perhaps you just like your privacy and don't want to create an account with Microsoft in the first place.

Whatever your reason for doing so, it's easy to install or set up Windows 11 without using a Microsoft account. Below, we'll show you two methods: the first involves issuing some commands during the install / OOBE process. The second, which only works for a clean install, requires you to create a modified USB install disk using a free tool called Rufus. We've tested these methods on the latest major Windows 11 version, 24H2, and they work.

How to Install Windows 11 Without a Microsoft Account

There's a simple trick for setting up Windows 11 with a local account that involves issuing a command to keep the OOBE from requiring Internet and then cutting off Internet at just the right time in the setup process. This works the same way whether you are doing a clean install of Windows 11 or following the OOBE process on a store-bought computer

1. Follow the Windows 11 install process until you get to the "choose a country" screen.

Now's the time to cut off the Internet. However, before you do, you need to issue a command that prevents Windows 11 from forcing you to have an Internet connection.

2. Hit Shift + F10. A command prompt appears.

3. Type OOBE\BYPASSNRO to disable the Internet connection requirement.

The computer will reboot and return you to this screen.

4. Hit Shift + F10 again and this time Type ipconfig /release. Then hit Enter to disable the Internet. This effectively disconnects your computer from the Internet. If you're on Ethernet, you could just disconnect the plug, but this is just as easy if not easier.