Microsoft does not provide a native version of the Microsoft Authenticator application for Red Hat Enterprise Linux (RHEL) 9 or any other Linux distribution. However, you can implement multi-factor authentication (MFA) on your RHEL 9 system using alternative methods that are compatible with standard authenticator apps, including Microsoft Authenticator.
Option 1: Using the Google Authenticator PAM Module
The Google Authenticator Pluggable Authentication Module (PAM) allows you to set up time-based one-time password (TOTP) authentication on your Linux system. These TOTP codes can be generated by various authenticator apps, including Microsoft Authenticator. Here's how to set it up:
- Install the Google Authenticator PAM Module:
  First, ensure that the Extra Packages for Enterprise Linux (EPEL) repository is enabled:
  ```bash
  sudo dnf install epel-release
  ```
  Then, install the `google-authenticator` package:
  ```bash
  sudo dnf install google-authenticator
  ```
- Configure the Google Authenticator for Your User Account:
  Run the following command to set up Google Authenticator for your user account:
  ```bash
  google-authenticator
  ```
  You'll be prompted with a series of questions. It's generally safe to answer 'yes' (y) to each prompt. This process will generate a QR code and a secret key.
- Set Up the Authenticator App:
  Open the Microsoft Authenticator app on your smartphone, select the option to add a new account, and choose the "Other" account type. Scan the QR code displayed during the `google-authenticator` setup or manually enter the secret key.
- Configure SSH to Require MFA:
  To enforce MFA for SSH logins, you'll need to modify the PAM and SSH configurations:
  - Edit the PAM Configuration for SSH:
    Open the SSH PAM configuration file:
    ```bash
    sudo nano /etc/pam.d/sshd
    ```
    Add the following line at the end of the file:
    ```
    auth required pam_google_authenticator.so nullok
    ```
    The `nullok` option allows users who haven't set up MFA to log in without it. Remove this option to enforce MFA for all users.
  - Modify the SSH Daemon Configuration:
    Edit the SSH daemon configuration file:
    ```bash
    sudo nano /etc/ssh/sshd_config
    ```
    Ensure the following settings are configured:
    ```
    ChallengeResponseAuthentication yes
    AuthenticationMethods publickey,keyboard-interactive
    ```
    These settings enable challenge-response authentication and require both public key and MFA for login.
  - Restart the SSH Service:
    Apply the changes by restarting the SSH service:
    ```bash
    sudo systemctl restart sshd
    ```
For a detailed guide on setting up MFA using the Google Authenticator PAM module, refer to Red Hat's official documentation.
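The check below is an added example, not part of the original guide or of Red Hat's documentation: it reports whether `/etc/pam.d/sshd` enforces the TOTP module or leaves it optional through `nullok`, and whether the effective `sshd -T` configuration requires both the public key and the keyboard-interactive step. The function names and the `--live` switch are assumptions of this example, as is the lowercase `kbdinteractiveauthentication` key under which current OpenSSH reports `ChallengeResponseAuthentication`.

```bash
#!/usr/bin/env bash
# Added example: audit the SSH MFA settings from the steps above.

# Print how pam_google_authenticator.so is wired into a PAM service file:
#   enforced | optional | missing
pam_mfa_state() {
    # First active (non-comment) auth line that names the module.
    mfa_line=$(grep -E '^[[:space:]]*auth[[:space:]].*pam_google_authenticator\.so' "$1" | head -n 1 || true)
    if [ -z "$mfa_line" ]; then
        echo missing
    elif printf '%s\n' "$mfa_line" | grep -qw nullok; then
        echo optional    # nullok: users without a secret skip the code
    else
        echo enforced
    fi
}

# Read `sshd -T` output on stdin. Succeed only if keyboard-interactive is on
# and every AuthenticationMethods list needs publickey AND keyboard-interactive.
# Assumption: ChallengeResponseAuthentication is reported under the key
# kbdinteractiveauthentication, as current OpenSSH does.
sshd_mfa_ok() {
    awk '
        $1 == "kbdinteractiveauthentication" { kbd = ($2 == "yes") }
        $1 == "authenticationmethods" {
            am = (NF >= 2)
            for (i = 2; i <= NF; i++)
                if ($i !~ /(^|,)publickey(,|$)/ ||
                    $i !~ /(^|,)keyboard-interactive(:pam)?(,|$)/) am = 0
        }
        END { exit !(kbd && am) }
    '
}

# Live check; run as root so `sshd -T` can load the host keys.
audit_host() {
    echo "PAM /etc/pam.d/sshd: $(pam_mfa_state /etc/pam.d/sshd)"
    if sshd -T 2>/dev/null | sshd_mfa_ok; then
        echo "sshd: publickey and keyboard-interactive both required"
    else
        echo "sshd: effective config does not require both factors"
    fi
}

if [ "${1:-}" = "--live" ]; then audit_host; fi
```

Run it as root with `--live` after restarting sshd. Because `sshd -T` prints the effective configuration, settings from included drop-in files are taken into account.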
Option 2: Using the Authenticator Application via Snap
An alternative is to install the "Authenticator" application, which is available as a Snap package and can manage TOTP tokens. Here's how to install it:
- Enable Snap Support on RHEL 9:
  Ensure that the EPEL repository is enabled:
  ```bash
  sudo dnf install epel-release
  ```
  Install Snapd:
  ```bash
  sudo dnf install snapd
  ```
  Enable and start the Snapd service:
  ```bash
  sudo systemctl enable --now snapd.socket
  ```
  Create a symbolic link to enable classic Snap support:
  ```bash
  sudo ln -s /var/lib/snapd/snap /snap
  ```
  Restart your system or log out and back in to ensure the Snap paths are updated.
- Install the Authenticator Application:
  Install the Authenticator app using Snap:
  ```bash
  sudo snap install authenticator --edge
  ```
  This application can generate TOTP codes compatible with services that support standard authenticator apps.
Note: The availability and compatibility of these methods may vary depending on your organization's security policies and the specific services you're accessing. Always ensure that any changes to authentication mechanisms comply with your organization's security guidelines.