Linux Two Factor Authentication


Linux two-factor authentication is supported via TRASA PAM (Pluggable Authentication Modules).

TrasaPAM is a PAM module that handles second-factor authentication on *nix systems.



You may need root privileges while setting up TrasaPAM.

Keep a separate SSH connection open with root privileges until the whole process finishes, so that you can always troubleshoot in case the configuration goes wrong.

  1. Download TrasaPAM

  2. Unzip the files: # unzip -d destination_folder


Inside the extracted directory, open the config file (# vi trasapam.toml) and configure it with the following data:

trasaServerURL = "<address of trasa server>"
serviceID = "<serviceID(copy from service profile)>"
serviceKey = "<serviceKey(copy from service profile)>"
offlineUsers = "<users to allow in case PAM module cannot contact TRASA server>"
insecureSkipVerify = <boolean value; false by default. Set to true if the TRASA server is using a self-signed TLS certificate.>

  1. Copy the config file trasapam.toml to /etc/trasa/config/trasapam.toml

  2. Copy file to /lib/security/ for Debian or /lib64/security/ in case of CentOS.

Configure SSH

Open the /etc/ssh/sshd_config file and make sure UsePAM yes and ChallengeResponseAuthentication yes are set.

Make trasaPAM PAM aware

  • Open /etc/pam.d/sshd
  • Add auth required for Debian, or auth required /lib64/security/ in the case of CentOS, at the end of the file.
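
A pre-restart check of the files edited above, as an added example that is not part of TRASA's documentation or tooling. The function names, the finding messages and the readable-by-all check on trasapam.toml are assumptions of this example; the PAM module file name is passed as an argument because this page does not give it.

```shell
#!/bin/sh
# Added example, not TRASA tooling. Usage (all four arguments required):
#   sh check.sh SSHD_CONFIG PAM_SSHD_FILE TRASAPAM_TOML MODULE_FILE_NAME

# first_value FILE KEYWORD...: value of the first uncommented line whose
# keyword matches; sshd keeps the first value it reads and ignores keyword
# case. Match blocks and Include files are not followed (simplification).
first_value() {
    f=$1; shift
    awk -v keys="$*" '
        BEGIN { n = split(tolower(keys), k, " ") }
        $1 ~ /^#/ { next }
        { sub(/=/, " ")
          for (i = 1; i <= n; i++)
              if (tolower($1) == k[i]) { print tolower($2); exit } }
    ' "$f"
}

# finding TEXT: report one problem and count it.
finding() { echo "FINDING: $*"; bad=$((bad + 1)); }

# Prints one line per finding and returns the number of findings.
check_trasa_2fa() {
    sshd=$1; pam=$2; toml=$3; module=$4; bad=0
    [ "$(first_value "$sshd" UsePAM)" = yes ] ||
        finding "sshd_config: UsePAM is not yes"
    # Newer OpenSSH names the second option KbdInteractiveAuthentication.
    [ "$(first_value "$sshd" ChallengeResponseAuthentication \
        KbdInteractiveAuthentication)" = yes ] ||
        finding "sshd_config: ChallengeResponseAuthentication is not yes"
    # The module must sit on an active "auth required" line.
    awk -v m="$module" '
        $1 == "auth" && $2 == "required" && index($3, m) { ok = 1 }
        END { exit !ok }' "$pam" ||
        finding "pam.d/sshd: no active auth required line for $module"
    # true turns off TLS certificate validation towards the TRASA server.
    if grep -Eiq '^[[:space:]]*insecureSkipVerify[[:space:]]*=[[:space:]]*true' "$toml"; then
        finding "trasapam.toml: insecureSkipVerify is true"
    fi
    # Assumption of this example: the file holds serviceKey, so flag it
    # when users other than owner and group can read it.
    if [ -n "$(find "$toml" -perm -004 2>/dev/null)" ]; then
        finding "trasapam.toml: readable by all users"
    fi
    return "$bad"
}

if [ "$#" -eq 4 ]; then check_trasa_2fa "$@"; fi
```

Run it from the separate root session while that session is still open; a non-zero exit status is the number of findings to resolve before sshd is restarted.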


Restart sshd to reload the PAM module: $ sudo systemctl restart sshd


$ ssh root@test-machine
$ password:
$ Enter your trasaID:
$ Choose TFA method (enter blank for U2F):