What to do when 2FA won't allow you into your Linux servers

3 years ago 325

If two-factor authentication logins on your Linux servers are giving you fits, Jack Wallen has the solution for you.

Recently, I had an incident where a two-factor authentication-enabled Linux server wouldn't allow me in via SSH. Fortunately, I had physical access to the server, so it wasn't a complete disaster. Had I not been able to log into the machine on site, I would have had to count on someone on-premise to take care of the situation. In some cases, that would not do.

SEE: 5 Linux server distributions you should be using (TechRepublic Premium)

It didn't take me long to figure out what the problem was, and it's an issue that is probably more rampant than you think. Once I solved the issue, everything was good to go, and I was able to log back in, via SSH.

The problem, you see, is all about time. Or, in the case of this server, the wrong time. 2FA codes are time-sensitive, so they rely on the server and the app you're using to generate the codes being in sync with regards to time. If either server or device displays the wrong time, chances are pretty good 2FA will not allow you access. More often than not, the issue lies on the server side.

To that end, what do you do? It's quite simple. Let me show you.

What you'll need: The only thing you need to make this fix is a user with sudo privileges. That's it, let's correct that server's time.

How to set the time zone on a Linux server

This is where the most common problem lies. Unless you set the timezone properly during the installation of the operating system, it's likely to be incorrect. How do you fix it? Open a terminal on your Linux server and issue the command:

timedatectl

The output of the above command will not only list the machine's configured time zone, but the local time, universal time, RTC time, if the system clock is synchronized, and if the NTP service is active.

The first thing we need to do is correct the time zone (if it is incorrect). To do that, you must know how the system displays timezones. For that, issue the command:

timedatectl list-timezones

Search through the output to find your time zone. It will be listed as:

Country/State/City

If a state only has a single timezone, it will be listed as:

Country/State

Once you know your full time zone, you can set it with the command:

sudo timedatectl set-timezone TIMEZONE

Where TIMEZONE is your full timezone.

How to set the time on a Linux server

Your best bet with setting the time is using NTP, as this will automatically keep your time in sync. How you do this will depend on the distribution you use for your servers. For RHEL-based servers (such as AlmaLinux and Rocky Linux), you install chrony with the command:

sudo dnf install chrony -y

For an Ubuntu-based server, you install ntp with the command:

sudo apt-get install ntp -y

Enable chrony with the commands:

sudo systemctl start chronyd sudo systemctl enable chronyd

Enable ntp with the commands:

sudo systemctl start ntp sudo systemctl enable ntp

Give the system a minute or so to sync, and your time should be correct (check it with the date command). You should now be able to log into those servers with 2FA.

Hopefully, this solved your SSH/2FA login issues. It should, as probably 90% of 2FA login issues are centered around out-of-sync clocks on the server end. And although your clock might have been correct when you first setup 2FA, if you're not using an automatic time-sync daemon and your time zone was incorrect, that server will suffer from time drift, and eventually 2FA will not allow you in.