Last updated on August 13, 2025
Overview of MFA for SSH on Linux
Supported Systems
Supported Authentication Methods
Network Diagram
Known Limitations
Before You Start
Create an Application in the Rublon Admin Console
Install Rublon Authenticator
Installing Rublon MFA for Linux SSH
sudo dpkg -i <package_name>
sudo yum install <package_name>
sudo zypper install <package_name>
Note
Updating the Configuration File
/etc/rublon.config
Per-Service Overrides
Since version 2.3.2, the connector can read module arguments (Rublon options) defined directly in PAM service files (for example, /etc/pam.d/sshd, /etc/pam.d/sudo, /etc/pam.d/su).
When present, arguments defined in these files override the corresponding settings from /etc/rublon.config for that specific PAM service only.
This overriding ability lets you keep a global baseline in /etc/rublon.config and apply stricter or different behavior per service (e.g., stronger security on sshd, different UX for sudo).
Example – force non-interactive mode only for SSH:
In /etc/pam.d/sshd, append the Rublon options you want for SSH after the mention of the pam_rublon.so module:
auth sufficient pam_rublon.so nonInteractiveMode=true
SSH logins will use nonInteractiveMode=true, while other services (e.g., sudo, su) will continue to use the value from /etc/rublon.config unless you also override them in their own PAM files. This follows standard Linux-PAM semantics: each file under /etc/pam.d/ is a per-service policy where you can pass module-specific arguments.
Modifying the SUDO Service Configuration
Debian and Ubuntu
@include common-auth
#@include common-auth
auth required pam_env.so
auth requisite pam_unix.so
auth sufficient pam_rublon.so
auth required pam_deny.so
Note: Starting from version 2.3.2 of the connector, arguments supplied to pam_rublon.so in this file take precedence over the same options in /etc/rublon.config for this service only. Simply append the arguments to be overridden after line auth sufficient pam_rublon.so. More information: Per-Service Overrides.
CentOS and RHEL
auth include system-auth
#auth include system-auth
auth required pam_env.so
auth requisite pam_unix.so
auth sufficient pam_rublon.so
auth required pam_deny.so
Note: Starting from version 2.3.2 of the connector, arguments supplied to pam_rublon.so in this file take precedence over the same options in /etc/rublon.config for this service only. Simply append the arguments to be overridden after line auth sufficient pam_rublon.so. More information: Per-Service Overrides.
Modifying the SU Service Configuration
Debian and Ubuntu
@include common-auth
#@include common-auth
auth required pam_env.so
auth requisite pam_unix.so
auth sufficient pam_rublon.so
auth required pam_deny.so
Note: Starting from version 2.3.2 of the connector, arguments supplied to pam_rublon.so in this file take precedence over the same options in /etc/rublon.config for this service only. Simply append the arguments to be overridden after line auth sufficient pam_rublon.so. More information: Per-Service Overrides.
CentOS and RHEL
auth substack system-auth
#auth substack system-auth
auth required pam_env.so
auth requisite pam_unix.so
auth sufficient pam_rublon.so
auth required pam_deny.so
Note: Starting from version 2.3.2 of the connector, arguments supplied to pam_rublon.so in this file take precedence over the same options in /etc/rublon.config for this service only. Simply append the arguments to be overridden after line auth sufficient pam_rublon.so. More information: Per-Service Overrides.
Enable Rublon MFA for SSH Key Authentication (Optional)
sudo sh /usr/share/rublon/inst_pubkey.sh
sudo sh /usr/share/rublon/inst_pubkey_rhel_8.sh
sudo sh /usr/share/rublon/inst_pubkey_rhel_9.sh
Auto Push – Use Case
SCP command example

Updating Rublon MFA for Linux SSH
Uninstalling Rublon MFA for Linux SSH
sudo apt purge rublon-ssh-pam
sudo yum remove rublon-ssh
sudo zypper remove rublon-ssh
Note
Troubleshooting
Uninstallation and Post-Uninstallation Issues
auth required pam_rublon.so
account required pam_rublon.so
Known Issue with Uninstalling version 2.1.X on RHEL 9

SSH Key Authentication Troubleshooting
UsePAM yes
LoginGraceTime 15m
ChallengeResponseAuthentication yes
AuthenticationMethods publickey,keyboard-interactive
MaxAuthTries 3
PubkeyAuthentication yes
PasswordAuthentication no
auth requisite pam_rublon.so
account required pam_rublon.so
#@include common-auth
auth required pam_rublon.so
#auth substack password-auth
service sshd status
systemctl status sshd
General Issues
ChallengeResponseAuthentication yes
UsePAM yes
PasswordAuthentication yes
Tip