Rublon

Secure Remote Access

By

Last updated on March 27, 2026

Overview of MFA for SSH on Linux

Rublon MFA for SSH (Linux) integrates with Linux Desktop and Server distributions like Debian and Ubuntu to add Multi-Factor Authentication (MFA) to every remote or local SSH login using a PAM module.

Supported Systems

  • Debian (11, 12)
  • Ubuntu (18.04, 20.04, 22.04, 24.04)
  • Red Hat / CentOS / Alma / Rocky (8, 9) / Oracle Linux (8, 9)
  • openSUSE Leap / SUSE Linux Enterprise Server 15 SP3*

* Rublon for SSH is not compatible with SUSE Linux Enterprise Server 11 and 12 due to their outdated versions of GCC. If this is a requirement for you, contact Rublon Support.

Minimum Hardware Requirements:

  • 1 CPU core
  • 10 MB free disk space
  • 10 MB RAM

Note: The connector itself uses only a small amount of CPU and typically consumes tens of kilobytes of memory during operation. The figures above include additional runtime overhead required by the application, shared libraries, and system environment.

Supported Authentication Methods

Authentication Method Supported Comments
Mobile Push N/A
FIDO N/A
Passcode N/A
SMS Passcode N/A
SMS Link N/A
Phone Call N/A
QR Code N/A
Email Link N/A
YubiKey OTP N/A
RFID N/A

Demo Video

YouTube player

Network Diagram

  1. Initiate the SSH connection.
  2. Perform the first factor of authentication using your primary authentication source.
  3. The Rublon for Linux SSH connector establishes a connection to the Rublon API over TCP port 443.
  4. Perform the second factor of authentication using Rublon MFA.
  5. The Rublon for Linux SSH connector receives the authentication result.
  6. Access to the SSH session is granted.

Known Limitations

  • If a user has enrolled multiple Phones, only the MFA methods available for the Phone that was selected as default are displayed in the SSH connector. There is no option to switch to another Phone.
  • After enrolling a Phone Number for SMS authentication or enrolling the Rublon Authenticator app, the system prioritizes one of these authenticators over the other. In certain circumstances, the authentication methods associated with the former authenticator may become unavailable in the SSH interface.

Before You Start

Create an Application in the Rublon Admin Console

1. Sign up for the Rublon Admin Console. Here’s how.

2. In the Rublon Admin Console, go to the Applications tab and click Add Application

3. Enter a name for your application (e.g., Linux SSH) and then set the type to Linux SSH.

4. Click Save to add the new application in the Rublon Admin Console.

5. Copy and save the values of the System Token and Secret Key. You are going to need these values later.

Install Rublon Authenticator

Some end-users will install the Rublon Authenticator mobile app. So, as a person configuring MFA for Linux SSH, we highly recommend you install the Rublon Authenticator mobile app, too. Thanks to that, you will be able to test MFA for Linux SSH via Mobile Push.

Download the Rublon Authenticator for:

Installing Rublon MFA for Linux SSH

1. Download the package for your Linux distribution.

2. Install the package.

Ubuntu & Debian:

For Ubuntu (20.04, 22.04, 24.04) and Debian (11, 12), use:

sudo dpkg -i <package_name>

RHEL, AlmaLinux, Rocky Linux, Oracle Linux & CentOS:

Use the following installation command:

sudo yum install <package_name>

openSUSE Leap / SUSE Linux Enterprise Server 15 SP3:

sudo zypper install <package_name>

Note

You can use the rpm -i <package_name> command instead, but keep in mind that this command performs a check to determine if the policycoreutils-python-utils package is already installed. If the package is not installed, the installation of the module will not end successfully and you will have to install it manually using the sudo yum install -y policycoreutils-python-utils command before trying rpm -i again.

In contrast, if you use yum install, a check will be performed and in case the policycoreutils-python-utils package is not found, it will be automatically installed along with Rublon for Linux. For that reason, we recommend you use the yum install command to install Rublon MFA for Linux on RHEL and CentOS distributions.

3. Edit the rublon.config file using the nano /etc/rublon.config command and then:

  • Paste the values of the System Token and Secret Key from the application with the type Linux SSH added in the Applications tab of the Rublon Admin Console that you have copied before.
  • Adjust other options according to your preferences or leave the default values. Refer to Updating the Configuration File for more information about each option.

4. Manually adjust the SUDO service configuration and SU service configuration.

5. Optionally enable Rublon MFA for SSH Key Authentication or enable Rublon MFA for Active Directory.

Updating the Configuration File

The Rublon for Linux SSH connector uses the rublon.config configuration file, which contains the necessary and optional options for Rublon MFA for Linux SSH authentication.

The configuration file is located in the following location:

/etc/rublon.config
OptionDescription
systemTokenThe System Token of the application with the type Linux SSH added in the Applications tab of the Rublon Admin Console
secretKeyThe Secret Key of the application with the type Linux SSH added in the Applications tab of the Rublon Admin Console
rublonApiServerThe URL of the Rublon API.

Default: http://core.rublon.net
failModeEither “bypass” or “deny”. This option allows you to set what should happen in case of configuration errors or when the Rublon API is unreachable.

Default: “bypass”
promptThis option allows you to define the maximum number of authentication prompts displayed before access is denied. You can set this value to 1, 2, or 3. For the Default Authentication Method, such as Auto Push, it is recommended to set this option to 1 for optimal security.

Default: 1
loggingWhen set to “true”, this option allows the saving of event logs from the pam_rublon module to a file located under /var/log/rublon-ssh.log.

Default: “true”
autopushPromptIf the Default Authentication Method is set to Mobile Push and the autopushPrompt option is set to true, then every time your users choose the Mobile Push authentication method when logging in, they will be informed a push notification has been sent to their phone.

Default: “false”
nonInteractiveModeWhen set to “true”, the connector operates in a completely non-interactive mode. Instead of prompting the user to select an authentication method, it automatically chooses the first supported method by sequentially attempting methods in the following order: Push, Email, SMS Link, and Phone Call.

Default: “false”
proxyEnabledWhen set to “true”, enables proxy. When enabled, one of the following conditions must be met:

1. proxyType and proxyHost (plus optional proxyPort) are provided, or

2. Standard environment variables (e.g., HTTP_PROXY) are already set on the host OS.

If both are present, the explicit settings in this file override the environment variables.

Default: “false”
proxyTypeThe protocol or scheme that the proxy speaks.

Supported values:

HTTP – plain HTTP tunnel

Required if proxyEnabled is set to “true” and the client is not relying on environment variables.
proxyHostHostname or IP address of the proxy server.

Required when proxyEnabled is set to “true” and the client is not relying on environment variables.
proxyPortTCP port on which the proxy listens.

If omitted, the connector falls back to common defaults (HTTP = 8080).
proxyAuthRequiredWhen set to “true”, the proxy expects credentialed (Basic) authentication.

If enabled, both proxyUsername and proxyPassword must be provided.

Default: “false”
proxyUsernameUsername used for proxy authentication.

Required only when proxyAuthRequired is set to “true”.
proxyPasswordThe password of the proxy server user.

Required only when proxyAuthRequired is set to “true”.

Per-Service Overrides

Since version 2.3.2, the connector can read module arguments (Rublon options) defined directly in PAM service files (for example, /etc/pam.d/sshd, /etc/pam.d/sudo, /etc/pam.d/su).

When present, arguments defined in these files override the corresponding settings from /etc/rublon.config for that specific PAM service only.

This overriding ability lets you keep a global baseline in /etc/rublon.config and apply stricter or different behavior per service (e.g., stronger security on sshd, different UX for sudo).

Example – force non-interactive mode only for SSH:

In /etc/pam.d/sshd, append the Rublon options you want for SSH after the mention of the pam_rublon.so module:

auth  sufficient  pam_rublon.so  nonInteractiveMode=true

SSH logins will use nonInteractiveMode=true, while other services (e.g., sudo, su) will continue to use the value from /etc/rublon.config unless you also override them in their own PAM files. This follows standard Linux-PAM semantics: each file under /etc/pam.d/ is a per-service policy where you can pass module-specific arguments.

Modifying the SUDO Service Configuration

To use the Rublon PAM module, various configuration files related to the sudo service have to be modified.

We recommend you leave at least one root shell session active and open while making any changes to your PAM configuration to prevent accidentally locking yourself out.

Debian and Ubuntu

Edit the /etc/pam.d/sudo file. Change entry:

@include common-auth

To:

#@include common-auth
auth required pam_env.so
auth requisite pam_unix.so
auth sufficient pam_rublon.so
auth required pam_deny.so

Note: Starting from version 2.3.2 of the connector, arguments supplied to pam_rublon.so in this file take precedence over the same options in /etc/rublon.config for this service only. Simply append the arguments to be overridden after line auth sufficient pam_rublon.so. More information: Per-Service Overrides.

CentOS and RHEL

Edit the /etc/pam.d/sudo file. Change entry:

auth include system-auth

To:

#auth include system-auth
auth required pam_env.so
auth requisite pam_unix.so
auth sufficient pam_rublon.so
auth required pam_deny.so

Note: Starting from version 2.3.2 of the connector, arguments supplied to pam_rublon.so in this file take precedence over the same options in /etc/rublon.config for this service only. Simply append the arguments to be overridden after line auth sufficient pam_rublon.so. More information: Per-Service Overrides.

Modifying the SU Service Configuration

To use the Rublon PAM module, various configuration files related to the su service have to be modified.

We recommend you leave at least one root shell session active and open while making any changes to your PAM configuration to prevent accidentally locking yourself out.

Debian and Ubuntu

Edit the /etc/pam.d/su file. Change entry:

@include common-auth

To:

#@include common-auth
auth required pam_env.so
auth requisite pam_unix.so
auth sufficient pam_rublon.so
auth required pam_deny.so

Note: Starting from version 2.3.2 of the connector, arguments supplied to pam_rublon.so in this file take precedence over the same options in /etc/rublon.config for this service only. Simply append the arguments to be overridden after line auth sufficient pam_rublon.so. More information: Per-Service Overrides.

CentOS and RHEL

Edit the /etc/pam.d/su file. Change entry:

auth substack system-auth

To:

#auth substack system-auth
auth required pam_env.so
auth requisite pam_unix.so
auth sufficient pam_rublon.so
auth required pam_deny.so

Note: Starting from version 2.3.2 of the connector, arguments supplied to pam_rublon.so in this file take precedence over the same options in /etc/rublon.config for this service only. Simply append the arguments to be overridden after line auth sufficient pam_rublon.so. More information: Per-Service Overrides.

Enable Rublon MFA for SSH Key Authentication (Optional)

Enabling SSH key authentication enhances the security of your system by enforcing key-based authentication with Rublon MFA, and disabling the less secure password-based login.

If you do not use SSH key authentication (i.e. skip this section altogether), the Rublon MFA for Linux SSH connector works in the following way:

  • Logging in with a key does not challenge for Rublon MFA.
  • Logging in with a password does challenge for Rublon MFA.

If you use SSH key authentication (i.e. complete all steps from this section), the Rublon MFA for Linux SSH connector works in the following way:

  • Logging in with a key does challenge for Rublon MFA.
  • Logging in with a password is not possible.

We recommend you leave at least one root shell session active and open while making changes to your PAM configuration to prevent accidentally locking yourself out. Additionally, always make sure your PAM configuration works locally before testing it with SSH logins.

To enable MFA when using SSH key-based authentication, you need to configure PAM accordingly. Run one of the following scripts (as root or with sudo), depending on your Linux distribution:

Ubuntu/Debian:

sudo sh /usr/share/rublon/inst_pubkey.sh

RHEL, AlmaLinux, Rocky Linux, Oracle Linux 8 & CentOS 8:

sudo sh /usr/share/rublon/inst_pubkey_rhel_8.sh

RHEL, AlmaLinux, Rocky Linux, Oracle Linux 9 & CentOS 9:

sudo sh /usr/share/rublon/inst_pubkey_rhel_9.sh

These scripts will update your system’s PAM configuration to ensure that Rublon MFA is applied during SSH key authentication.

If you are experiencing issues with your key authentication, refer to SSH Key Authentication Troubleshooting.

Enable Rublon MFA for Active Directory (Optional)

Rublon MFA for Linux SSH is compatible with systems that authenticate users through Active Directory. This includes systems that use modules such as:

  • SSSD (pam_sss.so)
  • Winbind (pam_winbind.so)
  • Other LDAP or identity provider modules

Rublon MFA does not modify or configure your AD integration. The process of joining the Linux host to the domain and enabling AD authentication is entirely managed by your environment and tools (e.g., realm join, SSSD configuration, or Winbind/Samba configuration)

PAM evaluates authentication modules in the order in which they appear. To ensure the standard MFA behavior, where the password challenge comes first, the module responsible for AD authentication must be placed before “auth sufficient pam_rublon.so” in the PAM auth stack.

This means:

  • If your system uses SSSD, ensure that pam_sss.so appears before auth sufficient pam_rublon.so.
  • If your system uses Winbind, ensure that pam_winbind.so appears before auth sufficient pam_rublon_mfa.so.

This ensures that:

  • The system verifies the user’s identity (via AD) first.
  • Rublon MFA is triggered only after successful primary authentication.
  • No additional changes to your AD, SSSD, Winbind, or LDAP configuration are required.

We recommend you leave at least one root shell session active and open while making changes to your PAM configuration to prevent accidentally locking yourself out. Additionally, always make sure your PAM configuration works locally before testing it with SSH logins.

Auto Push – Use Case

When Auto Push is enabled (The Default Authentication Method policy is set to Mobile Push), Rublon will automatically send a Mobile Push to the user’s Rublon Authenticator mobile app. This option is required for using terminal commands such as scp or tools like FileZilla (sftp).

SCP command example

In this scenario, after entering the password, the user accepts the push notification received in the Rublon Authenticator mobile app. The entire process does not display additional messages that appear during standard MFA login via Rublon SSH.

Updating Rublon MFA for Linux SSH

We recommend you leave at least one root shell session active and open while making any changes to your PAM configuration to prevent accidentally locking yourself out.

If you wish to update the Rublon SSH PAM module: 

1. Uninstall Rublon MFA for Linux SSH.

2. Install Rublon MFA for Linux SSH.

Uninstalling Rublon MFA for Linux SSH

1. Remove the PAM file.

For Debian and Ubuntu, use:

sudo apt purge rublon-ssh-pam

For CentOS, AlmaLinux, Rocky Linux, Oracle Linux, and RHEL, use:

sudo yum remove rublon-ssh

For SUSE distributions, use:

sudo zypper remove rublon-ssh

Note

If the package is not found under this name, use the following command to locate the correct name:

yum list | grep rublon

Then, remove the discovered package with:

yum remove <found-package-name>

Troubleshooting

Uninstallation and Post-Uninstallation Issues

If you are experiencing issues when trying to uninstall or after uninstalling the connector, remove or comment out the following lines in /etc/pam.d/sshd (the last two lines in the file):

auth required pam_rublon.so
account required pam_rublon.so

Known Issue with Uninstalling version 2.1.X on RHEL 9

When uninstalling Rublon for Linux SSH version 2.1.X on RHEL 9, the process does not remove the Rublon-specific entries from the /etc/pam.d/sshd file. You must manually remove these lines following the guidance in the Uninstallation and Post-Uninstallation Issues section.

SSH Key Authentication Troubleshooting

If you are experiencing issues with Rublon MFA for SSH key authentication, verify all the steps below. These configurations are necessary for proper integration. If any setting is missing or incorrectly configured, Rublon MFA for SSH key authentication may not function as intended.

1. Check the Rublon SSH configuration file:

  • RHEL 8: /etc/ssh/01-rublon-ssh.conf
  • RHEL 9, Ubuntu, Debian (and others): /etc/ssh/sshd_config.d/01-rublon-ssh.conf

Ensure the file contains the following lines:

UsePAM yes
LoginGraceTime 15m
ChallengeResponseAuthentication yes
AuthenticationMethods publickey,keyboard-interactive
MaxAuthTries 3
PubkeyAuthentication yes
PasswordAuthentication no

2. Check PAM Configuration (/etc/pam.d/sshd):

Debian / Ubuntu:

At the end of the file, ensure these lines are present:

auth  requisite pam_rublon.so
account required pam_rublon.so

Make sure the following line is commented out (prepend # if it’s not already):

#@include common-auth

RHEL / CentOS:

At the end of the file, ensure this line is present:

auth required pam_rublon.so

Comment out (prepend #) the following existing entry if present:

#auth substack password-auth

3. Verify the SSH Service Status:

RHEL / CentOS:

service sshd status

Ubuntu / Debian:

systemctl status sshd

General Issues

If you are experiencing issues, make sure the following settings are set in the 01-rublon-ssh.conf file:

ChallengeResponseAuthentication yes
UsePAM yes
PasswordAuthentication yes

On Ubuntu, Debian, and RHEL 9, the 01-rublon-ssh.conf file is located in /etc/ssh/sshd_config.d/. On RHEL 8, the file is located in /etc/ssh/, so make sure that include /etc/ssh/01-rublon-ssh.conf was added to /etc/ssh/sshd_config.

Tip

The sshd -T command is a useful tool when troubleshooting SSH server issues. When you run this command as the root user (you can become root using the sudo command), it will display the current configuration of your SSH server.

This can be very helpful because it allows you to see all the settings that are currently in effect for your SSH server. If there is a problem with your SSH server, this command can help you identify if a particular setting is causing the issue. For example, you might find that a setting is different from what you expected, which could be the cause of the problem.

Also, note that parameters are lowercase. Take it into consideration when using commands with pattern matching like grep.

If you encounter any issues with your Rublon integration, please contact Rublon Support. Make sure to send us a detailed description of the issue you have experienced, along with screenshots and the /var/log/rublon-ssh.log file.

Related Posts

Rublon MFA for SSH (Linux) – Release Notes

Rublon MFA for SSH (Linux) – Download

Rublon MFA for Veritas NetBackup – Documentation