Enforcing SSH-MFA Two-Factor Authentication

How-to enforce Multifactor Authentication when someone uses SSH to access a server or container protected by ZeroLock®.

    Ensuring usage of SSH-MFA two-factor authentication, requires a multi-step process simplified by the ZeroLock® Management Console (ZMC).

    Create and Add a New Rule

    1. In the ZeroLock Management Console (ZMC) go to the Control Policies | Rules page then click Actions | Add New Rule
      Policy Rules Add Rule Numbered 2.0.1

    2. On the Add New Rule screen, complete the items using the table below.  When done click CREATE.

      Rule Name  

      Authenticate all SSH connections


      This rule will force SSH MFA for all assigned Endpoints

      Rule Type


      IP Address

      Leave as default


      Leave as default


      Leave as default



    Create a New Control Policy 

    1. As shown below, go to the Control Policies | Policies page and click Add New Policy. 
      Policies_Add New Policy 2.0.1

    2. Using the table, complete the required entries.   


      Force SSH Authentication


      This policy will force SSH authentication to all assigned endpoints.

      Add Rules

      Clicking the Add Rules button brings up the Policy Rules screen.

    3. Scroll down until you locate the newly created rule, Authenticate all SSH connections, and click the checkbox to select it. 
      Authenticate All SSH Connections 2.0.1

    4. Next, click the Add Selected button which returns you to New Policy screen and select CREATE.
      Add new Rule 119 2.0.1 Add Selected

    Create a New Endpoint Configuration Profile

    1. Go to the System Configuration | Config Profiles page and click Add New Profile.
      New Endpoint Config Profile 2.0.1

    2. Using the table, complete the required entries. 


      Force SSH MFA and default settings


      This configuration restricts authentication while using all other defaults.

      Default Control Policy

      Force SSH Authentication

    3. Click the CREATE button.
      Froce SSH New Config Profile 2.0.1


    Assign the Configuration Profile to an Endpoint

    1. Select Endpoints from the menu then the endpoint(s) to which you want to assign the new configuration policy. Click on the Actions drop-down and select Set Endpoint Config(s).
      Assign Config Profile to Endpoint 2.0.1

    2. Select the new configuration: Force SSH MFA and default settings and click Set Configs.

    3. From the Endpoints screen you should be able to see the assigned Profile.
      Profile Assigned 2.0.1

    Test the SSH MFA Authentication Configuration

    Attempt to SSH to the assigned endpoint and verify that the two-factor authentication is working.