Creating an SSH-MFA Rule

Enforce Multifactor Authentication when accessing servers or containers protected by ZeroLock®.

    SSH-MFA (Secure Shell Multi-Factor Authentication) allows for restricting SSH access on your ZeroLock protected Linux system and the ability to require two-factor authentication for user connections.

    1. From the ZeroLock® Management Console select Control Policies | Rules.
      Rules Main Screen

    2. Selecting Add New Rule from the drop-down menu opens the following screen.
      Numbered New Policy Rule

    3. The chart below guides you through filling in the necessary information for a new policy rule.


      Enter the name that describes the Rule you are creating. 

      Naming will be helpful as you add Rules to the policy.


      Enter a helpful description.

      Rule Type


      IP Address 

      Adding an IP Address to the rule will check the source IP address that is logging in to a protected system. The IP address may be a single IPV4 or IPV6 address or it may also be an IPV4 or IPV6 CIDR range.

      If you want the source IP address to be ignored for this rule, just put 'ANY' in the field.

      Note:  This is an optional field.


      You may specify that the rule triggers if the user is logging in to the system as a specific Linux user. For example, by specifying the user as 'root' in this field, this rule will trigger when someone attempts to log in as the 'root' user.

      Note:  This is an optional field.


      You can specify a time range and the days for which a rule is effective. The rule will be effective for all days if no days are selected.


      You may optionally specify the start and end date of a rule.


      You must specify the action taken if this rule is triggered. 

      The options are AllowAuthenticate, or Reject.

      • Allow allows the ssh session to continue as normal.
      • Authenticate causes the ssh session to be subject to MFA.
      • Reject terminates the session immediately.
    4. The new SSH-MFA rule rejects any connection attempts on the weekends.

      Reject Create 2.0.1
    5. On selecting Create your new rule is in effect.
      Rule 127 2.0.1

    Congratulations! You have just created a new SSH-MFA rule.