Activate MFA (Multi-Factor-Authentication) for SSH and OpenVPN

What is Multi-Factor-Authentication

MFA is a simple best practice that adds an extra layer of protection on top of your existing OpenSSH key. See

With MFA enabled, when a user connects to bastion-host, they will be validated by their key pair (the first factor - what they know) as well as for an authentication response from their MFA device (the second factor - what they have). Taken together, these multiple factors provide increased security for your environment.


General process

Currently MFA is disabled by default.

When MFA is enabled by root360, MFA is enforced for all users incl. root360 customer service staff and project users. Exceptions are not supported. You need to cross-check with your CI/CD integration to ensure your processes are not disrupted.

Following steps are required to enable full MFA support environment access:

  1. check and accept preconditions

  2. request activation of MFA

  3. activate MFA

Preconditions for MFA

  • BatchMode must be disabled in your SSH client (see

  • MFA token has to be (re-)generate on each provisioning of bastion host instance (e.g. rebuilt of the host)

Request activation of MFA

Request activation of MFA for a dedicated environment via change request at

Activate MFA

As soon as MFA is enforced, SSH login will not work anymore. You may see following message

1 2 3 MFA required, please check our documentation   [projectuser]@[bastionhostIP]: Permission denied (keyboard-interactive).

To activate MFA you have to login to the bastion-host of your environment to port 222 and follow the instructions:

1 $ ssh -p 222 [projectuser]@[bastionhostIP]

You may scan QR code or use verification secret and add it to you virtual device MFA.

Supported Methods

At the moment we support virtual device MFA with TOTP. You may use compatible apps like "Google Authenticator" or "Authy" to manage your virtual MFA.

Related tutorials

Related Components