Skip to main content

Arculix MFA plugin for Linux

Multi-Factor Authentication (MFA) is an extra layer of security used when logging into websites or apps. Individuals are authenticated through more than one required security and validation procedure that only they know or have access to.

You can add MFA to Linux through the Arculix MFA plugin. It's easy to deploy, customizable, and secure.


  • Configured Arculix instance and user account with administrative privileges for Arculix.

  • Supported Linux operating system:

    • CentOS / Red Hat Enterprise Linux (RHEL) 7.0+

    • Fedora 34+

    • Debian 10+

    • Ubuntu 20.4+

Add Linux application in Arculix

Add an application in Arculix for Linux.

  1. Log in to Arculix with an administrative account and go to Applications.

  2. Click Create New Application.

    Create new application
  3. In the New Application form, on the General tab, set the following configurations:


    Set the name of the application. This is the name to display for push notifications, in the Admin panel, Application portal, and audit logs.

    For example, Linux-SSH.


    Set to SSH Plugin [ssh].

    Out of Band Methods 

    Select the allowed methods end users can choose to approve MFA requests.

    For example, Arculix Mobile app (push notifications), SMS, or Security Key.

    Message for MFA Requests 

    Optional. Type a message displayed to end users when sending an MFA request via push notification, SMS, or email.

  4. Save your changes.

  5. Open the Linux application again and go to the Advanced tab.

  6. Copy the UID and Secret.

    You will need these values during the configuration section of the Arculix MFA plugin for Linux.


    Treat your UID and Secret code like any sensitive credential. Do not share this with unauthorized individuals or send it in an email.

Install Arculix MFA plugin for Linux

  1. From the Arculix Download Center, download the Arculix MFA plugin for Linux.

    Be sure to download the plugin specific to your Linux operating system.

  2. Upload the plugin files to your Linux machine.

  3. Install the package files specific to your Linux operating system.

Linux configuration

This section provides instructions on how to enable the Arculix MFA plugin on your Linux machine for ssh, su, sudo, and console authentications.

  1. Run the Arculix configurator using the following command:

    sudo pam_arculix_configure
  2. Type 1 to insert the UID and Secret you obtained earlier when creating the Linux application in Arculix.

  3. Re-run the Arculix configurator using the following command:

    sudo pam_arculix_configure
  4. Type the number of a service to which you want enable Arculix MFA. Repeat this for each service that you want to enable.


    Type 2 to enable Arculix MFA for SSH


    Type 3 to enable Arculix MFA for su


    Type 4 to enable Arculix MFA for sudo


    Type 5 to enable Arculix MFA for login


    Type 6 to enable Arculix MFA for gdm-password


    The configurator does not automatically restart the SSH service to prevent any unwanted disconnections. You will need to apply the changes and restart the service in the next step.

  5. Once you've made the changes, apply them to the SSH service using the following command:

    sudo systemctl restart sshd

Test your setup

  1. Connect to your Linux machine via the console or SSH, or try to use su or sudo commands on your Linux box.

  2. After successful authentication, it prompts you to select your preferred Arculix MFA method.

  3. Approve the authentication request in Arculix Mobile.

  4. You are now authenticated in Linux.