Integrations · Linux & infrastructure

MFA at the command line.

SSH is the front door to your infrastructure, and admin accounts are the first target. Mideye adds a second factor to SSH, sudo, and console logins through standard PAM and RADIUS, with nothing installed beyond the PAM module.

  • Standard PAM + RADIUS
  • SSH, sudo, console
  • Air-gapped option

Integration patterns

Three ways to wire it up.

All three use the same standard components: the PAM RADIUS module on the host, and the Mideye Server as the RADIUS authentication server.

Direct per host

  • PAM RADIUS module points at the Mideye Server
  • Protects SSH, sudo, and console via PAM
  • Simplest setup for a handful of hosts
Linux PAM guide

Central FreeRADIUS proxy

  • Hosts authenticate against one proxy
  • Proxy forwards to the Mideye Server
  • Scales to large fleets with one integration point

Network infrastructure

  • Switches, routers, and appliance admin logins
  • Anything with a RADIUS authentication option
  • Same Mideye Server, same user directory
RADIUS reference

Privileged access

Built for admin accounts.

Regulators are looking at your SSH logins.

NIS2 expects strong authentication on remote and privileged access, and SSH to production servers is both. Mideye covers it with individually approved logins, and Assisted Login adds four-eyes approval where a single admin should not act alone. See the compliance mapping for the full picture.

FAQ

Frequently asked questions.

How do I add MFA to SSH logins?

Configure the PAM RADIUS module on the host and point it at the Mideye Server. SSH password logins then require a second factor: a Mideye+ push, an SMS one-time code, or a hardware-token OTP. The same PAM stack covers sudo and console logins if you want them protected too.

Does Linux MFA work with SSH keys?

PAM-based MFA applies to PAM-backed authentication such as passwords and keyboard-interactive logins. Pure public-key logins bypass PAM authentication by default; sshd can be configured to require both the key and a PAM-based second factor for a belt-and-braces setup.

Can I protect many Linux hosts without configuring each one?

Yes. A common pattern is a central FreeRADIUS proxy: hosts point their PAM RADIUS module at the proxy, and the proxy forwards authentication to the Mideye Server. One integration point, any number of hosts.

Protect your infrastructure logins.

From a single bastion host to a full fleet behind a FreeRADIUS proxy, we will map the setup with your team.