Sudo Two-Factor Authentication¶

Two factor authentication for Sudo access gives you an awesome security enhancement so that a hacker still will not be able to use sudo, i.e. admin privileges, even if they have discovered your password.

This can be done using PAM (Pluggable Authentication Modules).

Install libpam-google-authenticator.

sudo apt update
sudo apt install libpam-google-authenticator

Set up Google Authenticator

google-authenticator

yes to time based tokens.
Scan the QR code with your prefered authenticator app.
Save the emergency backup codes in a secure place.

Edit the PAM configuration for sudo.

sudo nano /etc/pam.d/sudo

Add the following line at the top (before any other auth lines)

auth required pam_google_authenticator.so

Test the setup

sudo ls

Note, if you want 2FA with cockpit. Do the same thing to that file:

sudo nano /etc/pam.d/cockpit

Add the following line at the top (before any other auth lines)

auth required pam_google_authenticator.so

Sudo Two-Factor Authentication¶

Comments