Using MFA for Sudo Only

Passwords are weak; we know this, and so key-based authentication is usually used for SSH instead. But once you are logged in over SSH, typing a password to elevate to root looks like a weak point exactly where you want to be strongest. The steps below replace the sudo password with a TOTP code checked by the Google Authenticator PAM module (package names and paths are for Debian/Ubuntu).

$ sudo apt-get install libpam-google-authenticator
$ google-authenticator

Run google-authenticator as the user who will be running sudo, not via sudo: it writes the secret to that user's ~/.google_authenticator, and that is the file the module reads when that user authenticates to sudo. It prints a QR code and the base32 secret to enrol in the phone app, plus a handful of emergency scratch codes.

It will then ask a number of questions. Answer yes to the first one (time-based tokens) so the app and the module use TOTP. The rest cover writing the file, disallowing reuse of a code, widening the accepted time window, and rate limiting; the defaults are fine for sudo.
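Before touching PAM it is worth checking that the secret in ~/.google_authenticator really does produce the code your phone shows. The script below is an added example, not code from this post or from the google-authenticator project: it implements HOTP/TOTP as the app and module use them (RFC 4226 / RFC 6238, HMAC-SHA1, 6 digits, 30-second steps) with only sh, cut, sed and openssl, and reads the base32 secret from the first line of the file. The file path, the --now flag and the use of GNU base32/od for decoding are my assumptions.

```shell
#!/bin/sh
# Added example, not code from the post or from google-authenticator-libpam:
# HOTP/TOTP as used by the Google Authenticator app and PAM module
# (RFC 4226 / RFC 6238: HMAC-SHA1, 6 digits, 30-second time step).
# Needs only sh, printf, cut, sed and openssl; the secret-file helper at the
# end additionally assumes GNU coreutils (base32, od).

# Write the bytes of a hex string to stdout (pure sh; no xxd needed).
hex2bin() {
    h=$1
    while [ -n "$h" ]; do
        pair=${h%"${h#??}"}                 # first two hex digits
        h=${h#??}
        printf "\\$(printf '%03o' "$(( 0x$pair ))")"
    done
}

# HMAC-SHA1(key, counter) as lowercase hex; counter is an 8-byte big-endian int.
#   hmac_sha1_counter <hex-key> <counter>
hmac_sha1_counter() {
    hex2bin "$(printf '%016x' "$2")" \
        | openssl dgst -sha1 -mac HMAC -macopt "hexkey:$1" \
        | sed 's/^.*= //'
}

# RFC 4226 HOTP: dynamic truncation of the HMAC to a 6-digit code.
#   hotp <hex-key> <counter>
hotp() {
    mac=$(hmac_sha1_counter "$1" "$2")
    offset=$(( 0x${mac#"${mac%?}"} ))       # low 4 bits of the last byte
    start=$(( offset * 2 + 1 ))             # cut is 1-indexed
    word=$(printf '%s' "$mac" | cut -c "$start-$(( start + 7 ))")
    printf '%06d\n' "$(( (0x$word & 0x7fffffff) % 1000000 ))"
}

# RFC 6238 TOTP: the counter is the Unix time in 30-second steps.
#   totp_at <hex-key> <unix-seconds>
totp_at() {
    hotp "$1" "$(( $2 / 30 ))"
}

# The first line of ~/.google_authenticator is the base32 secret, stored
# without padding. Pad it to a multiple of 8 characters, decode it, and print
# the code valid right now; it must match what the phone app shows.
# Assumes GNU base32 and od.
#   totp_from_secret_file [path]
totp_from_secret_file() {
    file=${1:-"$HOME/.google_authenticator"}
    secret=$(head -n 1 "$file" | tr -d '\r')
    while [ $(( ${#secret} % 8 )) -ne 0 ]; do secret="$secret="; done
    hexkey=$(printf '%s' "$secret" | base32 -d | od -An -tx1 | tr -d ' \n')
    totp_at "$hexkey" "$(date +%s)"
}

# Usage: sh totp.sh --now [secret-file]
case ${1:-} in
    --now) totp_from_secret_file "${2:-}" ;;
esac
```

Run it as the enrolled user with `sh totp.sh --now` and compare with the app; if the two disagree by one step, the clock on the box is off, which is exactly the failure you would otherwise discover when sudo stops working. hotp and totp_at are kept separate so the RFC 4226/6238 test vectors can be checked with a fixed key and counter.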

To make sudo ask for the TOTP code instead of the password, edit /etc/pam.d/sudo:

$ sudo nano /etc/pam.d/sudo

Comment out the include that pulls in the password check, and only that one (the account and session includes have nothing to do with how you authenticate, so leave them alone):

#@include common-auth
@include common-account
@include common-session-noninteractive

And add these two lines where the common-auth include was:

auth       required pam_google_authenticator.so nullok
auth       required pam_permit.so

pam_google_authenticator.so prompts for "Verification code:" and checks it against the secret in the invoking user's ~/.google_authenticator. nullok lets a user who has no secret file yet through without a code, and since common-auth is gone that means with no authentication at all, so it is only a migration aid. pam_permit.so always succeeds; it changes nothing here and can be dropped.

Test before you rely on it: keep a root shell open, and from a second session run sudo -k followed by sudo -v to confirm you are asked for a code and that a wrong code is refused. Once that works you can lock the password on your account:

$ sudo passwd -l <username>

passwd -l only prefixes the hash in /etc/shadow with "!"; it does not disable the account, so key-based SSH login keeps working, which is exactly what we want here.

Think through the scenarios before you depend on this (lost or wiped phone, a box whose clock has drifted, a home directory restored from a backup without the secret file) and keep a secure copy of the emergency scratch codes google-authenticator printed, in case you lose your MFA device.

Remove nullok as soon as every user who can sudo has run google-authenticator. Until then any sudoer without a ~/.google_authenticator gets root with no authentication at all, so do not leave it in for long.
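Deciding when nullok can go means knowing who is still not enrolled. The script below is an added example, not code from this post: it lists every member of the sudo group whose ~/.google_authenticator is missing or empty, or has permissions the PAM module rejects (the file must be readable by its owner only, 0400 or 0600). The group file, home root and group name are parameters so it can be run against a staged copy; the defaults of /etc/group, /home and sudo, the --run flag, and the use of GNU stat for the mode check are my assumptions.

```shell
#!/bin/sh
# Added example, not code from the post: before removing nullok, list every
# member of the sudo group who still cannot authenticate with a code, i.e.
# whose ~/.google_authenticator is missing/empty or has permissions the PAM
# module rejects (it wants the file readable by its owner only: 0400 or 0600).
# Group file, home root and group name are parameters so the check can be
# run against a staged copy; defaults are the live /etc/group and /home.
# Assumes GNU stat for the mode check.
#   users_without_secret [group-file] [home-root] [group-name]
users_without_secret() {
    group_file=${1:-/etc/group}
    home_root=${2:-/home}
    group_name=${3:-sudo}

    # Supplementary members are the comma-separated fourth field of the group
    # line. (Users whose primary group is sudo, or who get sudo via a sudoers
    # rule rather than the group, are not found this way.)
    members=$(awk -F: -v g="$group_name" '$1 == g { print $4 }' "$group_file" | tr ',' ' ')

    for user in $members; do
        file="$home_root/$user/.google_authenticator"
        if [ ! -s "$file" ]; then
            echo "$user missing"
            continue
        fi
        mode=$(stat -c '%a' "$file")
        case $mode in
            400|600) ;;                       # accepted by pam_google_authenticator
            *)       echo "$user mode $mode" ;;
        esac
    done
}

# Usage: sh audit.sh --run [group-file] [home-root]
# Prints "<user> missing" / "<user> mode NNN" lines; no output means everyone
# in the sudo group is enrolled and nullok can be removed.
case ${1:-} in
    --run) users_without_secret "${2:-}" "${3:-}" ;;
esac
```

Run it as root (the secret files are not readable by anyone else). An empty result is the signal to drop nullok; a "mode" line means that user will be refused even though they have enrolled, which is the other way this setup bites you.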
