Using MFA for Sudo Only

  • Post by Mike Dixson
  • Nov 17, 2020

Passwords are weak; we know this, and so methods such as key-based authentication are often used for connections like SSH. However, once SSH'd in to the system, using a password to elevate to root is a weak point exactly where you want to be more secure.

# sudo apt-get install libpam-google-authenticator
# sudo google-authenticator

This will then prompt you with a number of questions. Answer yes to the first one to enable time-based (TOTP) codes.
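To show what the pam_google_authenticator module actually checks once TOTP is enabled, here is an added Python example (not code from the original post or from the google-authenticator project). It computes RFC 6238 TOTP codes with HMAC-SHA1, 30-second steps and 6 digits, verifies a code with a small skew window, and treats the emergency scratch codes as single-use. The sample ~/.google_authenticator contents are constructed, in the layout I assume the tool writes (base32 secret first, option lines beginning with a double quote, then one scratch code per line); the secret is the RFC 6238 test key, not a real user's.

```python
import base64
import hashlib
import hmac
import struct
import time

# Constructed sample of a ~/.google_authenticator file (assumed layout: base32
# secret on the first line, option lines starting with a double quote, then
# one emergency scratch code per line). The secret is the RFC 6238 test key
# "12345678901234567890" in base32; it is not anyone's real secret.
SAMPLE_SECRET_FILE = """\
GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ
" RATE_LIMIT 3 30
" WINDOW_SIZE 3
" DISALLOW_REUSE
" TOTP_AUTH
11111111
22222222
"""


def parse_secret_file(text):
    """Split the file into the base32 secret, option lines and scratch codes."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    secret = lines[0]
    options = [ln[1:].strip() for ln in lines[1:] if ln.startswith('"')]
    scratch = [ln for ln in lines[1:] if ln.isdigit()]
    return secret, options, scratch


def totp(secret_b32, at_time, step=30, digits=6):
    """RFC 6238 TOTP with HMAC-SHA1, the variant google-authenticator uses."""
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)
    key = base64.b32decode(padded)
    counter = int(at_time) // step
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                       # dynamic truncation (RFC 4226)
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def verify_code(secret_b32, candidate, at_time, window=1, step=30):
    """Accept the code for the current step or up to `window` steps either
    side (clock skew), comparing in constant time."""
    for delta in range(-window, window + 1):
        expected = totp(secret_b32, at_time + delta * step, step)
        if hmac.compare_digest(expected, candidate):
            return True
    return False


def redeem_scratch(scratch_codes, candidate):
    """Scratch codes are single use: return (matched, remaining codes)."""
    if candidate in scratch_codes:
        return True, [c for c in scratch_codes if c != candidate]
    return False, scratch_codes


if __name__ == "__main__":
    secret, options, scratch = parse_secret_file(SAMPLE_SECRET_FILE)
    print("current code:", totp(secret, time.time()))
    print("options:", options)
    ok, remaining = redeem_scratch(scratch, "22222222")
    print("scratch accepted:", ok, "remaining:", remaining)
```

The window argument is why the module's WINDOW_SIZE option matters: every extra step accepted widens the set of valid codes at any instant, so keep it small and fix clock drift with NTP instead.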

To require an MFA code when authenticating to sudo, edit /etc/pam.d/sudo: comment out the @include lines and add the two auth lines shown below.

# nano /etc/pam.d/sudo
Comment out these lines:
#@include common-auth
#@include common-account
#@include common-session-noninteractive

And add these:
auth       required pam_google_authenticator.so nullok
auth       required pam_permit.so

Once set up and tested, you can lock the password on your account with passwd -l followed by the username:

# passwd -l <username>

Make sure you think through the possible scenarios for using this technology, and securely keep a copy of your backup keys in case you lose your MFA device.

You can remove nullok once every user has been set up with a secret key via google-authenticator.
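While nullok is present, a user with no ~/.google_authenticator is not challenged at all (pam_google_authenticator skips them and pam_permit.so then succeeds), so it is worth checking enrolment before dropping it. The following is an added Python example, not code from the original post, that audits a copy of the sudo PAM stack for the module and the nullok flag and lists users under a home directory who have no secret file. The PAM file contents and the demo home directory are constructed here; point the functions at /etc/pam.d/sudo and /home on a real host.

```python
import os
import tempfile

# Constructed sample of /etc/pam.d/sudo after the edit described above
# (an illustration, not a copy of any real system's file).
SAMPLE_PAM_SUDO = """\
#%PAM-1.0
session    required   pam_env.so readenv=1 user_readenv=0
#@include common-auth
#@include common-account
#@include common-session-noninteractive
auth       required pam_google_authenticator.so nullok
auth       required pam_permit.so
"""


def audit_pam_sudo(text):
    """Summarise the active auth lines: is the TOTP module there, is nullok still set?"""
    findings = {"google_auth": False, "nullok": False, "auth_lines": []}
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):   # skip blanks and comments
            continue
        fields = stripped.split()
        if fields[0] != "auth":
            continue
        findings["auth_lines"].append(stripped)
        if "pam_google_authenticator.so" in fields:
            findings["google_auth"] = True
            findings["nullok"] = "nullok" in fields
    return findings


def unenrolled_users(home_root):
    """Directories under home_root that have no .google_authenticator file."""
    missing = []
    for user in sorted(os.listdir(home_root)):
        secret_path = os.path.join(home_root, user, ".google_authenticator")
        if os.path.isdir(os.path.join(home_root, user)) and not os.path.isfile(secret_path):
            missing.append(user)
    return missing


def safe_to_drop_nullok(pam_text, home_root):
    """True only if the module is active and every user has a secret file."""
    return audit_pam_sudo(pam_text)["google_auth"] and not unenrolled_users(home_root)


def build_demo_home():
    """Constructed /home lookalike: alice is enrolled, bob is not."""
    root = tempfile.mkdtemp(prefix="home-")
    for user, enrolled in (("alice", True), ("bob", False)):
        os.makedirs(os.path.join(root, user))
        if enrolled:
            with open(os.path.join(root, user, ".google_authenticator"), "w") as fh:
                fh.write('GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ\n" TOTP_AUTH\n')
    return root


if __name__ == "__main__":
    home = build_demo_home()
    print(audit_pam_sudo(SAMPLE_PAM_SUDO))
    print("not enrolled:", unenrolled_users(home))
    print("safe to drop nullok:", safe_to_drop_nullok(SAMPLE_PAM_SUDO, home))
```

On a real host run it as root, since other users' home directories are normally not readable; the secret file itself is never opened, only its presence is checked.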

Image Source: Pincode login Icon by Chanut Is Industries