Using MFA for Sudo Only

  • Post by Mike Dixson
  • Nov 17, 2020

Passwords are weak; we know this, and so methods such as key-based authentication are often used for connections like SSH. However, once SSH'd in to the system, using a password to elevate to root looks like a weak point exactly where you want to be more secure.

$ sudo apt-get install libpam-google-authenticator
$ google-authenticator

Run google-authenticator as the user who will be running sudo, not under sudo: it writes the secret to that user's ~/.google_authenticator, and the PAM module checks the file belonging to the user being authenticated, which for sudo is the invoking user. Run it through sudo and the file either lands in root's home or ends up owned by root, and either way the module will not accept it for your account.

This will then prompt you with a number of questions. Answer yes to the first one (time-based tokens) to use TOTP rather than counter-based codes. It then prints the secret, a QR code to scan into your authenticator app and a set of one-time emergency scratch codes, and asks whether to update your ~/.google_authenticator file; answer yes. Copy the scratch codes somewhere safe now.

To make sudo ask for a code, edit /etc/pam.d/sudo, comment out the three @include lines and put the pam_google_authenticator lines in their place.

# nano /etc/pam.d/sudo
Comment out these lines:
#@include common-auth
#@include common-account
#@include common-session-noninteractive

And add these:
auth       required   pam_google_authenticator.so nullok
auth       required

The second auth line needs a module name. With pam_google_authenticator as the only auth module, a user that nullok skips leaves the stack with no successful result and PAM refuses, so that second line is commonly pam_permit.so. A line with no module name does not load at all, and a stack that fails to load makes every sudo attempt fail, so keep a root shell open in another terminal until you have confirmed sudo still works. Note also that dropping common-account and common-session-noninteractive removes the account checks (expired or locked accounts) and session setup that sudo normally runs; if the aim is only to replace the password prompt, commenting out common-auth alone is the smaller change.

Once it is set up and tested, you can lock the password on your account:

# passwd -l <username>

Give the user name explicitly: run as root with no argument, passwd -l locks root's password instead. Locking prefixes the stored hash with "!", so the password stops working everywhere pam_unix is consulted (console login, SSH password authentication, su, screen lockers), not only for sudo. Do this only after key-based SSH login and the sudo code prompt have both been tested from a second session.

Make sure you think through the possible scenarios for using this technology (a lost or reset phone, a drifted clock, a locked-out session) and securely keep a copy of your emergency scratch codes in case you lose your MFA device.

You can remove nullok once all users have been set up with a secret key via google-authenticator. While nullok is present, a user without a ~/.google_authenticator file is not asked for a code, and since this stack no longer asks for a password that means no factor at all; once it is removed, such a user is refused until they enroll.
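Before removing nullok it is worth checking that every sudo-capable account actually has a usable secret file. The script below is an added example, not part of the original post; it assumes the accounts that matter are the members of the sudo group, that each secret lives at ~/.google_authenticator as written by google-authenticator, and that the file should be readable by its owner only. It builds a constructed three-user fixture so it runs without touching the real system; call audit_sudoers with no arguments as root to check /etc/passwd and /etc/group.

```shell
#!/bin/sh
# Added example, not from the original post: audit whether every member of the
# "sudo" group has enrolled a google-authenticator secret before "nullok" is
# removed from /etc/pam.d/sudo.
#
# Assumptions (not stated in the post): the accounts that matter are the
# members of the "sudo" group, the secret is $HOME/.google_authenticator as
# written by google-authenticator, and it should be readable by its owner only.

# check_enrolled HOME_DIR
# Prints "ok", "missing", "bad-mode:NNN" or "no-secret"; returns 0 only for "ok".
check_enrolled() {
    f="$1/.google_authenticator"
    if [ ! -f "$f" ]; then
        echo "missing"
        return 1
    fi
    mode=$(stat -c '%a' "$f")            # GNU/busybox stat (Debian, Ubuntu)
    if [ "$mode" != "400" ] && [ "$mode" != "600" ]; then
        echo "bad-mode:$mode"
        return 1
    fi
    # google-authenticator writes the base32 secret on the first line; the
    # following lines are option comments ('" TOTP_AUTH') and scratch codes.
    if ! head -n 1 "$f" | grep -Eq '^[A-Z2-7]{16,}$'; then
        echo "no-secret"
        return 1
    fi
    echo "ok"
    return 0
}

# audit_sudoers [PASSWD_FILE] [GROUP_FILE]
# Prints one "user status" line per sudo group member; returns 0 only if all
# are enrolled. Defaults to the real /etc/passwd and /etc/group.
audit_sudoers() {
    passwd_file="${1:-/etc/passwd}"
    group_file="${2:-/etc/group}"
    members=$(awk -F: '$1 == "sudo" { print $4 }' "$group_file" | tr ',' ' ')
    rc=0
    for u in $members; do
        home=$(awk -F: -v u="$u" '$1 == u { print $6 }' "$passwd_file")
        status=$(check_enrolled "$home") || rc=1
        printf '%-10s %s\n' "$u" "$status"
    done
    return "$rc"
}

# make_fixture
# Builds a constructed passwd/group/home tree (three users) and prints its path.
# The secret below is a made-up base32 string, not a real key.
make_fixture() {
    d=$(mktemp -d)
    mkdir -p "$d/home/alice" "$d/home/bob" "$d/home/carol"
    for u in alice bob carol; do
        printf '%s:x:1000:1000::%s/home/%s:/bin/sh\n' "$u" "$d" "$u"
    done > "$d/passwd"
    printf 'sudo:x:27:alice,bob,carol\n' > "$d/group"
    # alice: enrolled, file locked down the way google-authenticator leaves it
    printf 'JBSWY3DPEHPK3PXPJBSWY3DPEHPK3PXP\n" RATE_LIMIT 3 30\n" TOTP_AUTH\n12345678\n' \
        > "$d/home/alice/.google_authenticator"
    chmod 400 "$d/home/alice/.google_authenticator"
    # bob: never ran google-authenticator (no file at all)
    # carol: enrolled, but the file was made world-readable afterwards
    printf 'JBSWY3DPEHPK3PXPJBSWY3DPEHPK3PXP\n" TOTP_AUTH\n' \
        > "$d/home/carol/.google_authenticator"
    chmod 644 "$d/home/carol/.google_authenticator"
    echo "$d"
}

# Stand-alone run on the fixture; run "audit_sudoers" with no arguments as root
# to check the real system.
fixture=$(make_fixture)
audit_sudoers "$fixture/passwd" "$fixture/group" || echo "not safe to remove nullok yet"
rm -rf "$fixture"
```

A non-zero exit from audit_sudoers means at least one sudo-capable account would either be let through with no second factor (while nullok is present) or locked out of sudo (once it is removed), so fix those accounts before editing the PAM line.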

Image Source: Pincode login Icon by Chanut Is Industries
