Using MFA for Sudo Only

  • Post by Mike Dixson
  • Nov 17, 2020
post-thumb

Passwords are weak, we know this and so often methods such as key based authentication is used for connections like SSH. However once SSH’d in to the system using a password to elevate to root seems like a weak point just where you want to be more secure.

# sudo apt-get install libpam-google-authenticator
# sudo google-authenticator

This will then prompt you with a number of choices. The first you should answer yes to enable TOTP.

To enable MFA codes to be used for authentication for sudo add the following line to /etc/pam.d/sudo just before the @ includes.

# nano /etc/pam.d/sudo
Comment out these lines:
#@include common-auth
#@include common-account
#@include common-session-noninteractive

And add these
auth       required pam_google_authenticator.so nullok
auth       required pam_permit.so

Once set up and tested you can disable the password on your account using

# passwd -l

Make sure you think thru the possible scenarios for using this technology and securely take a copy of your backup keys incase you lose your MFA device etc.

You can remove the nullok once all users have been set up with a secret key via google-authenticator.

Image Source: Pincode login Icon by Chanut Is Industries

LATEST POST
  • Post By Mike Dixson
  • Nov 17, 2020
Using MFA for Sudo Only
  • Post By Mike Dixson
  • Jul 25, 2020
Fixed: Obelisk not working in Ableton Live
  • Post By Mike Dixson
  • Jun 15, 2020
BYOBU files being flagged by rkhunter
TAG