Sunday, 17 November 2024

MFA with Google Authenticator

Set the server up so a user can log in with either an SSH key or Google Authenticator (they won't need both).

If a user doesn't have key access set up, they'll have to use Google Authenticator; they won't be able to log in with a password.

The user still needs to type the password to log into Cockpit.

/etc/ssh/sshd_config
ChallengeResponseAuthentication yes
# Uncomment this to force google authenticator AND a public key
#AuthenticationMethods publickey,keyboard-interactive

/etc/pam.d/cockpit
# google authenticator for two-factor
auth  required  pam_google_authenticator.so secret=/home/${USER}/.ssh/.google_authenticator

/etc/pam.d/sshd
#Commented out to not allow passwords
#auth       substack     password-auth
# Use Google authenticator for login
auth       required     pam_google_authenticator.so nullok secret=/home/${USER}/.ssh/.google_authenticator

To set up a user with Google Authenticator, make sure to use the -s option so the secret file is written to the path given by secret= in the PAM lines above:
 google-authenticator -s /home/test/.ssh/.google_authenticator
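
A quick way to confirm the two SSH-side files match the setup above. This is an added example, not part of the original post; the function names check_mfa_setup and active_lines are made up for illustration, and the script only reads the files it is given.

```shell
#!/bin/sh
# Added example (not from the original post). Audits the two files edited above.
# Usage: sh check_mfa.sh /etc/ssh/sshd_config /etc/pam.d/sshd
# One finding per line; the return status is the number of FAIL findings.
# active_lines prints only the non-blank, non-comment lines of a file.
active_lines() { grep -Ev '^[[:space:]]*(#|$)' "$1"; }

check_mfa_setup() {
    sshd_config=$1; pam_sshd=$2; fails=0
    # sshd must offer keyboard-interactive so PAM can prompt for the code.
    # KbdInteractiveAuthentication is the newer name for the same option.
    if active_lines "$sshd_config" | grep -Eiq \
        '^[[:space:]]*(ChallengeResponse|KbdInteractive)Authentication[[:space:]]+yes'; then
        echo "OK   keyboard-interactive authentication enabled"
    else
        echo "FAIL keyboard-interactive authentication not enabled"
        fails=$((fails + 1))
    fi
    # Commented out (as on the page): key OR code. Uncommented: key AND code.
    if active_lines "$sshd_config" | grep -Eiq \
        '^[[:space:]]*AuthenticationMethods[[:space:]]+publickey,keyboard-interactive'; then
        echo "NOTE key AND code required (AuthenticationMethods set)"
    else
        echo "NOTE key OR code accepted (AuthenticationMethods not set)"
    fi
    # The password-auth substack has to stay commented out.
    if active_lines "$pam_sshd" | grep -Eq '^[[:space:]]*auth[[:space:]].*password-auth'; then
        echo "FAIL password-auth is active in the PAM auth stack"
        fails=$((fails + 1))
    else
        echo "OK   password-auth not in the PAM auth stack"
    fi
    # "|| true" keeps the script alive under "set -e" when grep finds nothing.
    ga=$(active_lines "$pam_sshd" |
        grep -E '^[[:space:]]*auth[[:space:]].*pam_google_authenticator\.so' || true)
    if [ -z "$ga" ]; then
        echo "FAIL pam_google_authenticator.so missing from the PAM auth stack"
        fails=$((fails + 1))
    else
        echo "OK   pam_google_authenticator.so present"
        # nullok: the module is skipped for users who have no secret file.
        case "$ga" in *nullok*) echo "NOTE nullok set: no code prompt for users without a secret file" ;; esac
    fi
    return "$fails"
}

if [ "$#" -eq 2 ]; then check_mfa_setup "$1" "$2"; fi
```

The nullok note is worth acting on: list which accounts have no secret file yet and decide whether they should be able to reach the keyboard-interactive path at all.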