Installing and configuring required packages
Installing the Google Authenticator PAM module
Start a terminal session and type:
sudo apt install libpam-google-authenticator
Configuring SSH
To make SSH use the Google Authenticator PAM module, add the following line to the /etc/pam.d/sshd file:
auth required pam_google_authenticator.so
Now you need to restart the sshd daemon using:
sudo systemctl restart sshd.service
Modify /etc/ssh/sshd_config: change ChallengeResponseAuthentication from no to yes, so this part of the file looks like this:
# Change to yes to enable challenge-response passwords (beware issues with
# some PAM modules and threads)
ChallengeResponseAuthentication yes

# Change to no to disable tunnelled clear text passwords
#PasswordAuthentication yes
Configuring authentication
In a terminal, run the google-authenticator command.
It will ask you a series of questions; here is a recommended configuration:
- Make tokens “time-based”: yes
- Update the .google_authenticator file: yes
- Disallow multiple uses: yes
- Increase the original generation time limit: no
- Enable rate-limiting: yes
2FA with Cockpit
Add the following line at the end of the file /etc/pam.d/cockpit:
auth required pam_google_authenticator.so nullok
Then restart Cockpit:
systemctl restart cockpit
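
A quick audit of the edits above, added here as an example and not part of the original guide. pam_status reports whether a PAM service file enforces the module and flags nullok, which lets accounts without a .google_authenticator file log in without a code; sshd_status reports the ChallengeResponseAuthentication value sshd will read. The function names and the sample files are constructed for this example.

```shell
#!/bin/sh
# Added example: audits copies of the files this guide edits.
GA_RE='^[[:space:]]*auth[[:space:]]+[^#]*pam_google_authenticator\.so'

# pam_status FILE -> prints "missing", "nullok" or "enforced"
pam_status() {
    line=$(grep -E "$GA_RE" "$1" | head -n 1) || true
    if [ -z "$line" ]; then
        echo missing    # no active auth line loads the module
    elif printf '%s\n' "$line" | grep -Eq '[[:space:]]nullok([[:space:]]|$)'; then
        echo nullok     # users without a .google_authenticator file skip the code
    else
        echo enforced   # every user must supply a code
    fi
}

# sshd_status FILE -> prints "yes", "no" or "unset", taken from the first
# active ChallengeResponseAuthentication line (sshd keeps the first value it
# reads). KbdInteractiveAuthentication, the newer OpenSSH name, is accepted too.
sshd_status() {
    awk 'tolower($1) ~ /^(challengeresponse|kbdinteractive)authentication$/ {
             print tolower($2); found = 1; exit }
         END { if (!found) print "unset" }' "$1"
}

# Constructed sample files that mirror the lines shown in this guide.
d=$(mktemp -d)
printf '%s\n' '@include common-auth' \
    'auth required pam_google_authenticator.so' > "$d/sshd"
printf '%s\n' 'auth required pam_google_authenticator.so nullok' > "$d/cockpit"
printf '%s\n' '#PasswordAuthentication yes' \
    'ChallengeResponseAuthentication no # CHANGE THIS TO YES' > "$d/before"
printf '%s\n' 'ChallengeResponseAuthentication yes' > "$d/after"

echo "pam.d/sshd:           $(pam_status "$d/sshd")"
echo "pam.d/cockpit:        $(pam_status "$d/cockpit")"
echo "sshd_config (before): $(sshd_status "$d/before")"
echo "sshd_config (after):  $(sshd_status "$d/after")"
rm -rf "$d"
```

To check a live system, run pam_status on /etc/pam.d/sshd and /etc/pam.d/cockpit and sshd_status on /etc/ssh/sshd_config.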