2FA via OTP codes in openSUSE Leap 15.5

Discussion in 'all things UNIX' started by reasonablePrivacy, Oct 22, 2023.

  1. reasonablePrivacy

    reasonablePrivacy Registered Member

    Hi,

    I want to show how to use 2FA via authentication codes to supplement password-based authorization. It is intended to increase the security of local account log-in. It assumes GNU/Linux uses PAM for local account security, which is the default for most distributions.
    Disclaimer: I am not responsible for any damage to your system caused by misuse of this information, so make sure you understand what you are doing. Not applying the presented information properly may cause an inability to log in. If you proceed with applying any changes, make sure to create a backup and make sure you know how to restore the OS from the backup or fix it in some other way.

    1. As a first step I created a backup of the pam.d directory:
      Code:
      tar cf - /etc/pam.d/ > /etc/pam.d.backup.tar
      If you don't know how to restore from an external OS/USB drive, then it is a good idea to create a whole OS backup.
    2. Replace symlinks with copies of files [0]
    3. Install the needed packages [1]
      Code:
      zypper install google-authenticator-libpam
      zypper install qrencode
    4. Generate a QR code and scan it with your phone using Authy or another app for OTP codes [2]
      Code:
      google-authenticator
      I generated them for both root and user accounts
    5. Add the following line to the end of the /etc/pam.d/sshd file [2]
      Code:
      auth required pam_google_authenticator.so
      You also need to edit /etc/ssh/sshd_config for the properties ChallengeResponseAuthentication and AuthenticationMethods.
    6. Add the PAM module to the end of /etc/pam.d/login [3]
      Code:
      auth required pam_google_authenticator.so
    7. Given that the KDE session uses SDDM, which does not support 2FA, you may want to apply this workaround [4] in the /etc/pam.d/sddm file
      Code:
      auth required pam_google_authenticator.so forward_pass
      just before the common-auth line. Currently I only use this for the files su and su-l.
      Instead of a separate KDE su field for the 2FA code, you should enter <password><otpcode> in the same field or at the su prompt.
    [0] https://www.suse.com/support/kb/doc/?id=000018934
    [1] https://www.suse.com/support/kb/doc/?id=000020659
    [2] https://goteleport.com/blog/ssh-2fa-tutorial/
    [3] https://wiki.archlinux.org/title/Google_Authenticator
    [4] https://github.com/sddm/sddm/issues/722
     
    Last edited: Oct 26, 2023
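The steps in the post above, gathered into one idempotent POSIX shell script. This is an added example, not code from the poster or from SUSE. Assumptions that are not in the post: the helper names, the ROOT variable (empty for the live system, a scratch directory for a dry run), and the sshd_config values set in apply_all (publickey followed by keyboard-interactive is one common choice; the post only names the two properties). The PAM module name and the forward_pass placement come from the post.

```shell
#!/bin/sh
# Added example (not the poster's code): idempotent helpers for the PAM and
# sshd_config edits described in the post. ROOT is an assumption for dry runs:
# leave it empty to edit the live system, or point it at a scratch copy.
ROOT="${ROOT:-}"

# Step 2: replace a symlink (on openSUSE the common-* files are links managed
# by pam-config) with a real copy, so later edits cannot leak into the target.
pam_desymlink() {
    file="$ROOT$1"
    if [ -L "$file" ]; then
        target=$(readlink -f "$file")
        rm "$file" && cp "$target" "$file"
    fi
}

# pam_add_line FILE LINE MODE
#   append : put LINE at the end of FILE                 (steps 5 and 6)
#   before : put LINE before the first common-auth line  (step 7; forward_pass
#            only works when this module runs before the password module)
# Re-running is safe: a LINE that is already present is never added twice.
pam_add_line() {
    file="$ROOT$1"; line="$2"; mode="$3"
    if [ ! -f "$file" ]; then echo "missing $file" >&2; return 1; fi
    if [ -L "$file" ]; then echo "$file is a symlink; run pam_desymlink first" >&2; return 1; fi
    if grep -qF -- "$line" "$file"; then return 0; fi
    case "$mode" in
        append) printf '%s\n' "$line" >> "$file" ;;
        before)
            awk -v l="$line" '!done && /common-auth/ { print l; done = 1 } { print }' \
                "$file" > "$file.tmp" && mv "$file.tmp" "$file"
            grep -qF -- "$line" "$file" || { echo "no common-auth line in $file" >&2; return 1; }
            ;;
        *) echo "unknown mode $mode" >&2; return 1 ;;
    esac
}

# sshd_set KEY VALUE: replace the first occurrence of KEY (even a commented-out
# one), drop later active duplicates, or append when absent. Keywords are
# matched case-insensitively, as sshd itself does.
sshd_set() {
    file="$ROOT/etc/ssh/sshd_config"; key="$1"; value="$2"
    if [ ! -f "$file" ]; then echo "missing $file" >&2; return 1; fi
    awk -v k="$key" -v v="$value" '
        {
            l = $0; sub(/^[ \t]*#?[ \t]*/, "", l); n = split(l, f, /[ \t]+/)
            if (n && tolower(f[1]) == tolower(k)) {
                if (!done) { print k " " v; done = 1 }
                else if ($0 ~ /^[ \t]*#/) print
                next
            }
            print
        }
        END { if (!done) print k " " v }
    ' "$file" > "$file.tmp" && mv "$file.tmp" "$file"
}

# sshd_get KEY: print the first active value of KEY (empty when unset).
sshd_get() {
    awk -v k="$1" 'tolower($1) == tolower(k) { print $2; exit }' "$ROOT/etc/ssh/sshd_config"
}

# The whole procedure, in the post's order. Run as root with ROOT unset.
apply_all() {
    tar cf "$ROOT/etc/pam.d.backup.tar" -C "$ROOT/" etc/pam.d                 # step 1
    for f in common-auth common-account common-password common-session; do
        pam_desymlink "/etc/pam.d/$f"                                           # step 2
    done
    zypper --non-interactive install google-authenticator-libpam qrencode       # step 3
    # step 4 (google-authenticator) is interactive: run it as each user, not here
    pam_add_line /etc/pam.d/sshd 'auth required pam_google_authenticator.so' append   # step 5
    sshd_set UsePAM yes
    sshd_set ChallengeResponseAuthentication yes
    sshd_set AuthenticationMethods 'publickey,keyboard-interactive'
    pam_add_line /etc/pam.d/login 'auth required pam_google_authenticator.so' append  # step 6
    for f in sddm su su-l; do                                                         # step 7
        pam_add_line "/etc/pam.d/$f" 'auth required pam_google_authenticator.so forward_pass' before
    done
    sshd -t   # refuse a broken sshd_config before any restart can lock you out
}

if [ "${1-}" = apply ]; then apply_all; fi
```

Dry-run the helpers first against a copy (`mkdir -p /tmp/scratch/etc && cp -a /etc/pam.d /etc/ssh /tmp/scratch/etc/`, then `ROOT=/tmp/scratch` and call them from an interactive shell), diff the results against /etc, and only then run `sh otp-setup.sh apply` as root. Note that with keyboard-interactive the /etc/pam.d/sshd stack still runs common-auth before the new line, so after the public key you are prompted for the password and then the verification code, which is exactly the "supplement the password" behaviour the post is after; keep a second root session open until a fresh login has succeeded.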
  2. Rules

    Rules Registered Member

    @reasonablePrivacy
    Thanks for that!!!
    Here I prefer using 2FA implemented in KeepassXC
     