Enable Two-Factor Auth for Cockpit with Google Authenticator

By | 2017/05/13

Cockpit is the awesome web interface to manage a Linux VM or server. For best security, one can setup two-factor auth with google authenticator for Cockpit. Here is a how-to for Fedora Linux 25!


Note: This guide uses Fedora Linux, though cockpit and google-authenticator are also available on many other distros!


1. Install google-authenticator
sudo dnf install google-authenticator

Debian peeps, this is the package name:

sudo apt install libpam-google-authenticator

2. Run google-authenticator to generate secret

Run google-authenticator as your regular user (not as root / no sudo !) to generate the secret key on the instance.

google-authenticator

Scan the barcode with your phone. Save the emergency codes in a secret place!

I suggest answering Y to all of the interactive security questions.

The output will look similar to:

01-googleauth


3. Update pam to enable two-factor auth for cockpit

Edit the file /etc/pam.d/cockpit

At the bottom, put the following:

# google authenticator for two-factor
auth required pam_google_authenticator.so

My /etc/pam.d/cockpit on Fedora looks like this:

#%PAM-1.0
auth       required     pam_sepermit.so
auth       substack     password-auth
auth       include      postlogin
auth       optional     pam_ssh_add.so
account    required     pam_nologin.so
account    required     pam_shells.so
account    include      password-auth
password   include      password-auth
# pam_selinux.so close should be the first session rule
session    required     pam_selinux.so close
session    required     pam_loginuid.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session    required     pam_selinux.so open env_params
session    optional     pam_keyinit.so force revoke
session    optional     pam_ssh_add.so
session    include      password-auth
session    include      postlogin
# google authenticator for two-factor
auth       required     pam_google_authenticator.so


4. Restart cockpit

sudo systemctl restart cockpit

Done! Below is quick video of two-factor auth in action: