Cockpit is the awesome web interface to manage a Linux VM or server. For best security, one can set up two-factor auth with Google Authenticator for Cockpit. Here is a how-to for Fedora Linux 25!
Note: This guide uses Fedora Linux, though Cockpit and google-authenticator are also available on many other distros!
1. Install google-authenticator
sudo dnf install google-authenticator
Debian peeps, this is the package name:
sudo apt install libpam-google-authenticator
2. Run google-authenticator to generate secret
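Run google-authenticator as your regular user (not as root, no sudo!) to generate the secret key on the instance. The secret is saved in the home directory of the user who runs the command (~/.google_authenticator), so it has to be the account you log in to Cockpit with.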
Scan the barcode with your phone. Save the emergency codes in a secret place!
I suggest answering Y to all of the interactive security questions.
3. Update PAM to enable two-factor auth for Cockpit
Edit the file /etc/pam.d/cockpit
At the bottom, put the following:
# google authenticator for two-factor
auth required pam_google_authenticator.so
My /etc/pam.d/cockpit on Fedora looks like this:
#%PAM-1.0
auth       required     pam_sepermit.so
auth       substack     password-auth
auth       include      postlogin
auth       optional     pam_ssh_add.so
account    required     pam_nologin.so
account    include      password-auth
password   include      password-auth
# pam_selinux.so close should be the first session rule
session    required     pam_selinux.so close
session    required     pam_loginuid.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session    required     pam_selinux.so open env_params
session    optional     pam_keyinit.so force revoke
session    optional     pam_ssh_add.so
session    include      password-auth
session    include      postlogin
# google authenticator for two-factor
auth required pam_google_authenticator.so
4. Restart cockpit
sudo systemctl restart cockpit
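To confirm that the rule from step 3 is actually active, the following added example (not part of the original guide) audits a PAM service file for the pam_google_authenticator.so rule. The function name check_pam_2fa and its status words are chosen here, and the sample files are constructed; it also catches the case where the comment and the rule end up on one line, which comments out the rule, and the module's nullok option, which lets users without a secret file skip the code.

```shell
#!/bin/sh
# Added example (not from the original guide): audit a PAM service file for
# the pam_google_authenticator.so rule. Prints exactly one status word:
#   ok              auth rule present, control is required or requisite
#   nullok          rule present, but users without a secret file skip the OTP
#   review-control  rule present with another control (sufficient, optional, [...])
#   missing         no active auth rule loads the module
check_pam_2fa() {
    awk '
        # Comment lines start with "#", so $1 is never "auth" for them.
        $1 == "auth" || $1 == "-auth" {
            ctl = $2; m = 3
            # A bracketed control like [success=1 default=ignore] spans fields.
            if (ctl ~ /^\[/)
                while (ctl !~ /\]$/ && m <= NF) ctl = ctl " " $(m++)
            if ($m !~ /pam_google_authenticator\.so$/) next
            found = 1
            if (ctl != "required" && ctl != "requisite") review = 1
            for (i = m + 1; i <= NF; i++) if ($i == "nullok") nullok = 1
        }
        END {
            if (!found)      print "missing"
            else if (review) print "review-control"
            else if (nullok) print "nullok"
            else             print "ok"
        }
    ' "$1"
}

# Constructed sample files, written to a temporary directory.
demo_dir=$(mktemp -d)
printf '%s\n' '#%PAM-1.0' 'auth substack password-auth' \
    '# google authenticator for two-factor' \
    'auth required pam_google_authenticator.so' > "$demo_dir/good"
# The same rule pasted on one line: the leading "#" comments out all of it.
printf '%s\n' '#%PAM-1.0' 'auth substack password-auth' \
    '# google authenticator for two-factor auth required pam_google_authenticator.so' \
    > "$demo_dir/one-line"
printf '%s\n' 'auth required pam_google_authenticator.so nullok' > "$demo_dir/nullok"

for f in good one-line nullok; do
    printf '%-9s %s\n' "$f" "$(check_pam_2fa "$demo_dir/$f")"
done
rm -rf "$demo_dir"
```

On a real system, call it as check_pam_2fa /etc/pam.d/cockpit after editing the file; anything other than ok means the second factor is not being enforced for every login.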
Done! Below is a quick video of two-factor auth in action: