Unix & Linux Stack Exchange
Q&A for users of Linux, FreeBSD and other Unix-like operating systems
Latest Questions
1
votes
1
answers
52
views
pam module for sudo bypassed by using sudo -i
I've been trying to set up 2FA with Google Authenticator on Ubuntu to protect sudo. I followed the steps at https://blog.jitendrapatro.me/configuring-two-factor-authentication-for-su-and-sudo/ and was able to see my commands 'sudo touch /test' being protected, i.e. I would be prompted for my Google Authenticator verification code. However, the article says the following, which seems to imply to me that it's pretty easy to bypass the 2FA:
> There are three downsides to this. First, 2FA needs to be enabled for the user account or there will be no prompt for entering verification code. Second, the switching to any user from root now will require to enter the verification code for that user, which is not so convenient anymore even if you’re root! Third and most important of all is you can just use “sudo -s” and get a root shell completely bypassing su! 🙂
Likewise, I was able to run sudo -i and bypass 2FA. Any way to prevent this bypassing? What am I missing?
Burvil
(43 rep)
Jul 14, 2025, 03:56 AM
• Last activity: Jul 25, 2025, 05:45 AM
0
votes
1
answers
142
views
Configuring MFA on Rocky Linux 8 with PW+OTP
Linux noob here.
Pretty much the title.
I tried referring to published articles but I couldn't find something related to my specific requirement. I cannot log in using the OTP code even though I give the correct password and the code.
Could someone help me with the sshd config file and the pam config file to make this work? Additionally, I might want to have this feature enabled for a selected set of users. (Ex: allow root login no)
Any help on this would be greatly appreciated
Thanks!
*I tried using Google Authenticator.
chamith
(1 rep)
Feb 14, 2025, 02:10 PM
• Last activity: Mar 11, 2025, 12:08 AM
0
votes
0
answers
34
views
Bypass 2FA if the SSH key type is "-sk"
I have a server with Google Authentication + PAM set up so it requires a TOTP when connecting to it through SSH. But I would like to make an exception for SSH keys that are stored in a security key, is this possible?
[This question](https://unix.stackexchange.com/questions/612443/help-with-bypassing-ssh-2-factor-authentication-when-on-same-local-network-macos) made me think that it is possible to have a separate authorized_keys for these exceptions and control this via PAM, but I don't know if it's possible to switch between them.
Caian
(101 rep)
Dec 6, 2024, 01:28 PM
• Last activity: Dec 6, 2024, 03:14 PM
0
votes
0
answers
30
views
Set Up Two-Factor Authentication on a Linux Desktop
Google Authenticator can be set up as two-factor authentication on a Linux desktop. Is there another two-factor authentication application, instead of Google Authenticator, that can work on a Linux desktop?
showkey
(499 rep)
Oct 30, 2024, 01:22 PM
1
votes
2
answers
676
views
TOTP authenticator
I have a Debian Linux desktop PC.
I wish to run a TOTP Authenticator on this platform.
I have found two possibilities in the Snap Store: Authme and SMART 2fa authenticator TOTP.
However, I have not been able to find any documentation about how to run either of these authenticators.
Can anyone help please?
operauser
(21 rep)
Aug 5, 2024, 11:14 AM
• Last activity: Aug 5, 2024, 02:21 PM
0
votes
2
answers
102
views
How to get SMS 2FA verification on PC using Linux Mint
I do not like having a mobile cellphone and having to carry it around all the time and do 2FA by SMS, but many services I use require it, as does my school. I also lost my phone and cannot afford a new one at the moment. I do have a SIM card with a mobile plan; is there any way I can get the SMS messages on my PC?
OS: Linux Mint
PC: Thinkpad X220
Carrier: Koodo
Location: Canada
Thank you
Logan Yu
(1 rep)
Feb 12, 2024, 08:20 PM
• Last activity: Feb 13, 2024, 03:41 AM
-3
votes
1
answers
444
views
Is there a way to enforce 2FA for all users on the SSH server on the Unix PAM Subsystem?
Is there a way to enforce two-factor authentication (2FA) for all users on the SSH server on the Unix PAM Subsystem?
Arunabh
(97 rep)
Feb 2, 2024, 04:29 PM
• Last activity: Feb 6, 2024, 03:46 PM
0
votes
0
answers
93
views
TOTP app for SL7 (RHEL7), preferably RPM?
We are unfortunately stuck with Scientific Linux 7 (a RHEL 7 clone) for a while longer, until we prepare our move to Ubuntu later this year. Our organisation is now also starting to require MFA for email, and we need to try to find a TOTP app suitable for our Linux users (as a fallback option additional to smartphone apps, or for users without smartphones).
**KeePassXC** does have TOTP capability, but sadly the EPEL RPMs only seem to be available for EL8 onwards. If there is a suitable older version somewhere in the KeePassXC git repo I don't know the appropriate magic to try to find it, unfortunately. As our systems are automatically configured, alternative app formats such as Flatpak, AppImage or snap unfortunately won't work. Does anyone know where a suitable older RPM or, if need be, compatible older source code could be found?
I have also looked into **oathtool**, but its manual is rather cryptic as to how you actually get it to work, and if it really needs all the configuration and additional support scripts described in nixCraft's instructions for oathtool, it would unfortunately be just far too complicated for our end users to use.
Alternatively, are there other TOTP apps that would be suitable for use with SL7/RHEL7?
dave559
(451 rep)
Jan 10, 2024, 05:54 PM
1
votes
3
answers
12144
views
How to use Microsoft Multi-Factor Authentication with Linux?
My organization will require Multi-Factor Authentication (MFA) in a few days and we use Microsoft accounts. On the internet I read there are authenticator apps for Linux. One of them is Authenticator.
I'm not up to date with Microsoft services, however, it looks like the app offers many, i.e. "Microsoft To-Do" and "Microsoft Azure". Also on Microsoft's website there are several different methods: "Authenticator app", "Phone", "Alternate phone", "Security key", "Office phone".
I tried to set up the "Authenticator app" and "Security key" authentication methods. In both cases I ended up with the following error:
(authenticator:365334): Gtk-CRITICAL **: 08:26:43.787: _gtk_css_corner_value_get_y: assertion 'corner->class == GTK_CSS_VALUE_CORNER' failed
2023-07-12T06:26:49.446034Z ERROR authenticator::widgets::accounts::add::imp: Failed to load from QR Code file: Invalid OTP uri format, expected otpauth, got phonefactor
As I understand this error message, the QR code I got can only be used with the smartphone app, and the Authenticator GNOME app is not meant to replace Microsoft's Android Authenticator app but some other Microsoft MFA service?
I don't have an Android or iOS smartphone, and I don't use Windows either. Is it possible to use this MFA service with Linux?
yomol777
(209 rep)
Jul 12, 2023, 06:36 AM
• Last activity: Jan 5, 2024, 04:27 PM
0
votes
2
answers
75
views
2 Factor Authentication for sites in Linux program
Github demands that I use 2 Factor Authentication. Github proposes to use one of these:
- https://support.1password.com/one-time-passwords/
- https://authy.com/guides/github/
- https://www.microsoft.com/en-us/security/mobile-authenticator-app
I would like to not use my phone, but a program on my Kubuntu. Basically, I would like to screenshot, instead of using my phone. Is this possible and with what program?
Make42
(739 rep)
Dec 5, 2023, 10:03 AM
• Last activity: Dec 5, 2023, 11:08 PM
0
votes
1
answers
411
views
SSH 2FA for everyone but the root user | Centos 7
I am currently trying to achieve that the root user can log in with only the password, without 2FA, when logging in from a specific host. So far my sshd_config looks like this:
#Port 22
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::
#Authentication
AllowUsers myuser
ChallengeResponseAuthentication yes
AuthenticationMethods keyboard-interactive
#PermitRootLogin no
PasswordAuthentication no
PermitEmptyPasswords no
UsePAM yes
MaxAuthTries 3
KexAlgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com
LogLevel VERBOSE
UseDNS yes
IgnoreRhosts yes
HostbasedAuthentication no
X11Forwarding no
AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
AcceptEnv LC_IDENTIFICATION LC_ALL
#Banner /etc/ssh/banner
#SFTP
#Subsystem sftp /usr/lib/ssh/sftp-server -f AUTHPRIV -l INFO
Match Address 100.100.100.100
PermitRootLogin yes
However, this didn't work; the password is being prompted over and over again. So after a bit of research, I adapted my /etc/pam.d/sshd (I made a group noauth and added the root user to it):
#%PAM-1.0
auth required pam_sepermit.so
auth substack password-auth
auth include postlogin
# Used with polkit to reauthorize users in remote sessions
-auth optional pam_reauthorize.so prepare
account required pam_nologin.so
account include password-auth
password include password-auth
# pam_selinux.so close should be the first session rule
session required pam_selinux.so close
session required pam_loginuid.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session required pam_selinux.so open env_params
session required pam_namespace.so
session optional pam_keyinit.so force revoke
session include password-auth
session include postlogin
# Used with polkit to reauthorize users in remote sessions
-session optional pam_reauthorize.so prepare
auth [success=done default=ignore] pam_succeed_if.so user ingroup noauth
auth required pam_google_authenticator.so echo_verification_code
But sadly, nothing changed; I still can't log in with the root user. I can't add nullok to the google pam module, because everyone else has to be forced to use 2FA authentication.
Help is much appreciated :)
harrytuttle
(11 rep)
Feb 18, 2021, 08:11 AM
• Last activity: Oct 26, 2023, 10:18 AM
0
votes
0
answers
1998
views
How can I separate PAM authorization for login from sudo (using Duo)?
I recently installed Duo on an Ubuntu test server using these instructions: https://duo.com/docs/duounix
While 2FA authentication for login works as expected, I was not expecting every use of sudo to also require 2FA. I only want to use 2FA (Duo + ssh key) for actually logging in, and then use sudo with a typed password as before.
From what I have read, the answer probably lies in /etc/pam.d/, but I feel pretty clueless about exactly what changes to make. My experiments with editing these files have resulted in my being locked out of using sudo.
Stonecraft
(869 rep)
Mar 9, 2021, 03:42 AM
• Last activity: Mar 16, 2023, 05:38 PM
0
votes
1
answers
126
views
Is it possible to set 2FA so that it cannot be undone in any way - password for /etc/pam.d/common-auth or total deactivation rescue mode?
I would like to be sure that, without knowing the password, no one can delete or edit the 2FA credentials etc. Can I securely password protect them, or are there other ways to achieve such a result?
I'll explain exactly how I see it. The folder with the file /etc/pam.d/common-auth gives the information that Linux is supposed to require a 2FA code. On the system every operation requires me to enter a code: root login or a sudo command.
The problem is that in rescue mode this entry can be deleted without a problem, thus disabling 2FA. That is, 2FA in principle has no meaning if I can disable it without having the 2FA code.
There is a topic similar to mine (but with U2F). But there the author has concerns that if he loses the U2F conflict he will lose access to the system. Why did no answer mention such a simple workaround as rescue mode? It is a little strange: https://askubuntu.com/questions/1167691/passwordless-login-with-yubikey-5-nfc
But there were really a lot of answers there, and everyone warns that he may lose access to the system. So I'll ask again: is it possible to set 2FA so that it cannot be undone in any way (like editing the common-auth file in rescue mode)?
Jeahos
(1 rep)
Mar 4, 2023, 01:32 PM
• Last activity: Mar 4, 2023, 11:17 PM
0
votes
0
answers
862
views
What is the best way to make LDAP based TOTP only required in some cases?
I have a 2FA setup on my network for certain kinds of authentication, but not others. The way it currently works is a combination of pam_ldap for passwords, and pam_oath for TOTP. PAM is configured in a way that it requires only pam_ldap for local login/unlock, only pam_oath for SSH (because that already requires publickey), and both for sudo and su.
The problem with this setup is that pam_oath reads from /etc/users.oath. I need to periodically regenerate this file based on LDAP contents. Even worse, it also writes to this file, which I currently just ignore.
There is a TOTP module for OpenLDAP I want to try, called [slapo-otp](https://man7.org/linux/man-pages/man5/slapo-otp.5.html). This would solve the problem of having to keep the file in sync, but I would lose the option to skip it in some cases. I don't want to use it for unlocking the screen every time; people will just turn off the screen locker, and honestly even I would do that.
Please give me some ideas.
stribika
(5564 rep)
Feb 17, 2023, 02:04 PM
1
votes
1
answers
536
views
SFTP dual authentication with batchfile
I'm trying to connect to a server where dual authentication (publickey,password) is enabled. I'm using sshpass to provide the password to automate the script, but when I have a batchfile with SFTP, the connection fails; without a batchfile the connection succeeds.
> export SSHPASS=helloworld
>
> (sshpass -e sftp -b batfile.txt -o 'PasswordAuthentication=yes' \
> -o 'PreferredAuthentications=publickey,password' -o 'StrictHostKeyChecking=no' user@hostname)
Error:
> Permission denied (password).
> Couldn't read packet: Connection reset by peer
The connection is successful without a batchfile:
> (sshpass -e sftp -o 'PasswordAuthentication=yes' \
> -o 'PreferredAuthentications=publickey,password' -o 'StrictHostKeyChecking=no' user@hostname)
I've tried providing password inside a batchfile but no luck.
Is it possible to achieve what I'm trying with sshpass along with a batchfile? If so, can someone please help me on this?
Batchfile:
echo "Hey, I'm from Inside"
!echo "Hey, I'm from Outside"
Aravind
(1679 rep)
Nov 3, 2021, 05:43 AM
• Last activity: Oct 27, 2022, 11:25 AM
1
votes
1
answers
7604
views
Is it possible to use two-factor authentication with any SFTP client?
Is it possible to integrate two-factor authentication for transferring files or uploading code to a web server?
If yes, will it work for any client or will it work for a specific SFTP client?
AReddy
(3218 rep)
Jun 27, 2022, 02:26 PM
• Last activity: Jul 27, 2022, 12:07 PM
1
votes
1
answers
375
views
SSH with multi-factor authentication
The customer requires us to set up MFA for SSH sessions. I have successfully tested MFA using Google Authenticator by following this article: https://www.linode.com/docs/guides/how-to-use-one-time-passwords-for-two-factor-authentication-with-ssh-on-centos/
However, the problem is that other staff members need access to the system also. They can contact me each time for a verification code but I would rather not do this. I can create multiple accounts and set up MFA for each person. This would mean they have to be physically with me or I can get them to scan the QR code through Teams. It just means there's a lot of administrative effort on my end.
I have thought of SMS to groups but I'm not sure if this is possible. I think this is a little less secure but saves a lot of effort on my end. Is this a possible alternative?
Any other suggestion on what I can do to solve this problem?
supmethods
(561 rep)
Jul 4, 2022, 09:45 AM
• Last activity: Jul 4, 2022, 02:58 PM
7
votes
3
answers
8199
views
SSH - Only require google-authenticator from outside local network
Running a Debian variant (OSMC).
What I'm trying to do:
- Disable ssh through password, requiring both key and Google Authenticator; that's all working.
- But now I'm trying to only require the 2 factor authentication from outside the local network (it's easier for backup scripts, but if there's another, better way to do this please do say).
Currently using PuTTY & Pageant from a Windows box to test, just in case it's relevant.
So I'm using the solution here - https://serverfault.com/questions/799657/ssh-google-authenticator-ignore-whitelist-ips
What's now happening -
When I connect from outside the network it still requires the 2 factor authentication as required
From inside the network it looks like it recognises the key but then errors with "Further authentication required".
Many thanks in advance for any help
sudo systemctl status ssh
Aug 25 19:51:36 mosmc sshd: error: PAM: Permission denied for osmc from beast
Aug 25 19:51:36 mosmc sshd: Failed keyboard-interactive/pam for osmc from 192.168.21.3 port 54330 ssh2
Aug 25 19:51:36 mosmc sshd: error: Received disconnect from 192.168.21.3: 14: No supported authentication methods available [preauth]
Cat of files below (where it mentions a script: I've just scripted the install of this media box, as my messing keeps breaking it).
osmc@mosmc:~$ cat /etc/ssh/sshd_config
# Package generated configuration file
# See the sshd_config(5) manpage for details
# What ports, IPs and protocols we listen for
Port XXXXXXX #changed by sshinstall
# Use these options to restrict which interfaces/protocols sshd will bind to
#ListenAddress ::
#ListenAddress 0.0.0.0
Protocol 2
# HostKeys for protocol version 2
# Inserted hostkeys by ssh-install script
HostKey /etc/ssh/ssh_host_ed25519_key
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
KexAlgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com
#End of inserted code
#Privilege Separation is turned on for security
UsePrivilegeSeparation yes
# Lifetime and size of ephemeral version 1 server key
KeyRegenerationInterval 3600
ServerKeyBits 1024
# Logging
SyslogFacility AUTH
LogLevel VERBOSE #edited by script
# Inserted ftp by ssh-install script
# Log sftp level file access (read/write/etc.) that would not be easily logged otherwise.
Subsystem internal-sftp /usr/lib/ssh/sftp-server -f AUTHPRIV -l INFO
#End of inserted code
# Authentication:
LoginGraceTime 120
PermitRootLogin no #edited by script
StrictModes yes
RSAAuthentication yes
PubkeyAuthentication yes
#AuthorizedKeysFile %h/.ssh/authorized_keys
# Don't read the user's ~/.rhosts and ~/.shosts files
IgnoreRhosts yes
# For this to work you will also need host keys in /etc/ssh_known_hosts
RhostsRSAAuthentication no
# similar for protocol version 2
HostbasedAuthentication no
# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
#IgnoreUserKnownHosts yes
# To enable empty passwords, change to yes (NOT RECOMMENDED)
PermitEmptyPasswords no
# Change to yes to enable challenge-response passwords (beware issues with
# some PAM modules and threads)
ChallengeResponseAuthentication yes #edited by script
# Change to no to disable tunnelled clear text passwords
PasswordAuthentication no #edited by script
# Kerberos options
#KerberosAuthentication no
#KerberosGetAFSToken no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes
X11Forwarding yes
X11DisplayOffset 10
PrintMotd no
PrintLastLog yes
TCPKeepAlive yes
#UseLogin no
#MaxStartups 10:30:60
#Banner /etc/issue.net
# Allow client to pass locale environment variables
AcceptEnv LANG LC_*
# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication. Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of PermitRootLogin without-password
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
# Inserted google-auth settings by ssh-install script
AuthenticationMethods publickey,keyboard-interactive:pam
KbdInteractiveAuthentication yes
# Ensure /bin/login is not used so that it cannot bypass PAM settings for sshd.
UseLogin no
#End of inserted code
UsePAM yes
access-local.conf
osmc@mosmc:~$ cat /etc/security/access-local.conf
# only allow from local IP range
+ : ALL : 192.168.21.0/24
+ : ALL : LOCAL
- : ALL : ALL
pam.d
osmc@mosmc:~$ cat /etc/pam.d/sshd
# PAM configuration for the Secure Shell service
# Inserted PAM settings by ssh-install script
auth [success=1 default=ignore] pam_access.so accessfile=/etc/security/access-local.conf
auth required pam_google_authenticator.so
#End of inserted code
# Standard Un*x authentication.
#@include common-auth #commented out by sshinstall
# Disallow non-root logins when /etc/nologin exists.
account required pam_nologin.so
# Uncomment and edit /etc/security/access.conf if you need to set complex
# access limits that are hard to express in sshd_config.
# account required pam_access.so
# Standard Un*x authorization.
@include common-account
# SELinux needs to be the first session rule. This ensures that any
# lingering context has been cleared. Without this it is possible that a
# module could execute code in the wrong domain.
session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close
# Set the loginuid process attribute.
session required pam_loginuid.so
# Create a new session keyring.
session optional pam_keyinit.so force revoke
# Standard Un*x session setup and teardown.
@include common-session
# Print the message of the day upon successful login.
# This includes a dynamically generated part from /run/motd.dynamic
# and a static (admin-editable) part from /etc/motd.
session optional pam_motd.so motd=/run/motd.dynamic
session optional pam_motd.so noupdate
# Print the status of the user's mailbox upon successful login.
session optional pam_mail.so standard noenv #
# Set up user limits from /etc/security/limits.conf.
session required pam_limits.so
# Read environment variables from /etc/environment and
# /etc/security/pam_env.conf.
session required pam_env.so #
# In Debian 4.0 (etch), locale-related environment variables were moved to
# /etc/default/locale, so read that as well.
session required pam_env.so user_readenv=1 envfile=/etc/default/locale
# SELinux needs to intervene at login time to ensure that the process starts
# in the proper default security context. Only sessions which are intended
# to run in the user's context should be run after this.
session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open
# Standard Un*x password updating.
@include common-password
beardedfool
(137 rep)
Aug 25, 2017, 06:58 PM
• Last activity: Apr 7, 2022, 11:38 AM
2
votes
0
answers
1599
views
openconnect pulse and 2fa
I want to use openconnect instead of pulsesecure/pulseUI to connect to my company's VPN.
This was OK on the old server, but on the new one they have added 2FA.
I saw this https://stackoverflow.com/a/63232539/959179 which looks promising.
So I try a very basic test:
echo -e "${myPasswd}\n${freshOTPcode}" | sudo openconnect --protocol=pulse --passwd-on-stdin -u me@company.com
Connected to :443
SSL negotiation with
Connected to HTTPS on
Got HTTP response: HTTP/1.1 101 Switching Protocols
**Unhandled Pulse authentication packet, or authentication failure**
E [...]
**Failed to obtain WebVPN cookie**
I cannot make anything out of it. The PulseSecure v9.1R13 client connects fine to the server.
The error is the same if I use the following arguments:
echo "myPasswd" | sudo openconnect --protocol=pulse -u me@company.com --passwd-on-stdin --token-mode=totp --token-secret=813940
nass
(1508 rep)
Feb 21, 2022, 04:01 PM
• Last activity: Mar 23, 2022, 11:53 PM
1
votes
1
answers
192
views
Raspberry Pi OS Google 2FA over SSH Keeps Asking For The Password and OTP
I followed this guide: https://pimylifeup.com/setup-2fa-ssh/ however this is what I get when trying to connect (it is stuck in a loop and keeps asking for the password and key):
ssh jacob@192.168.4.141
(jacob@192.168.4.141) Password:
(jacob@192.168.4.141) Verification code:
(jacob@192.168.4.141) Password:
(jacob@192.168.4.141) Verification code:
(jacob@192.168.4.141) Password:
(jacob@192.168.4.141) Verification code:
jacob@192.168.4.141's password:
This happens if the code is right or wrong; it doesn't matter either way.
If the password is wrong, it will ask for it again (no verification code)
Jacob Miller
(135 rep)
Feb 21, 2022, 03:54 PM
• Last activity: Mar 8, 2022, 01:34 AM