Configuring Two-Factor Authentication for SUDO Command
This article describes how to configure a Linux server so that running the sudo command requires a second authentication factor: a one-time password (OTP) or a push notification that the user confirms on the phone.
Possible authentication methods:
MultiFactor mobile application
SMS
Hardware OTP-tokens
Software OTP-tokens and applications (e.g. Google Authenticator)
Telegram
Workflow
- sudo uses the PAM_RADIUS module (pam_radius_auth.so) for the second authentication factor
- the module connects to the MultiFactor service over the RADIUS protocol
- MultiFactor sends a one-time password or an access request confirmation to the user's phone
- the user enters the one-time password or confirms the request on the phone; only then does sudo run the command
MultiFactor setup
Go to MultiFactor Management System, open Resources and create a new Linux server resource. Once it is created you will see two parameters, NAS Identifier and Shared Secret; you will need both of them in the next steps.
Installing and configuring the PAM_RADIUS module
On RHEL/CentOS the pam_radius package is provided by EPEL, so enable that repository first:
$ sudo yum -y install epel-release
$ sudo yum -y install pam_radius
Next, create a configuration file for the module
$ sudo vi /etc/pam_radius_sudo.conf
Write the MultiFactor RADIUS server settings into it as a single line (server, shared secret, timeout), then save and close the editor (:x)
radius.multifactor.ru SHARED_SECRET 40
where:
- radius.multifactor.ru: RADIUS server address. No port is given, so pam_radius_auth uses the default RADIUS authentication port, 1812/udp, which must be reachable from the server
- SHARED_SECRET: copy from the corresponding parameter of the Linux resource in MultiFactor settings. It is what lets MultiFactor trust requests from this server, so treat it like a credential
- 40: request timeout in seconds. It is deliberately long: with a push notification the RADIUS request stays open until the user confirms it on the phone, and a short timeout would fail the authentication before the user has had time to respond
The file contains the shared secret, so make it readable by root only
$ sudo chmod 0600 /etc/pam_radius_sudo.conf
Configuring PAM for sudo
Open the /etc/pam.d/sudo file for editing
$ sudo vi /etc/pam.d/sudo
Edit the file so that it matches one of the two variants below. Both call pam_radius_auth.so with skip_passwd, so the module does not prompt for a password of its own; MultiFactor decides, per user, whether to send a push notification or to challenge for a one-time code. The variants differ only in whether the user's normal password is still required first.
Variant 1: password + second factor (the system-auth substack checks the user's password, then pam_radius_auth.so requests the OTP or push confirmation)
#%PAM-1.0
auth substack system-auth
auth required pam_radius_auth.so skip_passwd client_id=NAS_Identifier conf=/etc/pam_radius_sudo.conf
account include system-auth
password include system-auth
session include system-auth
Variant 2: second factor only (no password prompt; sudo is authorized by the OTP or push confirmation alone)
#%PAM-1.0
auth required pam_radius_auth.so skip_passwd client_id=NAS_Identifier conf=/etc/pam_radius_sudo.conf
account include system-auth
password include system-auth
session include system-auth
where
- NAS_Identifier: copy from the corresponding parameter of the Linux resource in MultiFactor settings. pam_radius_auth sends it as the RADIUS NAS-Identifier attribute, which is how MultiFactor knows which resource the request belongs to.
- pam_radius_auth sends the Linux account name that invoked sudo as the RADIUS User-Name, so each administrator's login must exist as a user in MultiFactor under the same name.
Save and close the file (:x).
Test the change from a second terminal while keeping your current root session open: run sudo -k to discard the cached credentials, then sudo -v, and confirm that the second factor is requested and accepted. If the RADIUS server cannot be reached (firewall, wrong secret, wrong NAS identifier), pam_radius_auth fails and sudo is refused, so do not close the working session until the test passes. Note also that sudo runs this PAM stack only when it actually authenticates: sudoers rules with NOPASSWD skip it entirely, and within the timestamp timeout after a successful authentication (5 minutes by default upstream) sudo does not prompt again, so the second factor is not requested for every command.
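The whole procedure above (secret file, root-only permissions, one of the two PAM variants, and a check that the result is sane) as a POSIX shell script. This is an added example, not part of the original article and not MultiFactor's code. It writes under a root directory you choose, so it can be dry-run in a temporary directory before being pointed at "/"; radius.multifactor.ru, SHARED_SECRET and NAS_Identifier are the article's placeholders, to be replaced with the values from your Linux resource. The check function verifies the two properties a reviewer would want: the secret file is mode 0600 and /etc/pam.d/sudo really invokes pam_radius_auth.so in its auth stack with that secret file.

```shell
#!/bin/sh
# Added example (not from the article or MultiFactor): generate the two
# files the procedure above describes under a chosen root directory, so
# the result can be checked before touching the live system (root "/").
# radius.multifactor.ru, SHARED_SECRET and NAS_Identifier are the
# article's placeholders; the last two come from the Linux resource in
# MultiFactor Management System.
set -u

write_pam_radius_conf() {
  # $1 root dir, $2 RADIUS server, $3 shared secret, $4 timeout in seconds
  root="$1"; server="$2"; secret="$3"; timeout="$4"
  conf="$root/etc/pam_radius_sudo.conf"
  mkdir -p "$root/etc"
  # umask 077 in a subshell creates the file as 0600 from the start, so the
  # secret is never briefly world-readable between writing and chmod.
  (umask 077; printf '%s %s %s\n' "$server" "$secret" "$timeout" > "$conf")
  chmod 0600 "$conf"
}

write_pam_sudo() {
  # $1 root dir, $2 NAS identifier, $3 mode: password+otp | otp-only
  root="$1"; nas="$2"; mode="$3"
  pamfile="$root/etc/pam.d/sudo"
  mkdir -p "$root/etc/pam.d"
  {
    echo '#%PAM-1.0'
    # password+otp keeps the user's own password (system-auth) as the
    # first factor; otp-only relies on the RADIUS second factor alone.
    if [ "$mode" = "password+otp" ]; then
      echo 'auth substack system-auth'
    fi
    echo "auth required pam_radius_auth.so skip_passwd client_id=$nas conf=/etc/pam_radius_sudo.conf"
    echo 'account include system-auth'
    echo 'password include system-auth'
    echo 'session include system-auth'
  } > "$pamfile"
}

check_sudo_mfa() {
  # $1 root dir. Succeeds only if the secret file is readable by its owner
  # alone and the sudo PAM stack really calls pam_radius_auth.so in the
  # auth phase with the secret file written above. ls -l is used instead
  # of stat -c so the check is portable across coreutils flavours.
  root="$1"
  conf="$root/etc/pam_radius_sudo.conf"
  pamfile="$root/etc/pam.d/sudo"
  [ -f "$conf" ] && [ -f "$pamfile" ] || return 1
  perms=$(ls -l "$conf" | cut -c1-10)
  [ "$perms" = "-rw-------" ] || return 1
  grep -Eq '^auth[[:space:]]+required[[:space:]]+pam_radius_auth\.so[[:space:]]' "$pamfile" || return 1
  grep -q 'conf=/etc/pam_radius_sudo.conf' "$pamfile" || return 1
}

# Usage: sh setup_sudo_mfa.sh ROOT SERVER SECRET NAS_ID [password+otp|otp-only] [TIMEOUT]
# e.g.   sh setup_sudo_mfa.sh / radius.multifactor.ru SHARED_SECRET NAS_Identifier password+otp 40
if [ "$#" -ge 4 ]; then
  write_pam_radius_conf "$1" "$2" "$3" "${6:-40}"
  write_pam_sudo "$1" "$4" "${5:-password+otp}"
  if check_sudo_mfa "$1"; then
    echo "sudo MFA configuration written under $1"
  else
    echo "configuration check failed under $1" >&2
    exit 1
  fi
fi
```

Run it first with a scratch directory as ROOT (for example the output of mktemp -d) and inspect the generated files; only then run it as root with ROOT set to / and test sudo from a second terminal as described above. The check deliberately fails when the secret file is loosened to 0644, which is the mistake most likely to survive a hand-edited setup.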