Configuring Two-Factor Authentication for SUDO Command

This article describes how to configure a Linux server to enable two-factor authentication with a one-time access code (OTP) or PUSH notification when running the sudo command.

Possible authentication methods:

  • MultiFactor mobile application
  • SMS
  • Hardware OTP-tokens
  • Software OTP-tokens and applications (e.g. Google Authenticator)
  • Telegram

Workflow

  1. sudo uses the PAM_RADIUS module for the second authentication factor
  2. The module connects to the Multifactor service over the RADIUS protocol
  3. Multifactor sends a one-time password or an access request confirmation to the user's phone
  4. The user enters the one-time password or confirms the request on the phone

Multifactor setup

Go to the MultiFactor Management System, open Resources and create a new Linux server. Once it is created, two parameters become available: NAS Identifier and Shared Secret. You will need them in the next steps.

Installing and configuring the PAM_RADIUS module

$ sudo yum -y install epel-release
$ sudo yum -y install pam_radius

Next, create a configuration file:

$ sudo vi /etc/pam_radius_sudo.conf

Write the Multifactor RADIUS server settings into it, then save and close the editor (:x):

radius.multifactor.ru SHARED_SECRET 40

where:

  • radius.multifactor.ru: server address
  • SHARED_SECRET: copy from the corresponding parameter in the Linux resource settings in Multifactor
  • 40: request timeout (with extra reserve time)

The file contains the secret key, so make it readable only by the root user:

$ sudo chmod 0600 /etc/pam_radius_sudo.conf

Configuring PAM modules for sudo

Open the /etc/pam.d/sudo file for editing:

$ sudo vi /etc/pam.d/sudo

Edit the file as follows, using one of the two variants.

Password and second factor:

#%PAM-1.0
auth substack system-auth
auth required pam_radius_auth.so skip_passwd client_id=NAS_Identifier conf=/etc/pam_radius_sudo.conf
account include system-auth
password include system-auth
session include system-auth

Only the second factor:

#%PAM-1.0
auth required pam_radius_auth.so skip_passwd client_id=NAS_Identifier conf=/etc/pam_radius_sudo.conf
account include system-auth
password include system-auth
session include system-auth

where:

  • NAS_Identifier: copy from the corresponding parameter in the Linux resource settings in Multifactor.

Save and close the file (:x).
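
A post-configuration check for the two files created above, as an added example that is not part of the original article or Multifactor's own tooling. The function names are hypothetical, and the script assumes GNU stat and the simple `auth <control> pam_radius_auth.so ...` line form shown in this guide.

```shell
#!/bin/sh
# Added example: audit the two files this guide creates. Not vendor code.
# Usage (as root): check_radius_conf /etc/pam_radius_sudo.conf &&
#                  check_pam_sudo /etc/pam.d/sudo /etc/pam_radius_sudo.conf

# check_radius_conf FILE [UID]: FILE must be mode 600, owned by UID (default
# 0 = root), and every server line must carry a real secret.
check_radius_conf() {
    conf=$1 want_uid=${2:-0}
    [ -f "$conf" ] || { echo "missing: $conf"; return 1; }
    set -- $(stat -c '%a %u' "$conf")      # GNU stat: octal mode, owner uid
    [ "$1" = 600 ] || { echo "$conf: mode $1, expected 600"; return 1; }
    [ "$2" = "$want_uid" ] || { echo "$conf: owner uid $2, expected $want_uid"; return 1; }
    # Skip blank and comment lines; the guide's literal SHARED_SECRET is a placeholder.
    awk 'NF == 0 || $1 ~ /^#/ { next }
         { n++; if (NF < 2 || $2 == "SHARED_SECRET") bad = 1 }
         END { exit (bad || n == 0) }' "$conf" ||
        { echo "$conf: no server line, or secret missing or still a placeholder"; return 1; }
}

# check_pam_sudo PAMFILE CONF: the pam_radius_auth.so auth line must be
# enforced (required/requisite), point at CONF, and carry a real client_id.
check_pam_sudo() {
    pam=$1 conf=$2
    line=$(awk '$1 == "auth" && $3 ~ /pam_radius_auth\.so$/ { print; exit }' "$pam")
    [ -n "$line" ] || { echo "$pam: no pam_radius_auth.so auth line"; return 1; }
    set -- $line
    line=" $* "                            # fields re-joined with single spaces
    case $2 in
        required|requisite) ;;
        *) echo "$pam: control '$2' does not enforce the second factor"; return 1 ;;
    esac
    case $line in
        *" conf=$conf "*) ;;
        *) echo "$pam: auth line does not use conf=$conf"; return 1 ;;
    esac
    case $line in
        *" client_id=NAS_Identifier "*) echo "$pam: client_id is still the placeholder"; return 1 ;;
        *" client_id="*) ;;
        *) echo "$pam: client_id missing"; return 1 ;;
    esac
}
```

Run the checks from a root shell that stays open in a second terminal until sudo has been tested, since a mistake in /etc/pam.d/sudo can leave sudo unusable.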

Last updated on 1/25/2021