Configuring Two-Factor Authentication for SUDO Command

This article describes how to configure a Linux server to enable two-factor authentication with a one-time access code (OTP) or PUSH notification when running the sudo command.

Possible authentication methods:

  • MultiFactor mobile application
  • SMS
  • Hardware OTP-tokens
  • Software OTP-tokens and applications (e.g. Google Authenticator)
  • Telegram

Workflow

  1. SUDO uses the PAM_RADIUS module for the second authentication factor
  2. Module connects through RADIUS protocol to the multifactor service
  3. the multifactor sends a one-time password or access request confirmation to the user's phone
  4. User enters the one-time password or confirms the request on the phone

Multifactor setup

Go to MultiFactor Management System, go to Resources and create a new Linux server. Once created you will have two options: NAS Identifier and Shared Secret, you will need them for the next steps.

Installing and configuring the PAM_RADIUS module

$ sudo yum -y install epel-release
$ sudo yum -y install pam_radius

Next, create a configuration file

$ sudo vi /etc/pam_radius_sudo.conf

Write the Multifactor RADIUS server settings into it, save and close the editor (:x)

radius.multifactor.ru SHARED_SECRET 40

where:

  • radius.multifactor.ru: server address
  • SHARED_SECRET: copy from the corresponding parameter of the Linux resource Multifactor settings
  • 40: request timeout (with extra reserve time)

The file contains the secret key, so set the file's read access only to the root user

$ sudo chmod 0600 /etc/pam_radius_sudo.conf

Configuring PAM modules sudo

Open /etc/pam.d/sudo file for editing

$ sudo vi /etc/pam.d/sudo

Edit the file as follows:

#%PAM-1.0
auth substack system-auth                                                                                                                                        
auth required pam_radius_auth.so skip_passwd client_id=NAS_Identifier conf=/etc/pam_radius_sudo.conf
account include system-auth
password include system-auth
session include system-auth
#%PAM-1.0
auth required pam_radius_auth.so skip_passwd client_id=NAS_Identifier conf=/etc/pam_radius_sudo.conf
account include system-auth
password include system-auth
session include system-auth

where

  • NAS_Identifier: copy from the corresponding Linux resource Multifactor settings.

Save and close the file (:x).

Last updated on 1/25/2021
Configuring Linux SSHVMware vCloud Director Configuration