2fa code to login on fedora desktop

Hi there,
I need you.
I'm trying to add a 2FA code to my system's login process, but without results.
I would use Google Authenticator to generate a temporary code to insert during login.
Can you help me?

I don’t have that currently configured (I’ve switched to using a YubiKey). But I tried it at one point. I think it was as simple as

  1. dnf install google-authenticator
  2. Add something like auth [success=ok ignore=ignore default=die] pam_google_authenticator.so nullok secret=/var/lib/google-authenticator/${USER} right after the auth substack system-auth line in /etc/pam.d/login (careful, messing up this file can lock you out of your system).
  3. Run something like google-authenticator -u -t -d -f -w 3 -e 0 -i "" -l ${USER}@${HOSTNAME} -Q utf8 -s /var/lib/google-authenticator/${USER} to generate the OTP secret.
  4. Try to login on one of your virtual consoles to see if it works (use Ctrl+Alt+F[N] to switch virtual consoles).

(I copied some of the above from some old notes I had. I’m not sure what all those parameters mean. Consult the man page for more information.)

Hi, thank you very much for your answer.
Is YubiKey safer than 2FA?

It doesn't work.

YubiKey is just a different form of 2fa. It might be a little “safer”. It might also be a little more complex to configure, depending on your environment.

The following worked for me. I just tried it. It looks like I left out that you need to create (and label) the /var/lib/google-authenticator directory in my initial response.

# dnf install -y google-authenticator
# mkdir /var/lib/google-authenticator
# chmod 1777 /var/lib/google-authenticator
# restorecon -v /var/lib/google-authenticator
Relabeled /var/lib/google-authenticator from unconfined_u:object_r:var_lib_t:s0 to unconfined_u:object_r:var_auth_t:s0
# google-authenticator -u -t -d -f -w 3 -e 0 -i "" -l ${USER}@${HOSTNAME} -Q utf8 -s /var/lib/google-authenticator/${USER}
Warning: pasting the following URL into your browser exposes the OTP secret to Google:
  [QR code rendered in the terminal with block characters; omitted here]
Your new secret key is: MRWC26X6A4L6JWPZWTCOECDYL4
Enter code from app (-1 to skip): -1
Code confirmation skipped
Your emergency scratch codes are:
# sed -i.bak 's|^auth\(\s\+\)substack\(\s\+\)system-auth\s*$|&\nauth\1required\2pam_google_authenticator.so nullok secret=/var/lib/google-authenticator/${USER}|' /etc/pam.d/login
# cat /etc/pam.d/login
auth       substack     system-auth
auth       required     pam_google_authenticator.so nullok secret=/var/lib/google-authenticator/${USER}
auth       include      postlogin
account    required     pam_nologin.so
account    include      system-auth
password   include      system-auth
# pam_selinux.so close should be the first session rule
session    required     pam_selinux.so close
session    required     pam_loginuid.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session    required     pam_selinux.so open
session    required     pam_namespace.so
session    optional     pam_keyinit.so force revoke
session    include      system-auth
session    include      postlogin
-session   optional     pam_ck_connector.so
# dnf install -y oathtool pamtester
# oathtool --base32 --totp MRWC26X6A4L6JWPZWTCOECDYL4
# pamtester login root authenticate
Verification code: 
pamtester: successfully authenticated
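To make it clearer what `pam_google_authenticator.so` is actually checking when you type the "Verification code" above (and why the `-w 3` window and `oathtool --totp` line up), here is a minimal RFC 6238 TOTP verifier in pure Python. This is an added example, not code from the thread or from the google-authenticator project. It assumes the secret is the unpadded base32 string that `google-authenticator` prints and stores on the first line of the `-s` secret file; the `EXAMPLE_SECRET` is the throwaway secret from the post above (its confirmation was skipped, so it protects nothing), and `RFC6238_TEST_SECRET_B32` is the standard test key from RFC 6238 Appendix B.

```python
"""Added example (not from the thread): a minimal RFC 6238 TOTP verifier in
pure Python, mirroring the check pam_google_authenticator.so performs at login."""
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional

# Throwaway secret from the post above (code confirmation was skipped, so it
# guards nothing). google-authenticator prints it base32-encoded, unpadded.
EXAMPLE_SECRET = "MRWC26X6A4L6JWPZWTCOECDYL4"

# RFC 6238 Appendix B test key ("12345678901234567890"), base32-encoded so it
# goes through the same decoder as a real secret file.
RFC6238_TEST_SECRET_B32 = base64.b32encode(b"12345678901234567890").decode()

STEP_SECONDS = 30   # time step google-authenticator uses for TOTP (-t)
DIGITS = 6          # code length shown by the phone app


def decode_secret(secret_b32: str) -> bytes:
    """Decode the unpadded base32 secret the tool prints / writes to the secret file."""
    s = secret_b32.strip().upper()
    s += "=" * (-len(s) % 8)          # restore the '=' padding the tool omits
    return base64.b32decode(s)


def hotp(key: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then
    dynamic truncation to a 31-bit integer, then the last `digits` decimal digits."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret_b32: str, at: Optional[int] = None) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step). This is what
    `oathtool --base32 --totp <secret>` prints for the current moment."""
    t = int(time.time()) if at is None else at
    return hotp(decode_secret(secret_b32), t // STEP_SECONDS)


def verify(secret_b32: str, code: str, at: Optional[int] = None, window: int = 3) -> bool:
    """Accept `code` if it matches any of `window` consecutive time steps centred
    on the current one: window=3 means current step, one before and one after,
    which is what `-w 3` in the thread's google-authenticator invocation selects.
    Comparison is constant-time, as a verifier should do."""
    t = int(time.time()) if at is None else at
    key = decode_secret(secret_b32)
    centre = t // STEP_SECONDS
    half = window // 2
    for counter in range(centre - half, centre + half + 1):
        if hmac.compare_digest(hotp(key, counter), code):
            return True
    return False


if __name__ == "__main__":
    # Same value oathtool would print for this secret right now.
    now_code = totp(EXAMPLE_SECRET)
    print("current code:", now_code, "accepted:", verify(EXAMPLE_SECRET, now_code))
```

Two things worth noticing from the code: the window is symmetric, so `-w 3` accepts the previous and next 30-second code as well as the current one, and widening it (for badly skewed clocks) proportionally widens the set of codes a guesser or replayer could use. Separately, the PAM line in the thread carries `nullok`, which means a user with no secret file at `/var/lib/google-authenticator/${USER}` is let through on password alone; that is convenient while rolling out but it is an opt-in second factor, not a mandatory one, until every account has a secret.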

Thank you, I'll try.

If you want it to work with GNOME Desktop Manager, you’ll have to add the

auth       required     pam_google_authenticator.so nullok secret=/var/lib/google-authenticator/${USER}

after the

auth        substack      password-auth

line in /etc/pam.d/gdm-password. I don’t know for sure that it will work with GDM. But I think it should. (I’d keep a privileged VT open just in case it doesn’t work.)