2fa code to login on fedora desktop

Ask Fedora
1

Hi there,
i need you.
I’m trying to add on my system 2fa code during login process, but without results.
i would use google authenticator to generate temp code to insert during login.
May you help me?
Thanks.

2

I don’t have that currently configured (I’ve switched to using a YubiKey). But I tried it at one point. I think it was as simple as

  1. dnf install google-authenticator
  2. Add something like auth [success=ok ignore=ignore default=die] pam_google_authenticator.so nullok secret=/var/lib/google-authenticator/${USER} right after the auth substack system-auth line in /etc/pam.d/login (careful, messing up this file can lock you out of your system).
  3. Run something like google-authenticator -u -t -d -f -w 3 -e 0 -i "" -l ${USER}@${HOSTNAME} -Q utf8 -s /var/lib/google-authenticator/${USER} to generate the OTP secret.
  4. Try to login on one of your virtual consoles to see if it works (use Ctrl+Alt+F[N] to switch virtual consoles).

(I copied some of the above from some old notes I had. I’m not sure what all those parameters mean. Consult the man page for more information.)

3

Hi, thank you very much for your answer.
Is yubikey safer than 2fa?
Thanks.

4

It’s not work.

5

YubiKey is just a different form of 2fa. It might be a little β€œsafer”. It might also be a little more complex to configure, depending on your environment.

The following worked for me. I just tried it. It looks like I left out that you need to create (and label) the /var/lib/google-authenticator directory in my initial response.

# dnf install -y google-authenticator
# mkdir /var/lib/google-authenticator
# chmod 1777 /var/lib/google-authenticator
# restorecon -v /var/lib/google-authenticator
Relabeled /var/lib/google-authenticator from unconfined_u:object_r:var_lib_t:s0 to unconfined_u:object_r:var_auth_t:s0
# google-authenticator -u -t -d -f -w 3 -e 0 -i "" -l ${USER}@${HOSTNAME} -Q utf8 -s /var/lib/google-authenticator/${USER}
Warning: pasting the following URL into your browser exposes the OTP secret to Google:
  https://www.google.com/chart?chs=200x200&chld=M|0&cht=qr&chl=otpauth://totp/root@hal9000%3Fsecret%3DMRWC26X6A4L6JWPZWTCOECDYL4
                                         
  β–ˆβ–€β–€β–€β–€β–€β–ˆ β–ˆβ–€β–„β–€  β–€  β–ˆβ–ˆβ–€β–„β–ˆβ–€β–€β–„β–€β–„ β–ˆ β–ˆβ–€β–€β–€β–€β–€β–ˆ  
  β–ˆ β–ˆβ–€β–ˆ β–ˆ β–€ β–€β–€β–„β–„β–ˆβ–„β–€β–„ β–„β–€β–ˆβ–ˆ  β–ˆ β–€β–€ β–ˆ β–ˆβ–ˆβ–ˆ β–ˆ  
  β–ˆ β–€β–€β–€ β–ˆ β–€β–ˆβ–€β–ˆβ–„β–€  β–„β–ˆβ–ˆβ–€ β–ˆβ–ˆβ–„β–ˆ β–ˆ β–€ β–ˆ β–€β–€β–€ β–ˆ  
  β–€β–€β–€β–€β–€β–€β–€ β–€ β–€β–„β–€β–„β–ˆ β–ˆ β–€ β–€ β–ˆ β–ˆβ–„β–ˆβ–„β–ˆ β–€β–€β–€β–€β–€β–€β–€  
  β–€  β–ˆβ–ˆβ–ˆβ–€β–€β–€β–ˆβ–€ β–ˆβ–ˆβ–ˆ β–€β–„β–€ β–„β–€β–„  β–ˆβ–ˆ β–€β–ˆβ–„β–„β–ˆ β–ˆβ–ˆβ–€  
  β–€β–ˆ β–ˆβ–€β–€β–€β–€β–ˆβ–ˆβ–€  β–€β–„β–„ β–ˆβ–€ β–ˆ β–€β–€ β–€β–„β–ˆ     β–„β–ˆβ–„β–ˆ  
  β–€β–„β–€β–„  β–€β–ˆβ–„β–„β–€β–€ β–ˆβ–ˆβ–„ β–„ β–€β–ˆβ–„β–€β–ˆβ–„ β–„β–ˆβ–€β–€β–€β–ˆβ–„   β–€  
  β–€β–„β–€β–„ β–„β–€β–„β–ˆβ–„β–€β–ˆβ–„β–€ β–€ β–ˆβ–„β–ˆβ–ˆ  β–„β–ˆβ–€β–ˆβ–€β–ˆβ–ˆβ–€β–€β–€β–ˆβ–ˆβ–ˆβ–ˆ  
   β–„β–„β–ˆβ–ˆβ–„β–€β–ˆ β–„β–„β–€β–€  β–€β–ˆβ–ˆβ–„β–„ β–ˆβ–€β–ˆβ–ˆβ–„ β–€β–€β–„  β–€β–ˆ β–„β–€  
  β–„β–„β–ˆβ–€β–ˆβ–€β–€β–ˆβ–€ β–„β–„β–€β–€ β–ˆ β–€β–„β–„β–€ β–€ β–ˆβ–ˆβ–ˆβ–ˆβ–„β–ˆβ–ˆβ–€β–€β–ˆ β–€  
  β–„β–€ β–ˆβ–„β–€β–€β–ˆβ–€β–„β–€β–„ β–€β–ˆβ–€ β–€ β–ˆβ–€β–€β–„β–ˆβ–ˆβ–„ β–€β–„ β–ˆβ–€ β–ˆβ–€β–„β–€   
  β–€β–€β–€β–„β–„ β–€β–ˆβ–€β–€β–„β–ˆβ–€ β–€β–€ β–ˆβ–€β–„ β–€β–€β–€β–ˆβ–€ β–€ β–€β–€ β–ˆβ–„β–„ β–€  
  β–„ β–€β–€β–„β–ˆβ–€β–€ β–„ β–€ β–€β–ˆβ–€β–ˆβ–€β–€β–ˆβ–€β–€ β–€ β–ˆβ–„β–€β–„β–ˆβ–€β–€β–ˆβ–„ β–€β–€  
  β–ˆβ–€ β–„β–€β–€β–€β–„β–€β–€β–„ β–€β–„β–€β–„β–€  β–€β–ˆβ–€β–ˆ β–ˆβ–€β–ˆβ–ˆβ–€β–€β–ˆβ–„ β–„β–ˆβ–ˆβ–€  
  β–€ β–€β–€β–€β–€β–€β–€β–„β–„β–€β–ˆβ–ˆβ–€β–„β–„  β–ˆβ–ˆβ–ˆ  β–€β–€β–„ β–ˆβ–ˆβ–€β–€β–€β–ˆβ–„β–ˆβ–€   
  β–ˆβ–€β–€β–€β–€β–€β–ˆ β–ˆβ–€β–ˆ β–ˆβ–„β–„β–€β–„β–„β–„β–€β–€ β–ˆβ–€ β–„β–ˆβ–„β–ˆ β–€ β–ˆβ–„β–€β–„β–€  
  β–ˆ β–ˆβ–€β–ˆ β–ˆ β–ˆβ–„ β–€β–€β–„ β–€β–„β–„β–„ β–€β–€β–„  β–€β–€β–ˆβ–€β–ˆβ–ˆβ–€β–€β–„β–„β–€β–„  
  β–ˆ β–€β–€β–€ β–ˆ  β–€β–ˆβ–„β–ˆ β–„β–€β–ˆβ–„β–„ β–ˆβ–€ β–€  β–€β–„β–€β–ˆβ–„β–€β–€β–€β–„β–„β–ˆ  
  β–€β–€β–€β–€β–€β–€β–€ β–€β–€ β–€  β–€β–€β–€  β–€β–€ β–€β–€β–€  β–€β–€β–€  β–€   β–€  
                                         
Your new secret key is: MRWC26X6A4L6JWPZWTCOECDYL4
Enter code from app (-1 to skip): -1
Code confirmation skipped
Your emergency scratch codes are:
# sed -i.bak 's|^auth\(\s\+\)substack\(\s\+\)system-auth\s*$|&\nauth\1required\2pam_google_authenticator.so nullok secret=/var/lib/google-authenticator/${USER}|' /etc/pam.d/login
# cat /etc/pam.d/login
#%PAM-1.0
auth       substack     system-auth
auth       required     pam_google_authenticator.so nullok secret=/var/lib/google-authenticator/${USER}
auth       include      postlogin
account    required     pam_nologin.so
account    include      system-auth
password   include      system-auth
# pam_selinux.so close should be the first session rule
session    required     pam_selinux.so close
session    required     pam_loginuid.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session    required     pam_selinux.so open
session    required     pam_namespace.so
session    optional     pam_keyinit.so force revoke
session    include      system-auth
session    include      postlogin
-session   optional     pam_ck_connector.so
# dnf install -y oathtool pamtester
# oathtool --base32 --totp MRWC26X6A4L6JWPZWTCOECDYL4
135052
# pamtester login root authenticate
Password: 
Verification code: 
pamtester: successfully authenticated
#
1 Like
6

thank you, i’ll try.

7

If you want it to work with GNOME Desktop Manager, you’ll have to add the

auth       required     pam_google_authenticator.so nullok secret=/var/lib/google-authenticator/${USER}

after the

auth        substack      password-auth

line in /etc/pam.d/gdm-password. I don’t know for sure that it will work with GDM. But I think it should. (I’d keep a privileged VT open just in case it doesn’t work.)