Cockpit is the awesome web interface to manage a Linux VM or server. For best security, one can setup two-factor auth with google authenticator for Cockpit. Here is a how-to for Fedora Linux 25!

Note: This guide uses Fedora Linux, though cockpit and google-authenticator are also available on many other distros!

1. Install google-authenticator

sudo dnf install google-authenticator

Debian peeps, this is the package name:



sudo apt install libpam-google-authenticator

2. Run google-authenticator to generate secret

Run google-authenticator as your regular user (not as root / no sudo !) to generate the secret key on the instance.



google-authenticator

Scan the barcode with your phone. Save the emergency codes in a secret place!

I suggest answering Y to all of the interactive security questions.

The output will look similar to:





3. Update pam to enable two-factor auth for cockpit

Edit the file /etc/pam.d/cockpit



At the bottom, put the following:



# google authenticator for two-factor auth required pam_google_authenticator.so

My /etc/pam.d/cockpit on Fedora looks like this:



#%PAM-1.0 auth required pam_sepermit.so auth substack password-auth auth include postlogin auth optional pam_ssh_add.so account required pam_nologin.so account required pam_shells.so account include password-auth password include password-auth # pam_selinux.so close should be the first session rule session required pam_selinux.so close session required pam_loginuid.so # pam_selinux.so open should only be followed by sessions to be executed in the user context session required pam_selinux.so open env_params session optional pam_keyinit.so force revoke session optional pam_ssh_add.so session include password-auth session include postlogin # google authenticator for two-factor auth required pam_google_authenticator.so

4. Restart cockpit

sudo systemctl restart cockpit

Done! Below is quick video of two-factor auth in action:





