Setup Sudo With Google-Authenticator for 2FA on CentOS 7

By configuring the google-authenticator-libpam PAM module with sudo, you can require system users to authenticate with both a one-time passcode and their system password in order to use sudo.

From google-authenticator-libpam

The Google Authenticator project includes implementations of one-time
passcode generators for several mobile platforms, as well as a pluggable
authentication module (PAM).

To set this up on CentOS 7, we’ll install the google-authenticator PAM module and update your server’s PAM configuration.

First, install the tools required to build the google-authenticator-libpam PAM module.

yum install -y git autoconf automake make libtool pam-devel

Clone the google-authenticator-libpam git repo, then build and install the plugin.

git clone https://github.com/google/google-authenticator-libpam.git
cd google-authenticator-libpam
./bootstrap.sh
./configure
make
sudo make install

This installs the google-authenticator binary and the pam_google_authenticator.so PAM module under /usr/local.

Before continuing, log in as root and do not exit from this login whilst making
changes to your system. A mistake could lock you out of your root account.

Add pam_google_authenticator.so to /etc/pam.d/sudo so that the file reads:

auth       required     /usr/local/lib/security/pam_google_authenticator.so forward_pass nullok
auth       include      system-auth
account    include      system-auth
password   include      system-auth
session    optional     pam_keyinit.so revoke
session    required     pam_limits.so

It's important that the path used for pam_google_authenticator.so is correct; otherwise PAM will not be able to find the module and sudo will log an error like the following:

sudo: PAM unable to dlopen(/usr/lib64/security/pam_google_authenticator.so): /usr/lib64/security/pam_google_authenticator.so: cannot open shared object file: No such file or directory
sudo: PAM adding faulty module: /usr/lib64/security/pam_google_authenticator.so

It is also important that the pam_google_authenticator.so line appears before the auth include system-auth line within /etc/pam.d/sudo.

Any user who will need to use sudo now needs to set up their secret key and google-authenticator-libpam settings, which live in ~/.google_authenticator, by running the google-authenticator binary on the server. They will be shown a QR code that can be scanned into a two-factor authentication mobile app such as Authy or Google Authenticator. The next time the user runs sudo, they will be asked for their system password and a one-time passcode.


Once all your users who use sudo have setup their google authenticator secret key, you should remove nullok from /etc/pam.d/sudo
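The three mistakes the walkthrough warns about (a wrong module path, the module listed after auth include system-auth, and nullok left in place once everyone is enrolled) are easy to check for with a small script. The following is an added example, not part of the original post or of the google-authenticator-libpam project; the function names are my own, and it assumes the config lives at /etc/pam.d/sudo, that PAM resolves a bare module name under /usr/lib64/security (the directory in the error message above), and that home directories sit under /home.

```shell
#!/usr/bin/env bash
# Added example: audit a /etc/pam.d/sudo-style file for the pitfalls
# described above, and list users who still lack ~/.google_authenticator.
# Every function takes its paths as arguments so it can be run against
# constructed files as well as the live system.

# Line number of the first auth line that loads pam_google_authenticator.so.
ga_line() {
    grep -n -E '^auth[[:space:]].*pam_google_authenticator\.so' "$1" | head -n1 | cut -d: -f1
}

# Line number of the first "auth include system-auth" line.
sysauth_line() {
    grep -n -E '^auth[[:space:]]+include[[:space:]]+system-auth' "$1" | head -n1 | cut -d: -f1
}

# The module path (or bare name) as written on the pam_google_authenticator.so line.
ga_path() {
    grep -E '^auth[[:space:]].*pam_google_authenticator\.so' "$1" | head -n1 \
        | grep -o -E '[^[:space:]]*pam_google_authenticator\.so' || true
}

# 0 if the module is listed before "auth include system-auth", 1 otherwise.
check_order() {
    local ga sa
    ga=$(ga_line "$1")
    sa=$(sysauth_line "$1")
    [ -n "$ga" ] && [ -n "$sa" ] && [ "$ga" -lt "$sa" ]
}

# 0 if the configured module path exists on disk. A bare name is resolved
# under $2 (default /usr/lib64/security, where PAM looked in the error above).
check_path() {
    local p secdir=${2:-/usr/lib64/security}
    p=$(ga_path "$1")
    [ -n "$p" ] || return 1
    case "$p" in
        /*) [ -f "$p" ] ;;
        *)  [ -f "$secdir/$p" ] ;;
    esac
}

# 0 if nullok is still present on the module line (fine during rollout,
# but it means users without a secret bypass the second factor).
has_nullok() {
    grep -E '^auth[[:space:]].*pam_google_authenticator\.so.*nullok' "$1" >/dev/null
}

# Print the name of each home directory under $1 with no .google_authenticator yet.
users_without_secret() {
    local d
    for d in "$1"/*/; do
        [ -d "$d" ] || continue
        [ -f "$d/.google_authenticator" ] || basename "$d"
    done
}

# Human-readable report; exit status is non-zero on a hard failure.
audit_sudo_pam() {
    local cfg=${1:-/etc/pam.d/sudo} secdir=${2:-/usr/lib64/security} homes=${3:-/home} rc=0
    if check_path "$cfg" "$secdir"; then
        echo "ok:   module path in $cfg exists"
    else
        echo "FAIL: module path in $cfg does not exist (sudo will log 'PAM unable to dlopen')"; rc=1
    fi
    if check_order "$cfg"; then
        echo "ok:   module is listed before 'auth include system-auth'"
    else
        echo "FAIL: module must appear before 'auth include system-auth'"; rc=1
    fi
    if has_nullok "$cfg"; then
        echo "warn: nullok still present; users without a secret are not challenged:"
        users_without_secret "$homes" | sed 's/^/      /'
    else
        echo "ok:   nullok removed"
    fi
    return $rc
}

# Run the audit only when invoked as "script.sh run [config] [secdir] [homes]",
# so the file can also be sourced for its functions.
if [ "${1:-}" = "run" ]; then
    audit_sudo_pam "${2:-/etc/pam.d/sudo}" "${3:-/usr/lib64/security}" "${4:-/home}"
fi
```

Running it as root with `bash audit.sh run` reports against the live /etc/pam.d/sudo; the per-user list under the nullok warning is the set of accounts that must still run google-authenticator before nullok can safely be dropped.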

System Specialist, Linux Pilgrim, El-Kernel