Open Justinzobel opened 3 years ago
You can set up 2FA with e.g. the PAM Google Authenticator (for a single machine) or centrally if you use identity, e.g. with FreeIPA. There should not be any workarounds necessary for Cockpit, it uses the normal global PAM authentication settings.
You can restrict 2FA to cockpit logins only if you configure it in /etc/pam.d/cockpit instead of /etc/pam.d/system-auth (or the equivalent Debian/Ubuntu file).
A GUI setup would be nice to add. So I can log in to cockpit once my server is up, enable 2FA and get a QR code to scan on the web page without having to touch a terminal.
Is this feature coming?
The Cockpit Team is not actively working on this feature, we welcome anyone to contribute this feature. So if you have any questions feel free to ask them.
I hope someone picks this up as cyber security is no joke. A lot of people that use cockpit have limited Linux knowledge in the first place, so to provide this as an out of box UI option would not only make cockpit more secure but would secure a lot of environments with limited Linux skill sets.
Looks like this was implemented for the nethserver fork: https://community.nethserver.org/t/2fa-or-two-factor-authentication-with-cockpit/14172
Would be cool if that could be back-ported to vanilla cockpit.
Looks like this was implemented for the nethserver fork: https://community.nethserver.org/t/2fa-or-two-factor-authentication-with-cockpit/14172
Would be cool if that could be back-ported to vanilla cockpit.
If you use 2FA with Cockpit via PAM I believe this should just work out of the box. Having this documented might be nice.
Looks like this was implemented for the nethserver fork: https://community.nethserver.org/t/2fa-or-two-factor-authentication-with-cockpit/14172 Would be cool if that could be back-ported to vanilla cockpit.
If you use 2FA with Cockpit via PAM I believe this should just work out of the box. Having this documented might be nice.
It does indeed work but a GUI option would be very nice. For the people that come across this issue and want to enable MFA right now here is a one liner:
sudo dnf install google-authenticator qrencode-libs -y;google-authenticator -t -d -f -r 3 -R 30 -W -Q UTF8; sudo bash -c 'echo "auth required pam_google_authenticator.so nullok" >> /etc/pam.d/cockpit';sudo systemctl restart cockpit;
Please someone make this a GUI option
It does indeed work but a GUI option would be very nice. For the people that come across this issue and want to enable MFA right now here is a one liner:
sudo dnf install google-authenticator qrencode-libs -y;google-authenticator -t -d -f -r 3 -R 30 -W -Q UTF8; sudo bash -c 'echo "auth required pam_google_authenticator.so nullok" >> /etc/pam.d/cockpit';sudo systemctl restart cockpit;
Please someone make this a GUI option
I agree that a GUI option is needed and thanks for pointing out this config file. However, why are you using nullok
in the end? Doesn't that mean if no config, ignore this PAM module
, so perhaps accidentally bypassing 2FA? I think it is safer to use auth required pam_google_authenticator.so
(without nullok) instead. Or am I missing something?
@JaneX8
Great guide for who need 2-fa auth!
Here for Debian / Ubuntu users version
sudo apt-get install libpam-google-authenticator libqrencode-dev -y
google-authenticator -t -d -f -r 3 -R 30 -W -Q UTF8
sudo bash -c 'echo "auth required pam_google_authenticator.so nullok" >> /etc/pam.d/cockpit'
sudo systemctl restart cockpit
save back-up code and emergency scratch codes somewhere safe!
Page:
A feature within the web interface to setup and enable 2FA for users would be really good.
Cockpit is really powerful and in that way extra security should be available without extra workarounds.