Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

GUI setup of two factor authentication #15860

Open
Justinzobel opened this issue May 25, 2021 · 10 comments
Open

GUI setup of two factor authentication #15860

Justinzobel opened this issue May 25, 2021 · 10 comments
Labels
enhancement

Comments

@Justinzobel
Copy link

Page:

A feature within the web interface to setup and enable 2FA for users would be really good.

Cockpit is really powerful and in that way extra security should be available without extra workarounds.
@martinpitt
Copy link
Member

You can set up 2FA with e.g. the PAM Google Authenticator (for a single machine) or centrally if you use identity, e.g. with FreeIPA. There should not be any workarounds necessary for Cockpit, it uses the normal global PAM authentication settings.

You can restrict 2FA to cockpit logins only if you configure it in /etc/pam.d/cockpit instead of /etc/pam.d/system-auth (or the equivalent Debian/Ubuntu file).

@martinpitt martinpitt changed the title [Feature Request] Two Factor Authentication GUI setup of two factor authentication May 25, 2021
@Justinzobel
Copy link
Author

A GUI setup would be nice to add. So I can log in to cockpit once my server is up, enable 2FA and get a QR code to scan on the web page without having to touch a terminal.

@BijSven
Copy link

BijSven commented Mar 24, 2023

Is this feature coming?

@jelly
Copy link
Member

jelly commented Mar 24, 2023

The Cockpit Team is not actively working on this feature, we welcome anyone to contribute this feature. So if you have any questions feel free to ask them.

@brolifen
Copy link

I hope someone picks this up as cyber security is no joke. A lot of people that use cockpit have limited Linux knowledge in the first place, so to provide this as an out of box UI option would not only make cockpit more secure but would secure a lot of environments with limited Linux skill sets.

@poVoq
Copy link

poVoq commented Jun 26, 2023

Looks like this was implemented for the nethserver fork: https://community.nethserver.org/t/2fa-or-two-factor-authentication-with-cockpit/14172

Would be cool if that could be back-ported to vanilla cockpit.

@jelly
Copy link
Member

jelly commented Jul 3, 2023

Looks like this was implemented for the nethserver fork: https://community.nethserver.org/t/2fa-or-two-factor-authentication-with-cockpit/14172

Would be cool if that could be back-ported to vanilla cockpit.

If you use 2FA with Cockpit via PAM I believe this should just work out of the box. Having this documented might be nice.

@brolifen
Copy link

brolifen commented Aug 21, 2023
edited

Looks like this was implemented for the nethserver fork: https://community.nethserver.org/t/2fa-or-two-factor-authentication-with-cockpit/14172
Would be cool if that could be back-ported to vanilla cockpit.

If you use 2FA with Cockpit via PAM I believe this should just work out of the box. Having this documented might be nice.

It does indeed work but a GUI option would be very nice. For the people that come across this issue and want to enable MFA right now here is a one liner:

sudo dnf install google-authenticator qrencode-libs -y;google-authenticator -t -d -f -r 3 -R 30 -W -Q UTF8; sudo bash -c 'echo "auth required pam_google_authenticator.so nullok" >> /etc/pam.d/cockpit';sudo systemctl restart cockpit;

Please someone make this a GUI option

@JaneX8
Copy link

JaneX8 commented Jan 15, 2024

It does indeed work but a GUI option would be very nice. For the people that come across this issue and want to enable MFA right now here is a one liner:

sudo dnf install google-authenticator qrencode-libs -y;google-authenticator -t -d -f -r 3 -R 30 -W -Q UTF8; sudo bash -c 'echo "auth required pam_google_authenticator.so nullok" >> /etc/pam.d/cockpit';sudo systemctl restart cockpit;

Please someone make this a GUI option

I agree that a GUI option is needed and thanks for pointing out this config file. However, why are you using nullok in the end? Doesn't that mean if no config, ignore this PAM module, so perhaps accidentally bypassing 2FA? I think it is safer to use auth required pam_google_authenticator.so (without nullok) instead. Or am I missing something?

@shr0048
Copy link

shr0048 commented Feb 9, 2024
edited

@JaneX8

Great guide for who need 2-fa auth!

Here for Debian / Ubuntu users version

sudo apt-get install libpam-google-authenticator libqrencode-dev -y

google-authenticator -t -d -f -r 3 -R 30 -W -Q UTF8

sudo bash -c 'echo "auth required pam_google_authenticator.so nullok" >> /etc/pam.d/cockpit'

sudo systemctl restart cockpit

save back-up code and emergency scratch codes somewhere safe!

  • I think nullok option is not that strange option in this case, It guarantees security and flexibility to users, (if google-authenticator works properly, 2FA will be applied, and if google-authenticator does not work properly, 1FA will be applied)

@jelly jelly mentioned this issue Apr 29, 2024
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
enhancement
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
9 participants
@jelly @martinpitt @poVoq @Justinzobel @JaneX8 @KKoukiou @brolifen @shr0048 @BijSven