May 4, 2024

Enabling MFA/2FA/OTP for sudo on your Linux servers

In today’s digital landscape, where cyber threats loom large, safeguarding sensitive data and systems is paramount. Linux servers, often the backbone of many operations, require robust security measures to thwart unauthorized access. One effective way to bolster security is to require Multi-Factor Authentication (MFA), also known as Two-Factor Authentication (2FA) or One-Time Password (OTP) authentication, for the ‘sudo’ command, which grants elevated privileges.

Why is MFA/2FA/OTP Crucial for Sudo?

The ‘sudo’ command grants users administrative privileges on Linux systems, allowing them to execute commands with elevated permissions. However, relying solely on passwords for sudo access poses significant security risks. Passwords can be compromised through various means like phishing attacks, brute-force attempts, or data breaches. Once attackers obtain sudo access, they can wreak havoc on servers, compromising data integrity and system functionality.

Implementing MFA/2FA/OTP adds an extra layer of security, requiring users to provide an additional authentication factor beyond their password. This additional step makes it considerably harder for unauthorized users to gain sudo access, even if they manage to steal or crack passwords. MFA/2FA/OTP typically combines something the user knows (a password) with something they have (e.g., a smartphone or hardware token), significantly reducing the risk of unauthorized access.

How to Enable MFA/2FA/OTP for Sudo on Linux Servers with Google Authenticator

Enabling MFA/2FA/OTP for sudo on Linux servers is a proactive step towards fortifying your server’s security posture. Here’s a step-by-step guide to get you started on Red Hat Enterprise Linux and its derivatives such as Rocky Linux, AlmaLinux, CentOS, and others:

  1. Install the Google Authenticator package:
     sudo yum install -y epel-release
     sudo yum install -y google-authenticator
  2. Configure Google Authenticator for your user account. Make sure you have the Google Authenticator app installed on your iOS or Android device first:
     google-authenticator
  3. Finally, configure the PAM module for sudo so that your verification code is required whenever a Google Authenticator-enabled user (only you at the moment) runs the sudo command. In the file /etc/pam.d/sudo, add this line at the top:
     auth required pam_google_authenticator.so nullok
    • Note: Just in case you mess this up, keep another session open where you have already switched to the root user.
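As an added example (not from the original post), the procedure above as a small POSIX shell script: one function inserts the PAM line at the top of a service file only if it is not already there, and another lists users whose home directory has no ~/.google_authenticator secret. That second list matters because nullok tells pam_google_authenticator to skip the OTP prompt for users who have not enrolled, so they can keep using sudo with a password alone. The PAM file, passwd file and home root are passed as arguments (an assumption for testability; on a real server use /etc/pam.d/sudo, /etc/passwd and / as root).

```shell
#!/bin/sh
# Added example, not the original post's code: idempotent PAM setup plus
# an enrollment audit for the nullok gap described in step 3.

PAM_LINE='auth required pam_google_authenticator.so nullok'

# ensure_pam_line FILE
# Put PAM_LINE as the first line of FILE unless the module is already
# referenced; re-running the script must not stack duplicate entries.
ensure_pam_line() {
    file="$1"
    if grep -qF 'pam_google_authenticator.so' "$file"; then
        return 0                      # already configured, nothing to do
    fi
    tmp="$(mktemp)"
    { printf '%s\n' "$PAM_LINE"; cat "$file"; } > "$tmp"
    cat "$tmp" > "$file"              # write in place to keep mode/owner
    rm -f "$tmp"
}

# unenrolled_users PASSWD_FILE HOME_ROOT
# Print login names (uid >= 1000, i.e. non-system accounts) whose home,
# resolved under HOME_ROOT, has no .google_authenticator secret. With
# nullok in place these accounts still get sudo on a password alone, so
# this is the residual exposure to review before rolling out widely.
unenrolled_users() {
    passwd="$1"; root="$2"
    while IFS=: read -r name pw uid gid gecos home shell; do
        [ "$uid" -ge 1000 ] || continue
        [ -f "$root$home/.google_authenticator" ] || echo "$name"
    done < "$passwd"
}

# Typical use on a server (run as root):
#   ensure_pam_line /etc/pam.d/sudo
#   unenrolled_users /etc/passwd ""
```

Run the audit on every server you apply the PAM change to; once the list is empty you know no account is relying on the nullok exemption.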

How to Level Up Your Security Using this Method

Congrats, you just enhanced the security of one server! You can do the same on your other servers too, and here are some tips and tricks:

  • Since your Google Authenticator configuration lives in your home directory, you can deploy a shared home directory across all of your servers. This lets you use the same Google Authenticator code on every server.
  • Use Ansible to configure your servers with identical settings for /etc/pam.d/sudo and your shared home directory
  • If using Active Directory, configure SSSD to allow for AD authentication across servers
  • Instead of adding AD users to the wheel group, add an AD group to /etc/sudoers.d/ad-sudoer

Implementing MFA/2FA/OTP for sudo on Linux servers is a proactive measure to enhance security and mitigate the risk of unauthorized access. By adding an extra layer of authentication, organizations can significantly bolster their server’s defenses against cyber threats. Remember, security is a continuous process, so stay vigilant, keep systems updated, and adapt security measures to evolving threats. Strengthen your server’s security posture today by embracing MFA/2FA/OTP for sudo access.