Fedora Cockpit two factor authentication (2FA)

Recent versions of Fedora include a great management interface, called Cockpit. If you don’t know it, check it out here: https://fedoramagazine.org/cockpit-overview/

Of course, authentication for a management interface should never be just a username and password, so I wanted to add a second factor using TOTP. Using Google Authenticator, this is fairly easy to do.

First, install the google-authenticator package:

sudo dnf install google-authenticator

Second, while logged in to your regular user account (!), run google-authenticator to generate a secret key and have it create the ~/.google-authenticator file.

google-authenticator

Simply scan the QR code, or enter the secret key directly in your favorite TOTP app, for instance Google Authenticator (https://play.google.com/store/apps/details?id=com.google.android.apps.authenticator2).

Third, you need to update PAM, so it will use the google-authenticator module for Cockpit.

Edit the file /etc/pam.d/cockpit. I use nano for this:

sudo nano /etc/pam.d/cockpit

At the bottom of that file, add the following two lines:

# TOTP using google-authenticator
auth required pam_google_authenticator.so

Save the file 😉

Now restart Cockpit…

sudo systemctl restart cockpit

…and access the Cockpit login screen at https://your.server.tld:9090

It will first ask for your credentials, as usual. When you enter them correctly, it will ask for a “verification code”. Use the TOTP code from your app, and if everything works, you’re in 🙂
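
To confirm the PAM change does what is intended, the following added example (not part of the original post) reports how a PAM service file applies pam_google_authenticator.so and whether a secret file is private to its owner. The function names pam_totp_state and totp_secret_state are hypothetical; nullok is an option of the module that the line above does not use, and the sample file is constructed.

```shell
#!/bin/sh
# Added example (not from the original post): report how a PAM service file
# applies pam_google_authenticator.so. Prints one of:
#   enforced       control is required/requisite and nullok is absent
#   nullok         users without a secret file log in with the password alone
#   weak:<control> control flag does not make the code mandatory
#   missing        no auth line loads the module (or the file is unreadable)
pam_totp_state() {
    [ -r "$1" ] || { echo "missing"; return 0; }
    awk '
        /^[ \t]*#/ { next }                       # skip comment lines
        $1 == "auth" {
            mod = 0
            for (i = 3; i <= NF; i++)
                if ($i ~ /pam_google_authenticator\.so$/) { mod = i; break }
            if (!mod) next
            ctl = $2                              # control may span fields: [a=b c=d]
            for (i = 3; i < mod; i++) ctl = ctl " " $i
            nullok = 0
            for (i = mod + 1; i <= NF; i++) if ($i == "nullok") nullok = 1
            if (ctl != "required" && ctl != "requisite") state = "weak:" ctl
            else if (nullok) state = "nullok"
            else state = "enforced"
            found = 1; exit                       # first matching line decides
        }
        END { print (found ? state : "missing") }
    ' "$1"
}

# Report whether a TOTP secret file is private to its owner.
# Prints: absent | private | exposed (group or others have some access).
totp_secret_state() {
    [ -f "$1" ] || { echo "absent"; return 0; }
    if [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]; then echo "private"
    else echo "exposed"; fi
}

# Constructed sample: the two lines this post appends to /etc/pam.d/cockpit.
sample=$(mktemp)
printf '%s\n' '# TOTP using google-authenticator' \
    'auth required pam_google_authenticator.so' > "$sample"
echo "sample PAM file: $(pam_totp_state "$sample")"   # enforced
rm -f "$sample"
```

On the server itself, call pam_totp_state /etc/pam.d/cockpit and totp_secret_state ~/.google-authenticator. With the required line and no nullok, any account that has not run google-authenticator yet cannot log in to Cockpit.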