Recent versions of Fedora include a great management interface, called Cockpit. If you don’t know it, check it out here: https://fedoramagazine.org/cockpit-overview/
Of course, authentication for a management interface should never be just a username and password, so I wanted to add a second factor using TOTP. Using Google Authenticator, this is fairly easy to do.
First, install the google-authenticator package:
sudo dnf install google-authenticator
Second, while logged in to your regular user account (!), run google-authenticator to generate a secret key and have it write the ~/.google-authenticator file.
Simply scan the QR code, or enter the secret key directly in your favorite TOTP app, for instance Google Authenticator (https://play.google.com/store/apps/details?id=com.google.android.apps.authenticator2).
Third, you need to update PAM, so it will use the google-authenticator module for Cockpit.
Edit the file /etc/pam.d/cockpit. I use nano for this:
sudo nano /etc/pam.d/cockpit
At the bottom of that file, add the following two lines:
# TOTP using google-authenticator
auth required pam_google_authenticator.so
Finally, restart Cockpit:
sudo systemctl restart cockpit
Cockpit will first ask for your credentials, as usual. When you enter them correctly, it will ask for a “verification code”. Use the TOTP code from your app, and if everything works, you’re in 🙂
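To check the PAM change after editing, here is an added example (not part of the original post) that audits a PAM service file for the line above and checks that the secret file is private to its owner. The function names check_pam_totp and check_totp_secret are hypothetical, and the sample file is constructed from the two lines shown in this post.

```shell
#!/bin/sh
# Added example: audit the PAM change from this post.
# check_pam_totp FILE -> 0 enforced, 1 module line missing, 2 present but weakened
check_pam_totp() {
    pam_file=$1
    [ -r "$pam_file" ] || { echo "cannot read $pam_file" >&2; return 1; }
    awk '
        /^[[:space:]]*#/ { next }          # commented-out lines do not count
        $1 == "auth" {
            for (i = 3; i <= NF; i++)
                if ($i ~ /pam_google_authenticator\.so$/) hit = 1
            if (!hit) next
            found = 1; hit = 0
            # Anything other than required/requisite (sufficient, optional,
            # bracket syntax) is reported as weakened rather than parsed.
            if ($2 != "required" && $2 != "requisite") weak = 1
            # nullok lets accounts without a secret file skip the code prompt.
            for (i = 3; i <= NF; i++) if ($i == "nullok") weak = 1
        }
        END { if (!found) exit 1; if (weak) exit 2; exit 0 }
    ' "$pam_file"
}

# check_totp_secret FILE -> 0 if it exists and grants nothing to group/other
check_totp_secret() {
    [ -f "$1" ] || { echo "no secret file: $1" >&2; return 1; }
    perms=$(ls -ld "$1" | cut -c5-10)
    [ "$perms" = "------" ] || { echo "$1 is group/other accessible" >&2; return 1; }
}

# Constructed sample: the two lines the post appends to /etc/pam.d/cockpit.
sample=$(mktemp)
printf '%s\n' '# TOTP using google-authenticator' \
    'auth required pam_google_authenticator.so' > "$sample"
check_pam_totp "$sample" && echo "TOTP enforced in sample"
rm -f "$sample"

# On the real system:
#   check_pam_totp /etc/pam.d/cockpit
#   check_totp_secret "$HOME/.google-authenticator"
```

With the line exactly as given in this post (no nullok), any account that has not run google-authenticator cannot complete a Cockpit login, so run the second check for every user who needs access.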