By configuring the google-authenticator PAM module for sudo, you can require system users to authenticate with both a one-time passcode and their system password before sudo will run anything.


The Google Authenticator project includes implementations of one-time passcode generators for several mobile platforms, as well as a pluggable authentication module (PAM).

To set this up on CentOS 7, we'll build and install the google-authenticator PAM module and then update the server's PAM configuration for sudo.

First, install the tools required to build the google-authenticator PAM module.

# yum install -y git autoconf automake make libtool pam-devel

Clone the google-authenticator git repo, then build and install the PAM module.

# git clone
# cd google-authenticator/libpam
# ./
# ./configure
# make
# make install

This will install the google-authenticator binary and the PAM module under /usr/local.

Before continuing, log in as root in a separate session and do not exit from that login while making changes to your system. A mistake in the PAM configuration could lock you out of sudo and of the root account.

Edit /etc/pam.d/sudo so that it reads as follows. The first auth line is the new one; the remaining lines are the stock CentOS 7 contents of the file.

auth       required     /usr/local/lib/security/ forward_pass nullok
auth       include      system-auth
account    include      system-auth
password   include      system-auth
session    optional revoke
session    required

It is important that the path used to define the module is correct, or else PAM will not be able to find it and sudo will log an error like the following (and refuse to authenticate anyone, since the module is marked required).

Dec 21 09:25:34 server sudo: PAM unable to dlopen(/usr/lib64/security/ /usr/lib64/security/ cannot open shared object file: No such file or directory
Dec 21 09:25:34 server sudo: PAM adding faulty module: /usr/lib64/security/

It is also important that the google-authenticator line comes before the 'auth include system-auth' line within /etc/pam.d/sudo, since PAM evaluates the auth stack in order.

Any user who will need to use sudo now has to set up their secret key and google-authenticator settings, which live in ~/.google_authenticator, by running the google-authenticator binary on the server. They will be shown a QR code that can be scanned into a two-factor authentication mobile app such as Authy or Google Authenticator.

The next time a user runs sudo, they will be asked for their system password and a one-time passcode.

Once all of your users who use sudo have set up their google-authenticator secret key, remove nullok from /etc/pam.d/sudo. While nullok is present, any user without a ~/.google_authenticator file is let through on their system password alone, so the second factor is not actually enforced until it is gone.
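The checks the post warns about (a module path PAM cannot dlopen, the module line placed after 'auth include system-auth', and nullok left in place after enrolment) are easy to script. The following pre-flight check is an added example, not code from the original post or from the google-authenticator project. It assumes the module file is called pam_google_authenticator.so (the name the upstream libpam build produces, which the post does not show) and that a relative module name resolves under /lib64/security, PAM's default module directory on CentOS 7. The sample PAM files, module stub and home directories it runs against are constructed in a temporary directory so it never touches the real /etc/pam.d/sudo.

```shell
#!/bin/sh
# Added example, not part of the original post: a pre-flight check for the
# /etc/pam.d/sudo edit described above. It catches the two mistakes the post
# warns about (a module path PAM cannot dlopen, and the module line placed
# after "auth include system-auth"), reports whether nullok is still set, and
# lists users who have not yet run google-authenticator. Assumptions: the
# module file is called pam_google_authenticator.so (the name the upstream
# libpam build produces; the post does not show it) and a relative module
# name resolves under /lib64/security, PAM's default directory on CentOS 7.

# check_pam_sudo FILE
# Prints one line per finding. Returns 0 when there are no errors, 1 otherwise.
check_pam_sudo() {
    f=$1
    rc=0
    [ -r "$f" ] || { echo "ERROR: cannot read $f"; return 1; }

    # 1-based line numbers of the two lines whose order matters (first match of each).
    ga=$(grep -n -E '^[[:space:]]*auth[[:space:]].*pam_google_authenticator\.so' "$f" | head -n 1 | cut -d: -f1)
    sa=$(grep -n -E '^[[:space:]]*auth[[:space:]]+include[[:space:]]+system-auth' "$f" | head -n 1 | cut -d: -f1)

    if [ -z "$ga" ]; then
        echo "ERROR: no auth line for pam_google_authenticator.so in $f"
        return 1
    fi
    line=$(sed -n "${ga}p" "$f")

    # The module is the third field (type, control, module, options...).
    mod=$(printf '%s\n' "$line" | awk '{print $3}')
    case $mod in
        /*) ;;                                  # absolute path, check as given
        *)  mod=/lib64/security/$mod ;;         # default PAM module directory
    esac
    if [ ! -f "$mod" ]; then
        echo "ERROR: $mod does not exist; sudo would log 'PAM unable to dlopen'"
        rc=1
    fi

    # The module must run before system-auth, or it never gets a say on sudo.
    if [ -z "$sa" ]; then
        echo "WARN: no 'auth include system-auth' line found"
    elif [ "$ga" -gt "$sa" ]; then
        echo "ERROR: module line $ga comes after 'auth include system-auth' on line $sa"
        rc=1
    fi

    # nullok lets users with no ~/.google_authenticator skip the OTP entirely.
    if printf '%s\n' "$line" | grep -q -E '(^|[[:space:]])nullok([[:space:]]|$)'; then
        echo "WARN: nullok is set; remove it once every sudo user has enrolled"
    else
        echo "OK: nullok not set; a one-time passcode is required for everyone"
    fi
    return $rc
}

# unenrolled_users HOMEROOT USER...
# Prints each USER with no $HOMEROOT/USER/.google_authenticator. On a real
# host take the home directory from getent passwd rather than assuming /home.
unenrolled_users() {
    root=$1
    shift
    for u in "$@"; do
        [ -f "$root/$u/.google_authenticator" ] || echo "$u"
    done
}

# --- Constructed demo data so this runs without touching the real system. ---
demo=$(mktemp -d)
trap 'rm -rf "$demo"' EXIT
mkdir -p "$demo/lib/security" "$demo/home/alice" "$demo/home/bob"
: > "$demo/lib/security/pam_google_authenticator.so"   # stand-in for the built module
echo ABCDEFGHIJKLMNOP > "$demo/home/alice/.google_authenticator"  # alice enrolled, bob not

# Correct layout: module first, with a path that exists (nullok still on).
cat > "$demo/sudo.good" <<EOF
auth       required     $demo/lib/security/pam_google_authenticator.so forward_pass nullok
auth       include      system-auth
account    include      system-auth
password   include      system-auth
EOF

# Both mistakes at once: module after system-auth, and a path that does not exist.
cat > "$demo/sudo.bad" <<EOF
auth       include      system-auth
auth       required     $demo/missing/pam_google_authenticator.so forward_pass
account    include      system-auth
password   include      system-auth
EOF

echo "== $demo/sudo.good"; check_pam_sudo "$demo/sudo.good" || echo "(errors found)"
echo "== $demo/sudo.bad";  check_pam_sudo "$demo/sudo.bad"  || echo "(errors found)"
echo "== not yet enrolled:"; unenrolled_users "$demo/home" alice bob
```

On a real host, run check_pam_sudo against /etc/pam.d/sudo from the root session you kept open, and feed unenrolled_users the members of wheel (or whichever users sudoers grants) before you take nullok out; anyone it prints would be locked out of sudo the moment nullok is removed.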
