
Support for Two Factor Authentication for CLI access via Google Authenticator


Google Authenticator is a software token that implements two-step verification services using the Time-based One-time Password Algorithm (TOTP) and HMAC-based One-time Password Algorithm (HOTP), for authenticating users of mobile applications by Google. The service implements algorithms specified in RFC 6238 and RFC 4226, respectively.

On Linux-based systems Google Authenticator can be used to provide 2FA support via PAM and on Debian-based systems using the libpam-google-authenticator package.

2FA support would help VyOS meet security requirements for the use as critical infrastructure under emerging standards including NIST 800-171.


Difficulty level: Unknown (requires assessment)
Why the issue appeared?: Will be filled on close

Event Timeline

rps created this task. Oct 5 2018, 4:23 AM
rps added a comment. Oct 5 2018, 4:29 AM

May be duplicate of T483

syncer triaged this task as Low priority. Oct 7 2018, 2:21 AM

Having lifted the hood and bent a few rules....


deb squeeze main
deb squeeze-lts main

to /etc/apt/sources.list

apt-get install libqrencode3

Then runs without issue.

I then have to wget a package as google-authenticator doesn't exist in squeeze


and dpkg -i the libpam.... package

This installed on 1.1.8 without issue or warning.

I then added "auth required" to the end of /etc/pam.d/sshd

I then modified /etc/ssh/sshd_config to have "ChallengeResponseAuthentication No" --> Yes

su'ing to the user created by VyOS ("set system login user XXXX etc..")
and running the google-authenticator CLI script creates the appropriate .google-authenticator in the /home/USER directory, and SSH MFA login then proceeds.

So how do I do this officially? Or get the work done for this to be official?

c-po added a subscriber: c-po. Nov 28 2018, 7:17 AM

What do you propose as CLI syntax?

So exploring some wider thoughts.

My current configuration is for 2FA for all users, and if they haven't configured the google-authenticator they fail.

So we would need an "Apply 2FA to THESE specific users" feature as well.

pam_listfile can do this, by being a filter to what users a pam configuration apply to.

So you "enable" a system login user for MFA, which should add their username to the text file pam_listfile listens to.
You then "enable an MFA provider" (in our case Google Authenticator as a first option).

This would add the pam configuration lines for sshd

so /etc/pam.d/sshd would look like:

auth requisite item=user sense=allow file=/etc/mfausers
auth sufficient
auth required

May also just need to append 'nullok' to the pam gauth line config, which still allows users who haven't set up a key to log in. May need a config option of 'enforcing' & 'allowing' to control this.

Ideas for CLI:

'set system login user USERNAME authentication mfa enable'

For google-authenticator you could have admins pre-generate the keys and supply them SSH RSA key style:

'set system login user USERNAME authentication mfa gauth key ksj3hdd3fksjdhf8'
This by default needs to be in ~/.google-authenticator

But you can use a secret=/path/to/user/gauth-key-file in the pam module, and put these key files anywhere. e.g. "auth required secret=/config/auth/ovpn/gauth/${USER}"

Then, to make a service MFA enabled:
set service ssh mfa enable
set service ssh mfa provider 'google-authenticator'

For OpenVPN it would hide out in the interfaces branch:
set openvpn vtun# mfa enable
set openvpn vtun# mfa provider 'google-authenticator'
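As an added illustration (not code from this task or from VyOS), the RFC 6238 check that the Google Authenticator PAM module performs, plus the per-user policy proposed above (an MFA user list standing in for the pam_listfile file, per-user keys kept outside ~ as with `secret=`, and an enforcing/allowing switch behaving like `nullok`). The user names, keys and MFA_USERS set are constructed; the key is the RFC 6238 test secret in base32.

```python
import base64
import hashlib
import hmac
import struct

# RFC 4226 HOTP / RFC 6238 TOTP with the parameters Google Authenticator
# uses: HMAC-SHA1, 30-second time step, 6-digit codes.
def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation (RFC 4226 5.3)
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    return hotp(secret, at // step, digits)

def decode_b32(key: str) -> bytes:
    # The first line of ~/.google-authenticator is the base32 secret without
    # '=' padding (assumption); restore the padding so b32decode accepts it.
    key = key.strip().upper().replace(" ", "")
    return base64.b32decode(key + "=" * (-len(key) % 8))

def verify(key_b32: str, code: str, at: int, window: int = 1) -> bool:
    # Accept the current step plus `window` steps either side (clock skew),
    # comparing each candidate in constant time.
    secret = decode_b32(key_b32)
    return any(hmac.compare_digest(totp(secret, at + n * 30), code)
               for n in range(-window, window + 1))

# Constructed stand-ins for the proposal: the pam_listfile user list
# (/etc/mfausers) and per-user key files addressed via `secret=`.
MFA_USERS = {"alice", "bob"}
GAUTH_KEYS = {"alice": "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"}   # bob has no key yet

def login_allowed(user: str, code: str, at: int, mode: str = "enforcing") -> bool:
    """MFA factor decision for one user; mode 'allowing' behaves like nullok.
    Password/key authentication is assumed to be handled by the rest of the stack."""
    if user not in MFA_USERS:
        return True                      # MFA not enabled for this user
    key = GAUTH_KEYS.get(user)
    if key is None:
        return mode == "allowing"        # nullok: no key file -> still let them in
    return verify(key, code, at)
```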

pasik added a subscriber: pasik. Mar 12 2019, 6:09 PM
syncer assigned this task to hagbard. Apr 18 2019, 12:20 AM
syncer raised the priority of this task from Low to Normal.