Enable 2FA authentication for XRDP for remote access on SLES 15 with Google Authenticator PAM module

This document (000020659) is provided subject to the disclaimer at the end of this document.

Environment

SUSE Linux Enterprise Server 15 SP3
SUSE Linux Enterprise Desktop 15 SP3

Situation

This document details how to enable two factor authentication (2FA) for XRDP for remote access on SLES 15 SP3 using Google Authenticator.

At the end of the procedure it should be possible to use a mobile phone app such as Authy or Google Authenticator to provide a second factor, a Time-based One-Time Password (TOTP), when remotely logging in to a SLES 15 SP3 or SLED 15 SP3 system with any RDP client.

Important notice: google-authenticator-libpam and qrencode packages come from SUSE PackageHub. SUSE does not provide any support, assistance or guarantees with regard to the software provided by the packages. While the packages from the SUSE PackageHub are not officially supported by SUSE, SUSE Linux Enterprise Server remains supported and supportable when using these packages.

Resolution

Pre-requisites

  • A mobile phone with the Authy app or Google Authenticator installed.
  • A SLES 15 SP3 system with GUI installed.
  • XRDP service installed and started.
  • Firewall configured to permit access on port 3389/TCP  (RDP).

Configuration

Enable and start chronyd (TOTP codes are only valid within a short window, so the system clock must be accurate):
systemctl enable --now chronyd.service
Enable SUSE PackageHub repository:
SUSEConnect -p PackageHub/15.3/x86_64
Install google-authenticator-libpam and qrencode packages:
zypper install google-authenticator-libpam
zypper install qrencode
Create two new files, /etc/pam.d/password-auth-ga and /etc/pam.d/gdm-password-ga, with the following content:
/etc/pam.d/password-auth-ga
#%PAM-1.0
#
auth    required    pam_env.so
auth    optional    pam_gnome_keyring.so
auth    required    pam_unix.so nullok use_first_pass
auth    sufficient  pam_sss.so use_first_pass


/etc/pam.d/gdm-password-ga
#%PAM-1.0
# GDM PAM standard configuration (with passwords)
auth     required       pam_google_authenticator.so forward_pass
auth     requisite      pam_nologin.so
auth     include        common-auth
auth     substack       password-auth-ga
session  required       pam_loginuid.so
account  include        common-account
password include        common-password
session  include        common-session
Edit /etc/pam.d/xrdp-sesman and comment out the common-auth include:
#auth       include     common-auth
...then add the 2FA stack in its place:
auth        include     gdm-password-ga
Note that gdm-password-ga lists pam_google_authenticator.so as required without the nullok option, so a user who has not yet run google-authenticator (see below) cannot log in over XRDP at all. That is the safe default; adding nullok would let every unenrolled user in with the password alone.
Example of /etc/pam.d/xrdp-sesman file configuration:
/etc/pam.d/xrdp-sesman
#%PAM-1.0
#auth       include     common-auth
auth        include     gdm-password-ga
account     include     common-account
session     include     common-session
session     optional    pam_keyinit.so force revoke
session     required    pam_loginuid.so
password    include     common-password
Log in to the system as the user you want to enable 2FA for, and in a terminal run this command:
google-authenticator -t -D -W -r 3 -R 30
The options can be customized according to the needs:
-t, --time-based         Set up time-based (TOTP) verification
-D, --allow-reuse        Allow reuse of previously used TOTP tokens
-W, --minimal-window     Disable window of concurrently valid codes
-r, --rate-limit=N       Limit logins to N per every M seconds
-R, --rate-time=M        Limit logins to N per every M seconds
Note that -D accepts the same code more than once while it is still valid, which removes the module's replay protection; its stricter counterpart is -d (--disallow-reuse), which rejects a code that has already been used once. -W disables the tolerance for the adjacent (previous/next) codes, so the clock synchronisation from the first step matters.
The command prints a URL for the QR code and, with qrencode installed, also draws the QR code in the terminal; scan it with Authy or Google Authenticator to enrol the TOTP secret. It also prints the secret key, a verification code and a set of emergency scratch codes, and writes them to ~/.google_authenticator in the user's home directory. Store the scratch codes safely: they are the fallback if the phone is lost, and anyone who can read that file can generate valid codes.
 
Once the changes are made it should be possible to log in over XRDP with any RDP client (KRDC, Remmina, ...) using the username and, in the password field, the password immediately followed by the six-digit TOTP with no separator (for a password of Passw0rd and a code of 123456: Passw0rd123456). The forward_pass option makes pam_google_authenticator.so take the trailing six digits as the code and hand the rest of the string to the following modules as the password.

Additional Information

To disable 2FA for XRDP, edit /etc/pam.d/xrdp-sesman and comment out or delete:
#auth include gdm-password-ga
and re-enable:
auth include common-auth
Example of /etc/pam.d/xrdp-sesman file:
/etc/pam.d/xrdp-sesman
#%PAM-1.0
auth       include     common-auth
#auth        include     gdm-password-ga
account     include     common-account
session     include     common-session
session     optional    pam_keyinit.so force revoke
session     required    pam_loginuid.so
password    include     common-password
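The PAM edits from the Configuration section and their reversal described just above, collected into one script. This is an added example and is not part of the SUSE document or of the xrdp project. It takes the pam.d directory as an argument (assumed to be /etc/pam.d when none is given) so the functions can first be tried on a scratch copy, keeps a .bak copy of xrdp-sesman before rewriting it, and refuses to insert the gdm-password-ga include twice. The stack contents are copied verbatim from the files listed in the procedure.

```shell
#!/bin/sh
# Added example, not from the SUSE TID or the xrdp project: apply or revert
# the /etc/pam.d edits described above. The pam.d directory is a parameter
# (assumed /etc/pam.d by default) so the functions can be tried on a scratch
# copy first. Needs root for the real directory.

# Write the two new stacks exactly as listed in the Configuration section.
xrdp_2fa_write_stacks() {
    pamdir="$1"
    cat > "$pamdir/password-auth-ga" <<'EOF'
#%PAM-1.0
#
auth    required    pam_env.so
auth    optional    pam_gnome_keyring.so
auth    required    pam_unix.so nullok use_first_pass
auth    sufficient  pam_sss.so use_first_pass
EOF
    cat > "$pamdir/gdm-password-ga" <<'EOF'
#%PAM-1.0
# GDM PAM standard configuration (with passwords)
auth     required       pam_google_authenticator.so forward_pass
auth     requisite      pam_nologin.so
auth     include        common-auth
auth     substack       password-auth-ga
session  required       pam_loginuid.so
account  include        common-account
password include        common-password
session  include        common-session
EOF
    chmod 0644 "$pamdir/password-auth-ga" "$pamdir/gdm-password-ga"
}

# Exit 0 when xrdp-sesman authenticates through gdm-password-ga and the plain
# common-auth include is commented out; 1 otherwise. Fields are compared
# instead of regexes so the whitespace used in the file does not matter.
xrdp_2fa_status() {
    awk '$1 == "auth" && $2 == "include" && $3 == "gdm-password-ga" { ga = 1 }
         $1 == "auth" && $2 == "include" && $3 == "common-auth"     { ca = 1 }
         END { exit !(ga && !ca) }' "$1/xrdp-sesman"
}

xrdp_2fa_enable() {
    pamdir="$1"; f="$pamdir/xrdp-sesman"
    [ -f "$f" ] || { echo "missing $f" >&2; return 1; }
    if xrdp_2fa_status "$pamdir"; then return 0; fi   # already enabled: never insert twice
    xrdp_2fa_write_stacks "$pamdir"
    cp -p "$f" "$f.bak"                                # revert by hand with: mv "$f.bak" "$f"
    awk '
        # comment out the plain stack and put the 2FA include right after it
        $1 == "auth" && $2 == "include" && $3 == "common-auth" {
            print "#" $0
            print "auth        include     gdm-password-ga"
            next
        }
        # drop a commented-out 2FA include left behind by an earlier disable
        $1 == "#auth" && $2 == "include" && $3 == "gdm-password-ga" { next }
        { print }
    ' "$f.bak" > "$f"
    xrdp_2fa_status "$pamdir"
}

xrdp_2fa_disable() {
    pamdir="$1"; f="$pamdir/xrdp-sesman"
    [ -f "$f" ] || { echo "missing $f" >&2; return 1; }
    cp -p "$f" "$f.bak"
    awk '
        $1 == "auth"  && $2 == "include" && $3 == "gdm-password-ga" { print "#" $0; next }
        $1 == "#auth" && $2 == "include" && $3 == "common-auth"     { sub(/^#/, ""); print; next }
        { print }
    ' "$f.bak" > "$f"
    ! xrdp_2fa_status "$pamdir"
}

# Command-line use as root, e.g.:  sh xrdp_2fa.sh enable /etc/pam.d
case "${1:-}" in
    enable)  xrdp_2fa_enable  "${2:-/etc/pam.d}" ;;
    disable) xrdp_2fa_disable "${2:-/etc/pam.d}" ;;
    status)  if xrdp_2fa_status "${2:-/etc/pam.d}"; then echo "2FA enabled"; else echo "2FA disabled"; fi ;;
esac
```

Run `xrdp_2fa_status` before and after each change and keep the .bak until a login with password+TOTP has actually succeeded from a second session, since a broken xrdp-sesman stack locks everyone out of RDP; the same applies when disabling. The awk field comparison only recognises the `#auth` form of a commented line, which is the form the procedure uses.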


References:

Google Authenticator PAM module - https://github.com/google/google-authenticator-libpam

Authy or Google Authenticator for 2FA with XRDP - https://github.com/neutrinolabs/xrdp/wiki/Using-Authy-or-Google-Authenticator-for-2FA-with-XRDP#appendix---google-authenticator-options

Disclaimer

This Support Knowledgebase provides a valuable tool for SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented "AS IS" WITHOUT WARRANTY OF ANY KIND.

  • Document ID: 000020659
  • Creation Date: 14-Sep-2022
  • Modified Date: 14-Sep-2022
    • SUSE Linux Enterprise Desktop
    • SUSE Linux Enterprise Server
    • SUSE Linux Enterprise Server for SAP Applications
