Enable 2FA authentication for XRDP for remote access on SLES 15 with Google Authenticator PAM module
This document (000020659) is provided subject to the disclaimer at the end of this document.
Environment
SUSE Linux Enterprise Desktop 15 SP3
Situation
This document details how to enable two factor authentication (2FA) for XRDP for remote access on SLES 15 SP3 using Google Authenticator.
At the end of the procedure it should be possible to use a mobile phone app such as Authy or Google Authenticator to provide a second factor, a Time-based One-Time Password (TOTP), when remotely logging in to a SLES 15 SP3 or SLED 15 SP3 system with any RDP client.
Important notice: google-authenticator-libpam and qrencode packages come from SUSE PackageHub. SUSE does not provide any support, assistance or guarantees with regard to the software provided by the packages. While the packages from the SUSE PackageHub are not officially supported by SUSE, SUSE Linux Enterprise Server remains supported and supportable when using these packages.
Resolution
Pre-requisites
- A mobile phone with the Authy app or Google Authenticator installed.
- A SLES 15 SP3 system with GUI installed.
- XRDP service installed and started.
- Firewall configured to permit access on port 3389/TCP (RDP).
Configuration
Enable and start chronyd:

  systemctl enable --now chronyd.service

Enable the SUSE PackageHub repository:

  SUSEConnect -p PackageHub/15.3/x86_64

Install the google-authenticator-libpam and qrencode packages:

  zypper install google-authenticator-libpam
  zypper install qrencode

Create two new files in /etc/pam.d/, /etc/pam.d/password-auth-ga and /etc/pam.d/gdm-password-ga, with the following content:
/etc/pam.d/password-auth-ga

  #%PAM-1.0
  #
  auth required pam_env.so
  auth optional pam_gnome_keyring.so
  auth required pam_unix.so nullok use_first_pass
  auth sufficient pam_sss.so use_first_pass

/etc/pam.d/gdm-password-ga

  #%PAM-1.0
  # GDM PAM standard configuration (with passwords)
  auth required pam_google_authenticator.so forward_pass
  auth requisite pam_nologin.so
  auth include common-auth
  auth substack password-auth-ga
  session required pam_loginuid.so
  account include common-account
  password include common-password
  session include common-session

Edit /etc/pam.d/xrdp-sesman, commenting out:

  #auth include common-auth

...and add a new entry:

  auth include gdm-password-ga

Example of the resulting /etc/pam.d/xrdp-sesman file:

  #%PAM-1.0
  #auth include common-auth
  auth include gdm-password-ga
  account include common-account
  session include common-session
  session optional pam_keyinit.so force revoke
  session required pam_loginuid.so
  password include common-password

With the forward_pass option, pam_google_authenticator.so expects the verification code appended to the password in the RDP client's password field and forwards the password part to the modules that follow it in the stack.

Log in to the system as the user you want to enable 2FA for, and run this command in a terminal:

  google-authenticator -t -D -W -r 3 -R 30

The options can be customized according to your needs:

  -t, --time-based      Set up time-based (TOTP) verification
  -D, --allow-reuse     Allow reuse of previously used TOTP tokens
  -W, --minimal-window  Disable window of concurrently valid codes
  -r, --rate-limit=N    Limit logins to N per every M seconds
  -R, --rate-time=M     Limit logins to N per every M seconds
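To make the effect of the -W and -r/-R options concrete, here is an added Python example (not part of this SUSE document or of the google-authenticator project) that parses a constructed copy of the per-user secret file, computes RFC 6238 TOTP codes, and applies a 3-code acceptance window and a 3-per-30-seconds attempt limit. The secret is the RFC 6238 test vector rather than a real one, and the option keywords in the sample are assumed to match what the module reads from ~/.google_authenticator.

```python
import base64
import hashlib
import hmac
import struct

# Constructed sample of the secret file after "google-authenticator -t -D -W -r 3 -R 30":
# RFC 6238 test secret, -t -> TOTP_AUTH, -W -> WINDOW_SIZE 3, -r 3 -R 30 -> RATE_LIMIT 3 30,
# and -D means no DISALLOW_REUSE line (keyword names assumed to match the module).
SAMPLE_FILE = """GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ
" TOTP_AUTH
" WINDOW_SIZE 3
" RATE_LIMIT 3 30
"""

def parse_config(text):
    """Return the secret and the option values that matter for verification."""
    lines = text.splitlines()
    cfg = {"secret": lines[0].strip(), "window_size": 3, "rate_limit": None}
    for parts in (l[2:].split() for l in lines[1:] if l.startswith('" ')):
        if parts[0] == "WINDOW_SIZE":
            cfg["window_size"] = int(parts[1])
        elif parts[0] == "RATE_LIMIT":
            cfg["rate_limit"] = (int(parts[1]), int(parts[2]))
    return cfg

def totp(secret_b32, step, digits=6):
    """RFC 6238 TOTP (HMAC-SHA1) for one 30-second time step."""
    key = base64.b32decode(secret_b32.upper() + "=" * (-len(secret_b32) % 8))
    mac = hmac.new(key, struct.pack(">Q", step), hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF) % 10 ** digits
    return f"{code:0{digits}d}"

def verify(code, secret_b32, now, window_size=3, period=30):
    """Accept the code for window_size consecutive steps around now (-W: one step of skew)."""
    step = int(now // period)
    lo, hi = -((window_size - 1) // 2), window_size // 2
    return any(hmac.compare_digest(code, totp(secret_b32, step + d)) for d in range(lo, hi + 1))

class RateLimiter:
    """RATE_LIMIT N M: refuse once N attempts have been made within the last M seconds."""
    def __init__(self, n, m):
        self.n, self.m, self.attempts = n, m, []
    def allow(self, now):
        self.attempts = [t for t in self.attempts if now - t < self.m]
        if len(self.attempts) >= self.n:
            return False
        self.attempts.append(now)
        return True
```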
Additional Information
To disable 2FA again, edit /etc/pam.d/xrdp-sesman commenting out:

  #auth include gdm-password-ga

...and enable:

  auth include common-auth

Example of the reverted /etc/pam.d/xrdp-sesman file:

  #%PAM-1.0
  auth include common-auth
  #auth include gdm-password-ga
  account include common-account
  session include common-session
  session optional pam_keyinit.so force revoke
  session required pam_loginuid.so
  password include common-password
References:
Google Authenticator PAM module - https://github.com/google/google-authenticator-libpam
Authy or Google Authenticator for 2FA with XRDP - https://github.com/neutrinolabs/xrdp/wiki/Using-Authy-or-Google-Authenticator-for-2FA-with-XRDP#appendix---google-authenticator-options
Disclaimer
This Support Knowledgebase provides a valuable tool for SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented "AS IS" WITHOUT WARRANTY OF ANY KIND.
- Document ID: 000020659
- Creation Date: 20-May-2022
- Modified Date: 14-Sep-2022
- SUSE Linux Enterprise Desktop
- SUSE Linux Enterprise Server
- SUSE Linux Enterprise Server for SAP Applications
For questions or concerns with the SUSE Knowledgebase please contact: tidfeedback[at]suse.com