Forked into the official Qubes documentation with the help of @deeplow, here: https://www.qubes-os.org/doc/mfa/
To add a second factor to the PAM stack that xscreensaver uses in dom0, you can use the pam_google_authenticator module, which implements the Time-based One-Time Password (TOTP, RFC 6238) algorithm, by listing it in the /etc/pam.d/xscreensaver file in dom0.
To set up two-factor authentication for the xscreensaver lock screen:
sudo qubes-dom0-update google-authenticator
google-authenticator -t
# -t selects time-based (TOTP) codes. Answer the remaining prompts, scan the QR code with the authenticator app, and keep the emergency scratch codes it prints. The prompts can also be pre-answered with flags instead of interactively (-d disallow code reuse, -f write ~/.google_authenticator without asking, -r 3 -R 30 limit to 3 attempts per 30 seconds).
# top of /etc/pam.d/xscreensaver
auth required pam_google_authenticator.so
# comment out `auth include system-auth` in that file and put an explicit `auth required pam_unix.so` line in its place (the full auth section is shown below)
# alternative module: oath-toolkit (pam_oath)
Modify the PAM configuration for xscreensaver to include pam_unix and pam_google_authenticator. Open a terminal in dom0 and edit /etc/pam.d/xscreensaver as root so that its auth section reads:
auth required pam_unix.so
auth required pam_google_authenticator.so
Both lines are `required`, so PAM runs both modules even when the first one fails and only reports a single failure at the end: a wrong password and a wrong code look the same to whoever is typing. Leave `auth include system-auth` commented out, otherwise the password is checked twice. Because pam_google_authenticator is `required`, an account with no ~/.google_authenticator file cannot unlock the screen at all (the module's nullok option would waive the code for such accounts, which removes the second factor), so run google-authenticator before editing this file and keep the scratch codes it printed somewhere you can reach without unlocking dom0.
If your xscreensaver build shows only a single password field instead of a separate "Verification code:" prompt, use the module's documented forward_pass option: list `auth required pam_google_authenticator.so forward_pass` first and `auth required pam_unix.so use_first_pass` second, and type the password immediately followed by the six-digit code in the one field; the module strips the code off the end and hands the password on to pam_unix.
xscreensaver authenticates through PAM under the service name xscreensaver (on 6.x via its xscreensaver-auth helper), which is why /etc/pam.d/xscreensaver is the file to edit; nothing has to change in xscreensaver-demo beyond making sure screen locking is turned on.
Lock the screen and enter your password, then the one-time code generated by the authenticator app. There is no username prompt: the locker runs as the logged-in dom0 user and only that user's secret file is consulted.
If you want to tweak xscreensaver further, you can add pam_tally2 to set up a lockout policy that slows down brute-force guessing of the password or the code. pam_unix authenticates the password, pam_google_authenticator the code, and pam_tally2 counts failures. pam_tally2 must come first in the auth stack so that it can refuse a locked account before anything else is checked, and it also needs an account entry, which is what resets the counter after a successful unlock; its audit option logs the attempted username even when that user does not exist.
With deny=3 and unlock_time=1200, pam_tally2 denies access after three consecutive failed attempts and unlocks the account automatically after 20 minutes (1200 seconds). Failed attempts from pam_unix, pam_google_authenticator and pam_tally2 are already logged through syslog (authpriv), so in dom0 they can be read with journalctl. pam_tty_audit does not belong in this file: it is a session-type module that switches on kernel audit recording of TTY keystrokes for the named users, it does not record authentication events, and an `auth required pam_tty_audit.so` line cannot resolve an auth function and, being required, makes every unlock fail. Note also that pam_tally2 was removed in Linux-PAM 1.5; on a dom0 whose Fedora release no longer ships it, use pam_faillock with the preauth/authfail/account pattern from its man page instead.
After you modify the PAM configuration file, save the changes and test them by locking the screen and entering the password and the code. Make sure that a correct attempt unlocks the screen, that a deliberately wrong attempt is refused, and that three wrong attempts lock the account for 20 minutes, before you rely on it. The counter can be reset by hand with `sudo pam_tally2 --user=<username> --reset`.
auth required pam_tally2.so deny=3 unlock_time=1200 audit
auth required pam_unix.so
auth required pam_google_authenticator.so
account required pam_tally2.so
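The following is an added example, not code from this guide, from Qubes, or from the google-authenticator project: a small pure-Python model of what pam_google_authenticator checks against ~/.google_authenticator. It serves two passages above: the TOTP setup (confirm, before you lock the screen, that your secret file produces the same six-digit codes as the app) and the brute-force section (the module's own RATE_LIMIT option, which throttles guessing on top of, or instead of, the pam_tally2 lockout). The secret file content is constructed and uses the RFC 6238 test-vector key rather than a real secret; the function names are mine; the window, reuse and rate-limit accounting follow the module's documented options as I understand them and approximate, rather than reproduce, the real file handling.

```python
import base64
import hashlib
import hmac
import struct
import time

STEP = 30     # seconds per time step (RFC 6238 default, what the module uses)
DIGITS = 6

# Constructed sample of a ~/.google_authenticator file. The first line is the
# base32 secret (here the RFC 6238 test key "12345678901234567890", NOT a real
# secret); '" ' lines are options the module reads and rewrites; the trailing
# 8-digit lines are single-use emergency scratch codes.
SAMPLE_SECRET_FILE = """GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ
" RATE_LIMIT 3 30
" WINDOW_SIZE 3
" DISALLOW_REUSE
" TOTP_AUTH
12345678
87654321
"""


def parse_secret_file(text):
    """Return a mutable state dict for the secret file's contents."""
    lines = text.splitlines()
    state = {
        "secret": base64.b32decode(lines[0].strip()),
        "rate_limit": None,       # (N attempts, M seconds, [attempt timestamps])
        "window": 3,              # number of valid time steps (module default)
        "disallow_reuse": None,   # [time steps already used] or None if off
        "scratch": [],
    }
    for line in lines[1:]:
        if line.startswith('" '):
            parts = line[2:].split()
            if parts[0] == "RATE_LIMIT":
                state["rate_limit"] = (int(parts[1]), int(parts[2]),
                                       [int(x) for x in parts[3:]])
            elif parts[0] == "WINDOW_SIZE":
                state["window"] = int(parts[1])
            elif parts[0] == "DISALLOW_REUSE":
                state["disallow_reuse"] = [int(x) for x in parts[1:]]
        elif line.strip().isdigit() and len(line.strip()) == 8:
            state["scratch"].append(line.strip())
    return state


def hotp(secret, counter, digits=DIGITS):
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = ((mac[offset] & 0x7F) << 24 | mac[offset + 1] << 16
              | mac[offset + 2] << 8 | mac[offset + 3])
    return str(binary % 10 ** digits).zfill(digits)


def totp(secret, now=None):
    """RFC 6238: HOTP with the counter set to the current 30-second step."""
    now = time.time() if now is None else now
    return hotp(secret, int(now) // STEP)


def verify(state, code, now):
    """Model of the module's checks. Returns (accepted, reason) and updates state."""
    # RATE_LIMIT N M: at most N attempts, good or bad, within any M seconds.
    if state["rate_limit"] is not None:
        n, m, attempts = state["rate_limit"]
        attempts[:] = [t for t in attempts if now - t < m]
        if len(attempts) >= n:
            return False, "rate limited"
        attempts.append(int(now))
    # Emergency scratch codes are accepted once and then removed from the file.
    if code in state["scratch"]:
        state["scratch"].remove(code)
        return True, "scratch code"
    # WINDOW_SIZE w: accept the codes of w consecutive steps centred on now
    # (w=3 means previous, current and next step), to absorb clock skew.
    current = int(now) // STEP
    w = state["window"]
    for skew in range(-((w - 1) // 2), w // 2 + 1):
        counter = current + skew
        if hmac.compare_digest(hotp(state["secret"], counter).encode(), code.encode()):
            # DISALLOW_REUSE: a time step that already unlocked once is refused,
            # so a code seen over the shoulder cannot be replayed within the window.
            used = state["disallow_reuse"]
            if used is not None:
                if counter in used:
                    return False, "code already used"
                used.append(counter)
            return True, "totp skew %+d" % skew
    return False, "bad code"


if __name__ == "__main__":
    s = parse_secret_file(SAMPLE_SECRET_FILE)
    print("current code for the sample secret:", totp(s["secret"]))
    print(verify(s, totp(s["secret"], 59), 59))   # (True, 'totp skew +0')
    print(verify(s, totp(s["secret"], 59), 59))   # (False, 'code already used')
```

To check your own dom0 setup, feed the contents of ~/.google_authenticator to parse_secret_file and compare totp(state["secret"]) with what the app shows; if they differ, the clock in dom0 or on the phone is off by more than the window allows. Note that the real module rewrites the file on every attempt (RATE_LIMIT timestamps, DISALLOW_REUSE steps, consumed scratch codes), which this model only does in memory.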