You can set up 2FA with e.g. the PAM Google Authenticator (for a single machine) or centrally if you use identity, e.g. with FreeIPA. There should not be any workarounds necessary for Cockpit, it uses the normal global PAM authentication settings.

You can restrict 2FA to cockpit logins only if you configure it in /etc/pam.d/cockpit instead of /etc/pam.d/system-auth (or the equivalent Debian/Ubuntu file).

A GUI setup would be nice to add. So I can log in to cockpit once my server is up, enable 2FA and get a QR code to scan on the web page without having to touch a terminal.

Is this feature coming?

The Cockpit Team is not actively working on this feature, we welcome anyone to contribute this feature. So if you have any questions feel free to ask them.

I hope someone picks this up as cyber security is no joke. A lot of people that use cockpit have limited Linux knowledge in the first place, so to provide this as an out of box UI option would not only make cockpit more secure but would secure a lot of environments with limited Linux skill sets.

Looks like this was implemented for the nethserver fork: https://community.nethserver.org/t/2fa-or-two-factor-authentication-with-cockpit/14172

Would be cool if that could be back-ported to vanilla cockpit.

Looks like this was implemented for the nethserver fork: https://community.nethserver.org/t/2fa-or-two-factor-authentication-with-cockpit/14172

Would be cool if that could be back-ported to vanilla cockpit.

If you use 2FA with Cockpit via PAM I believe this should just work out of the box. Having this documented might be nice.

Looks like this was implemented for the nethserver fork: https://community.nethserver.org/t/2fa-or-two-factor-authentication-with-cockpit/14172
Would be cool if that could be back-ported to vanilla cockpit.

If you use 2FA with Cockpit via PAM I believe this should just work out of the box. Having this documented might be nice.

It does indeed work but a GUI option would be very nice. For the people that come across this issue and want to enable MFA right now here is a one liner:

sudo dnf install google-authenticator qrencode-libs -y;google-authenticator -t -d -f -r 3 -R 30 -W -Q UTF8; sudo bash -c 'echo "auth required pam_google_authenticator.so nullok" >> /etc/pam.d/cockpit';sudo systemctl restart cockpit;

Please someone make this a GUI option

It does indeed work but a GUI option would be very nice. For the people that come across this issue and want to enable MFA right now here is a one liner:

sudo dnf install google-authenticator qrencode-libs -y;google-authenticator -t -d -f -r 3 -R 30 -W -Q UTF8; sudo bash -c 'echo "auth required pam_google_authenticator.so nullok" >> /etc/pam.d/cockpit';sudo systemctl restart cockpit;

Please someone make this a GUI option

I agree that a GUI option is needed and thanks for pointing out this config file. However, why are you using nullok in the end? Doesn't that mean if no config, ignore this PAM module, so perhaps accidentally bypassing 2FA? I think it is safer to use auth required pam_google_authenticator.so (without nullok) instead. Or am I missing something?

@JaneX8

Great guide for who need 2-fa auth!

Here for Debian / Ubuntu users version

sudo apt-get install libpam-google-authenticator libqrencode-dev -y

google-authenticator -t -d -f -r 3 -R 30 -W -Q UTF8

sudo bash -c 'echo "auth required pam_google_authenticator.so nullok" >> /etc/pam.d/cockpit'

sudo systemctl restart cockpit

save back-up code and emergency scratch codes somewhere safe!

• I think nullok option is not that strange option in this case, It guarantees security and flexibility to users, (if google-authenticator works properly, 2FA will be applied, and if google-authenticator does not work properly, 1FA will be applied)

Cockpit doesn't have native 2fa GUI or brute force protection? I'm scared

It has and it works great.

This topic is about making it easier to set up through the GUI.

hi, i installed today cockpit on debian 12, and want to enable 2fa, using this guide:

sudo apt-get install libpam-google-authenticator libqrencode-dev -y

google-authenticator -t -d -f -r 3 -R 30 -W -Q UTF8

sudo bash -c 'echo "auth required pam_google_authenticator.so nullok" >> /etc/pam.d/cockpit'

sudo systemctl restart cockpit 

but 2fa code is not requested on login to non root users!, if i delete nullok from /etc/pam.d/cockpit 2fa login is requested on non root users, but OTP code is not valid, how i can enable 2fa authentication to another user that root? best regards

hi, i installed today cockpit on debian 12, and want to enable 2fa, using this guide:

sudo apt-get install libpam-google-authenticator libqrencode-dev -y

google-authenticator -t -d -f -r 3 -R 30 -W -Q UTF8

sudo bash -c 'echo "auth required pam_google_authenticator.so nullok" >> /etc/pam.d/cockpit'

sudo systemctl restart cockpit 

but 2fa code is not requested on login to non root users!, if i delete nullok from /etc/pam.d/cockpit 2fa login is requested on non root users, but OTP code is not valid, how i can enable 2fa authentication to another user that root? best regards

This isn't related to getting 2FA added into the GUI. Please create a new issue.

I'd love to see a GUI to get this done.