Cover image from Data-Driven Security
Amazon Author Page

3 Comments Securing ‘su’ with Google Authenticator

  1. Hadreta

    I would actually do it the other way around — lock totally su for any other user than root and secure sudo with Google Authenticator (:

  2. armedengineer

    Hadreta, I’d agree with you, but the Google Authenticator configuration is viewable and configurable by users once they’re logged into their accounts. Securing sudo with Google Authenticator could be easily sidestepped by a simple ‘cat ~/.google_authenticator’ without some modification.

  3. Troy

    I put this in /etc/pam.d/common-auth so it affects SSH, su, and most other services. I can’t say whether it works for all PAM clients, but it does for both SSH and su.


Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.