
Support for Two Factor Authentication for CLI access via Google Authenticator/OTP
Closed, Resolved | Public | FEATURE REQUEST


Google Authenticator is a software token that implements two-step verification services using the Time-based One-time Password Algorithm (TOTP) and HMAC-based One-time Password Algorithm (HOTP), for authenticating users of mobile applications by Google. The service implements algorithms specified in RFC 6238 and RFC 4226, respectively.

On Linux-based systems Google Authenticator can be used to provide 2FA support via PAM and on Debian-based systems using the libpam-google-authenticator package.

2FA support would help VyOS meet security requirements for use as critical infrastructure under emerging standards including NIST 800-171.


Difficulty level: Normal (likely a few hours)
Why the issue appeared?: Will be filled on close
Is it a breaking change?: Perfectly compatible
Issue type: Unspecified (please specify)

Event Timeline

syncer triaged this task as Low priority. Oct 7 2018, 2:21 AM

Having lifted the hood and bent a few rules....


deb squeeze main
deb squeeze-lts main

to /etc/apt/sources.list

apt-get install libqrencode3

Then runs without issue.

I then have to wget a package as google-authenticator doesn't exist in squeeze


and dpkg -i the libpam.... package

This installed on 1.1.8 without issue or warning.

I then added "auth required" to the end of /etc/pam.d/sshd

I then modified /etc/ssh/sshd_config to have "ChallengeResponseAuthentication No " --> Yes

su'ing to the user created by vyos "set system login user XXXX etc.."
and running the google-authenticator cli script, creates the appropriate .google-authenticator in the /home/USER directory and SSH MFA login then proceeds.


So how do I do this officially? Or get the work done for this to be official?

What do you propose as CLI syntax?

So exploring some wider thoughts.

My current configuration is for 2FA for all users, and if they haven't configured the google-authenticator they fail.

So we would need a "Apply 2FA to THESE specific users" feature as well.

pam_listfile can do this, by being a filter to what users a pam configuration apply to.

So you "enable" a system login user for MFA, which should add their username to the textfile pam_listfile listens to.
You then "enable a MFA provider" (in our case on google authenticator as a first option)

This would add the pam configuration lines for sshd

so /etc/pam.d/sshd would look like:

auth requisite item=user sense=allow file=/etc/mfausers
auth sufficient
auth required

May also just need to append 'nullok' to the pam gauth line config, which allows users who are not set up to still log in. May need a config option of 'enforcing' & 'allowing' to control this.

ideas for cli:

'set system login user USERNAME authentication mfa enable'

For google-authenticator you could have admins pre-generate the keys and supply them ssh rsa key style:

'set system login user USERNAME authentication mfa gauth key ksj3hdd3fksjdhf8'
This by default needs to be in ~/.google-authenticator

But you can use a secret=/path/to/user/gauth-key-file in the pam module, and put these key files anywhere. e.g "auth required secret=/config/auth/ovpn/gauth/${USER}"

then to make a service MFA enabled:
set service ssh mfa enable
set service ssh mfa provider 'google-authenticator'

For OpenVPN it would hide out in the interfaces branch:
set openvpn vtun# mfa enable
set openvpn vtun# mfa provider 'google-authenticator'
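
The 'enforcing' versus 'allowing' (nullok) behaviour discussed in the comment above, as an added example that is not part of the task or of VyOS code: a small Python audit that reads the pam_google_authenticator.so line and reports, for each user on the MFA list, whether a code is required, skipped, or login fails. The sample PAM line, the user names and the `exists` hook are constructed for illustration; the secret= path reuses the one quoted in the comment.

```python
import os
import shlex

MODULE = "pam_google_authenticator.so"

# Constructed sample of the OTP line in /etc/pam.d/sshd (not from the task).
SAMPLE_PAM = """\
# constructed sample
auth required pam_google_authenticator.so nullok secret=/config/auth/ovpn/gauth/${USER}
"""

def gauth_options(pam_text):
    """Return nullok/secret settings of the first auth line using MODULE."""
    for raw in pam_text.splitlines():
        fields = shlex.split(raw, comments=True)
        idx = next((i for i, f in enumerate(fields) if f.endswith(MODULE)), None)
        if fields[:1] == ["auth"] and idx is not None:
            opts = fields[idx + 1:]
            secret = next((o[len("secret="):] for o in opts
                           if o.startswith("secret=")), None)
            return {"nullok": "nullok" in opts, "secret": secret}
    return None

def audit(pam_text, mfa_users, exists=os.path.isfile):
    """Map each MFA-listed user to 'otp-required', 'no-otp' or 'locked-out'."""
    opts = gauth_options(pam_text)
    if opts is None or opts["secret"] is None:
        raise ValueError("expected a %s auth line with secret=" % MODULE)
    report = {}
    for user in mfa_users:
        path = opts["secret"].replace("${USER}", user)
        if exists(path):
            report[user] = "otp-required"  # enrolled: a code is demanded
        elif opts["nullok"]:
            report[user] = "no-otp"        # nullok: login proceeds without a code
        else:
            report[user] = "locked-out"    # no secret, no nullok: auth fails
    return report

if __name__ == "__main__":
    # Constructed state: only alice has generated a secret file.
    enrolled = {"/config/auth/ovpn/gauth/alice"}
    for mode, text in (("allowing", SAMPLE_PAM),
                       ("enforcing", SAMPLE_PAM.replace(" nullok", ""))):
        print(mode, audit(text, ["alice", "bob"], exists=enrolled.__contains__))
```

Any user reported as `no-otp` is on the MFA list but can still authenticate with a single factor, which is the gap an 'enforcing' option would close.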

syncer raised the priority of this task from Low to Normal.
hagbard added a subscriber: hagbard.
dmbaturin edited projects, added VyOS 1.4 Sagitta; removed VyOS 1.3 Equuleus.
dmbaturin changed Difficulty level from Unknown (require assessment) to Normal (likely a few hours).
dmbaturin set Is it a breaking change? to Perfectly compatible.
dmbaturin added a subscriber: carl.byington.
Unknown Object (User) claimed this task. Sep 10 2022, 1:54 AM
Unknown Object (User) added a comment. Sep 10 2022, 1:57 AM

First we need to include the "google-authenticator" in our build

Unknown Object (User) added a comment. Edited Sep 15 2022, 5:57 AM

PR adding libpam-google-authenticator package to VyOS:

CLI commands are being worked on now to support 2FA system login

dmbaturin renamed this task from Support for Two Factor Authentication for CLI access via Google Authenticator to Support for Two Factor Authentication for CLI access via Google Authenticator/OTP. Fri, Apr 12, 3:33 PM
dmbaturin closed this task as Resolved.
dmbaturin reassigned this task from Unknown Object (User) to vadmin.
dmbaturin set Issue type to Unspecified (please specify).
dmbaturin added a subscriber: Unknown Object (User).