tpotce/bin/2fa.sh

#!/bin/bash

# Make sure script is started as non-root.
myWHOAMI=$(whoami)
if [ "$myWHOAMI" = "root" ]
  then
    echo "Need to run as non-root ..."
    echo ""
    exit
fi

# set vars, check deps
myPAM_COCKPIT_FILE="/etc/pam.d/cockpit"
if ! [ -s "$myPAM_COCKPIT_FILE" ];
  then
    echo "### Cockpit PAM module config does not exist. Something went wrong."
    echo ""
    exit 1
fi
myPAM_COCKPIT_GA="

# google authenticator for two-factor
auth required pam_google_authenticator.so
"
myAUTHENTICATOR=$(which google-authenticator)
if [ "$myAUTHENTICATOR" == "" ];
  then
    echo "### Could not locate google-authenticator, trying to install (if asked provide root password)."
    echo ""
    sudo apt-get update
    sudo apt-get install -y libpam-google-authenticator
    exec "$1" "$2"    
    exit 1
fi


# write PAM changes 
function fuWRITE_PAM_CHANGES {
  myCHECK=$(cat $myPAM_COCKPIT_FILE | grep -c "google")
  if ! [ "$myCHECK" == "0" ];
    then
      echo "### PAM config already enabled. Skipped."
      echo ""
    else
      echo "### Updating PAM config for Cockpit (if asked provide root password)."
      echo "$myPAM_COCKPIT_GA" | sudo tee -a $myPAM_COCKPIT_FILE
      sudo systemctl restart cockpit
  fi
}

# create 2fa
function fuGEN_TOKEN {
  echo "### Now generating token for Google Authenticator."
  echo ""
  google-authenticator -t -d -r 3 -R 30 -w 17
}


# main
echo "### This script will enable Two Factor Authentication for Cockpit."
echo ""
echo "### Please download one of the many authenticator apps from the appstore of your choice."
echo ""
while true;
  do
    read -p "### Ready to start (y/n)? " myANSWER
    case $myANSWER in
      [Yy]* ) echo "### OK. Starting ..."; break;;
      [Nn]* ) echo "### Exiting."; exit;;
    esac
done

fuWRITE_PAM_CHANGES
fuGEN_TOKEN

echo "Done. Re-run this script by every user who needs Cockpit access."
echo ""