Lately, I decided to harden security a bit. This included securing my rstudio server (open source) with one-time passwords.
Two-factor authentication (or multi-factor authentication) is when you use a username, password, and another means of authentication, mainly a one-time password that’s generated and sent via SMS or email or, in this case, created by an authentication app. In this case, I will demonstrate how to enable OTP on the rstudio server login.
At the moment of writing these lines, some posts deal with this here, and here; however, none of them worked for me. The latter did lead me in the right direction, so here is the setup I used to enable the OTP on rstudio server.
The following assumes you have an rstudio server running on linux, with
google-authenticator is an authentication module that’s installed on linux (not to be confused the android app that goes by a similar name). Installing it is the first step:
sudo apt install libpam-google-authenticator
This module integrates into linux’s PAM (pluggable authentication modules).
Now, log into rstudio as you would regularly and in the terminal run:
This will yield a series of questions and set-up steps, i.e.:
Confirm using time-based tokens
Scan the QR-code into your preferred authentication app (e.g., google authenticator for Android)
Copy your emergency codes for backup
I also disallowed multiple logins,
Permitted time skews; and
Limited login attempts against brute force attacks).
Edit the rstudio authentication profile
The next step is to edit the authentication profile for rstudio. Inside linux command line (as sudo) run the following code:
sudo nano /etc/pam.d/rstudio, and paste the following:
auth required pam_google_authenticator.so @include common-account @include common-session
Now, edit another rstudio server file using:
/etc/rstudio/rserver.conf and paste the following:
Save and close the file.
Restart your rstudio server using
sudo systemctl restart rstudio-server.service.
Check that everything works
Go to your rstudio server login page and enter your user name. In the password text box enter the code shown on your authentication app. It should be able to log you in.