Using OTP (one-time passwords) in rstudio server open source

Background

Lately, I decided to harden security a bit. This included securing my rstudio server (open source version) with one-time passwords.

Two-factor authentication (or multi-factor authentication) is when you use a username, password, and another means of authentication, mainly a one-time password that’s generated and sent via SMS or email or, in this case, created by an authentication app. In this case, I will demonstrate how to enable OTP on the rstudio server login. I.e.: logining into rstudio server with a user name and a one-time password generated by an authentication app.

At the moment of writing these lines, some posts deal with this kind of set-up, i.e.: here, and here; however, none of them worked for me. The latter did lead me in the right direction but it’s missing a crucial step. Here is the setup I used to enable the OTP on rstudio server.

The following assumes you have an rstudio server running on linux, with sudo privileges.

Installing google-authenticator

The google-authenticator is an authentication module that’s installed on linux (not to be confused the android app that goes by a similar name). Installing it is the first step:

sudo apt install libpam-google-authenticator

This module integrates into linux’s PAM (pluggable authentication modules).

Now, log into rstudio as you would regularly and in the terminal run:

google-authenticator

This will yield a series of questions and set-up steps, i.e.:

• Confirm using time-based tokens

• Scan the QR-code into your preferred authentication app (e.g., google authenticator for Android)

• Copy your emergency codes for backup

• I also disallowed multiple logins,

• Permitted time skews; and

• Limited login attempts against brute force attacks).

Edit the rstudio authentication profile

The next step is to edit the authentication profile for rstudio. Inside linux command line (as sudo) run the following code: sudo nano /etc/pam.d/rstudio, and paste the following:

auth required pam_google_authenticator.so
@include common-account
@include common-session

Now, edit another rstudio server file using: /etc/rstudio/rserver.conf and paste the following:

auth-pam-require-password-prompt=0

Save and close the file.

Restart your rstudio server using sudo systemctl restart rstudio-server.service.

Check that everything works

Go to your rstudio server login page and enter your user name. In the password text box enter the code shown on your authentication app. You should be able to log in with the OTP generated by your authentication app.