Use TOTP

Learn how to use any RFC 6238-compliant token generator, e.g. Google or Microsoft Authenticator.

To change between the different two-factor authentication methods, open the configuration file located on your rport server at /etc/rport/rportd.conf with a text editor.

Scroll down and look for the examples of TOTP. Remove the comment (hash) signs so your configuration looks like the sample below:

  ## To enable time-based one-time tokens generated by apps like Google or Microsoft Authenticator,
  ## set 'totp_enabled = true'.
  ## Your user-password store (json files or DB table) needs an additional text field 'totp_secret'.
  totp_enabled = true
  
  ## Learn more on https://oss.rport.io/docs/no02-api-auth.html#two-factor-auth
  ## Before sending the token generated by the authenticator app,
  ## users should do a login attempt. Otherwise they can request tokens directly without login.
  ## 'totp_login_session_ttl' sets the timeout after which totp codes won't be accepted
  totp_login_session_ttl = '600s'
  
  ## If you run multiple RPort servers, you should give them different totp account names
  ## to differentiate them on your authenticator app.
  totp_account_name = 'RPort'

👉 Very likely, some other default 2FA method is already enabled. You must disable it. Look for the line two_fa_token_delivery = 'smtp' or two_fa_token_delivery = '/usr/local/bin/2fa-sender.sh'. Put a comment (hash sign) at the beginning of the line to disable it.

After making the changes, restart the rport server by executing systemctl restart rportd.
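A check worth running before that restart, as an added example that is not part of RPort or its documentation: it confirms that totp_enabled is active and that no two_fa_token_delivery line was left uncommented. The function names are hypothetical, and the script assumes one "key = value" setting per line, as in the sample above.

```shell
#!/bin/sh
# Added example, not part of RPort. Assumes one "key = value" setting per line.

# Print the value of an active (uncommented) key; prints nothing if absent.
active_value() {  # $1 = key, $2 = config file
  sed -n "s/^[[:space:]]*$1[[:space:]]*=[[:space:]]*//p" "$2" |
    sed -e 's/[[:space:]]*#.*$//' -e 's/[[:space:]]*$//' \
        -e "s/^['\"]//" -e "s/['\"]\$//" | tail -n 1
}

# Return 0 only if TOTP is enabled and no other 2FA delivery method is active.
check_rport_totp() {  # $1 = path to rportd.conf
  conf=$1
  rc=0
  [ -r "$conf" ] || { echo "cannot read $conf" >&2; return 2; }
  if [ "$(active_value totp_enabled "$conf")" != "true" ]; then
    echo "FAIL: totp_enabled is not set to true (line still commented out?)"
    rc=1
  fi
  delivery=$(active_value two_fa_token_delivery "$conf")
  if [ -n "$delivery" ]; then
    echo "FAIL: two_fa_token_delivery = '$delivery' is still active; comment it out"
    rc=1
  fi
  if [ "$rc" -eq 0 ]; then echo "OK: TOTP is the only active 2FA method"; fi
  return "$rc"
}

# Constructed sample: TOTP switched on, but the SMTP method was left enabled.
write_conflicting_sample() {  # $1 = output path
  cat > "$1" <<'EOF'
  #two_fa_token_delivery = '/usr/local/bin/2fa-sender.sh'
  two_fa_token_delivery = 'smtp'
  totp_enabled = true
  totp_login_session_ttl = '600s'
EOF
}

# With a path argument, check that file; without one, run on the sample.
if [ "$#" -gt 0 ]; then
  check_rport_totp "$1"
else
  sample=$(mktemp) && write_conflicting_sample "$sample"
  check_rport_totp "$sample" || true
  rm -f "$sample"
fi
```

Run it as root with /etc/rport/rportd.conf as the argument; a non-zero exit status means the file still needs editing.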

Now open the user interface in your browser and log in with username and password. You will be prompted to scan the QR code with your authenticator app, or you can copy the secret to your desktop app. The secret is displayed just once.

From now on, you must always enter your username, the password and a token generated by the authenticator app.
