sudo with MFA

sudo with MFA lets you run sudo commands in Websh terminal sessions without permanent sudo privilege. When you enter a sudo command, MFA verification is required before the command executes.

Requirements

• Alpamon 1.3.2 or later installed on the target server
• sudo with MFA enabled in workspace access control settings (this automatically installs the required PAM module on servers)

Enable sudo with MFA

1. Go to Workspace settings > Access control
2. Enable Use sudo with MFA
3. The PAM module is automatically installed on servers running Alpamon 1.3.2+

Note: Enabling sudo with MFA requires superuser privileges. Staff users can use sudo with MFA after it is enabled but cannot change this setting.

Note: sudo with MFA works independently from the Allow direct root access setting. Even when direct root access is disabled, users can still run sudo commands through sudo with MFA.

How it works

Staff and superuser

1. Enter a sudo command in a Websh terminal session (e.g., sudo systemctl restart nginx)
2. On the first sudo command, MFA verification is required
3. After completing MFA, the command executes
4. Subsequent sudo commands do not require MFA again until the MFA timeout expires
5. The MFA timeout duration follows the user’s configured setting—see Security settings

Regular members

Approval-based sudo for regular members (below staff) is coming soon.

Related docs

• Run commands
• Account selection
• Workspace settings