I would like to ask, particularly those who run large environments with lots of users, whether there are any standardized or industry-recommended ways to securely distribute the verification codes to remote users and/or force the user to run google-authenticator the very first time they log in via ssh to a Linux host that is configured with the libpam module requiring the user to enter the Unix password plus the verification code every time they log in over ssh. Assuming the system administrator sets up the account, is there a way to either:
(a) not require google-authenticator the first time they log in, and force them to run it so that they can securely retrieve their verification code, or (b) have the system administrator run it for them as part of creating the account, and securely (and easily, given there may be a lot of users) distribute the code plus the Unix password to the user?
Note that a system admin can use the `chage` command to force a user to change their Unix password the first time they log in.
I am interested in all practical solutions to this, particularly those that are implemented successfully in large environments. How do you get the two-factor codes to new users? Send them via text message to their cell phones? Write them on pieces of paper and hand them out? ....?
As far as I know, there is no industry standard in regard to Google 2FA.
If you have a configuration management solution, you can use it to deploy Google 2FA to all your users.
I had the same need as yours; in my case I wrote an Ansible module which installs, configures and displays the emergency keys to the user, expecting the user to be responsible enough to write them down for themselves.
The module also creates a user called "rescue" which can always access the machine.
With a little addition to the module you can make it export each user's emergency keys to some shared network drive which you will manage and back up.
I'm not sure that this is the full answer for you but take a look at my module.
I'm not aware of any publicly available solutions (open source or otherwise) to distribute keys to local systems. I've done it these two ways.
1) FreeIPA (Red Hat IdM)
If you have the option to use FreeIPA for your user management system, you can add TOTP/Google Authenticator to all accounts and manage which systems require 2FA with HBAC.
2) Internal application written by developers
In one case, we centrally stored the base32 secrets in a SQL database (with 2016 encryption) and distributed these keys to gateway authentication servers (RADIUS). These servers each have an agent that pulls keys from an API endpoint and writes them to a specific folder. Our internal application is also used for other employee information, so that is where we expose their QR codes. We do not use google-authenticator for the code generation, just the PAM module itself.
We also did not write the one-time-use keys, as these keys would not actually be one-time use, and the redistribution of these files would prevent those keys from rotating.
Also take into account local file permissions, service users and SELinux; do not run PAM as root.
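The following is an added example for this thread, not code from the question, from the Ansible module in the first answer, or from the internal application in the second answer. It shows the server-side pieces both answers describe: generating the base32 secret and emergency scratch codes on behalf of the user instead of having them run google-authenticator, writing the secret file with safe permissions, producing the otpauth:// URI that an internal application renders as a QR code, and verifying codes with RFC 6238 TOTP (checked against the RFC's published test vectors, which is also how you would confirm that a secret pulled from a central store still works on a gateway). The secret-file layout (secret on line 1, options on lines starting with `" `, scratch codes after) is my assumption of what the google-authenticator CLI writes with `-t -d -f -r 3 -R 30 -W`; confirm it against your installed version before relying on it. The user, host and issuer names are made up.

```python
"""Server-side TOTP provisioning for pam_google_authenticator (added example).

ASSUMPTION: the secret-file layout written by secret_file_text() mirrors what
the google-authenticator CLI produces with `-t -d -f -r 3 -R 30 -W` in the
versions I have used; check it against your distribution's package.
"""
import base64
import hashlib
import hmac
import os
import secrets
import struct
import tempfile
import time
import urllib.parse
from typing import Optional


def new_secret(nbytes: int = 10) -> str:
    """Random base32 secret; 10 bytes gives the classic 16-character secret."""
    return base64.b32encode(secrets.token_bytes(nbytes)).decode().rstrip("=")


def new_scratch_codes(n: int = 5) -> list:
    """8-digit emergency codes; the PAM module removes each one after use."""
    return [f"{secrets.randbelow(10 ** 8):08d}" for _ in range(n)]


def secret_file_text(secret: str, scratch_codes: list) -> str:
    """Assumed google-authenticator file layout (see module docstring)."""
    lines = [secret, '" RATE_LIMIT 3 30', '" WINDOW_SIZE 3', '" DISALLOW_REUSE',
             '" TOTP_AUTH', *scratch_codes]
    return "\n".join(lines) + "\n"


def parse_secret_file(text: str) -> tuple:
    """Split a secret file into (secret, option lines, remaining scratch codes)."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    options = [ln[2:] for ln in lines[1:] if ln.startswith('" ')]
    scratch = [ln for ln in lines[1:] if not ln.startswith('" ')]
    return lines[0], options, scratch


def write_secret_file(path: str, text: str, uid: Optional[int] = None,
                      gid: Optional[int] = None) -> None:
    """Create 0600 with O_EXCL (no window where the file is readable by others),
    chown to the user so the PAM module finds and can rewrite it, then lock
    it to 0400 as google-authenticator itself does."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL | os.O_NOFOLLOW, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write(text)
    if uid is not None and gid is not None:
        os.chown(path, uid, gid)
    os.chmod(path, 0o400)


def otpauth_uri(secret: str, user: str, host: str, issuer: str) -> str:
    """Key URI that Google Authenticator and compatible apps import from a QR code."""
    label = urllib.parse.quote(f"{issuer}:{user}@{host}")
    query = urllib.parse.urlencode({"secret": secret, "issuer": issuer,
                                    "algorithm": "SHA1", "digits": 6, "period": 30})
    return f"otpauth://totp/{label}?{query}"


def totp(secret: str, for_time: Optional[float] = None, digits: int = 6,
         period: int = 30) -> str:
    """RFC 6238 TOTP with HMAC-SHA1, the defaults pam_google_authenticator uses."""
    key = base64.b32decode(secret + "=" * (-len(secret) % 8), casefold=True)
    counter = int((time.time() if for_time is None else for_time) // period)
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % 10 ** digits
    return f"{code:0{digits}d}"


def verify(secret: str, code: str, for_time: Optional[float] = None,
           window: int = 1, period: int = 30) -> bool:
    """Accept a code from the current period or +/- `window` periods of clock skew."""
    now = time.time() if for_time is None else for_time
    return any(hmac.compare_digest(totp(secret, now + k * period, period=period), code)
               for k in range(-window, window + 1))


def provision(home: str, user: str, host: str, issuer: str,
              uid: Optional[int] = None, gid: Optional[int] = None) -> dict:
    """What the admin does at account creation instead of asking the user to run
    google-authenticator: write the file and return what must be handed over."""
    secret, scratch = new_secret(), new_scratch_codes()
    path = os.path.join(home, ".google_authenticator")
    write_secret_file(path, secret_file_text(secret, scratch), uid, gid)
    return {"path": path, "secret": secret, "scratch_codes": scratch,
            "uri": otpauth_uri(secret, user, host, issuer),
            "mode": os.stat(path).st_mode & 0o777}


def demo() -> dict:
    """Provision into a scratch directory (no root needed) and self-check the secret."""
    home = tempfile.mkdtemp(prefix="home-alice-")  # stands in for /home/alice
    result = provision(home, "alice", "bastion01.example.net", "ExampleCorp")
    result["self_check"] = verify(result["secret"], totp(result["secret"]))
    return result


if __name__ == "__main__":
    r = demo()
    print("secret file:", r["path"], f"mode {r['mode']:o}")
    print("QR payload :", r["uri"])
    print("scratch    :", " ".join(r["scratch_codes"]))
    print("self-check :", r["self_check"])
```

Two design points worth noting against the answers above: the scratch codes are only one-time if the file on the host is the single copy the PAM module rewrites, which is exactly why the second answer does not replicate them to the gateways; and the `uri` is the only thing that should reach the user's phone, over a channel (the internal application, or an in-person handover) that never also carries the Unix password.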