Linux two step authentication with PAM and Google Authenticator

We can already use two step authentication in GMail with the Google Authenticator Android app. The idea is to create a secret key shared between the service and the Android app, so every 30 seconds the app generates a new token that must be provided at login in addition to the password. That token is only valid within that 30s time frame.


Since this provides a nice second security layer for our logins, why not take advantage of it on our Linux box as well?

We'll need two things to get started:

  • Install Google Authenticator on our Android, iOS or Blackberry phone (AFAIK it's not available for WP7, at least not yet).
  • Install the PAM on our Linux box

The first step is trivial, so we'll go for the second one.

If you are using Ubuntu you can install it straight from the repos:

[CODE]sudo apt-get install libpam-google-authenticator[/CODE]

For other distros it might also be available in the repos, but if it isn't you can also get the PAM from the Google Code site.

Once we have that installed we will run this command as the user we want to use two step authentication with. If we want to use it for several users we will have to run it once as each of them, since it generates a unique secret key each time.

[CODE]google-authenticator[/CODE]

The first thing we will see is a big QR code. Open the Google Authenticator app on your phone, hit the menu button and select "Scan barcode". Point the camera at the QR code on the screen and you'll get a new item on the Google Authenticator main screen with an ID for the user and computer and the generated token below, along with a counter showing how much time is left before the code expires.

Right below the QR code we'll see something like this:

[CODE]Your new secret key is: [secret_key]
Your verification code is [verification_code]
Your emergency scratch codes are:
[code1]
[code2]
[code3]
[code4][/CODE]

Copy all of this somewhere safe. The four "emergency scratch codes" will come in handy if for whatever reason we lose or break our phone. They are one-time codes that can be used instead of the tokens generated by Google Authenticator.

Next you'll be asked a few questions to configure some authentication details:

[CODE]Do you want me to update your "~/.google_authenticator" file (y/n)[/CODE]

Answer "y" here to get it configured.

[CODE]Do you want to disallow multiple uses of the same authentication token? This restricts you to one login about every 30s, but it increases your chances to notice or even prevent man-in-the-middle attacks (y/n)[/CODE]

If you'll need to log in more than once every 30 seconds answer "n"; otherwise it's OK to answer "y".

[CODE]By default, tokens are good for 30 seconds and in order to compensate for possible time-skew between the client and the server, we allow an extra token before and after the current time. If you experience problems with poor time synchronization, you can increase the window from its default size of 1:30min to about 4min. Do you want to do so (y/n)[/CODE]

Unless your phone and PC clocks are severely desynchronized, it should be OK to answer "n" here.

[CODE]If the computer that you are logging into isn't hardened against brute-force login attempts, you can enable rate-limiting for the authentication module. By default, this limits attackers to no more than 3 login attempts every 30s. Do you want to enable rate-limiting (y/n)[/CODE]

It's a good idea to answer "y" here to prevent brute force attacks.
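To make concrete what these four questions configure, here is an added example (my own code, not the post's and not the google-authenticator PAM module's) that implements the RFC 6238 TOTP check the module performs on each login: the 30-second token step, the one-step skew tolerance on each side of the current time (the "1:30min" window), rejection of a token that has already been used, and the 3-attempts-per-30s rate limit. The secret used is the RFC 6238 reference key, constructed inline; the `Verifier` class and its state are my own simplification and are not the module's data structures.

```python
"""Minimal TOTP verifier reproducing the behaviours the google-authenticator
questions configure. Standard library only; the secret below is the RFC 6238
reference key, constructed here for the example."""
import base64
import hashlib
import hmac
import struct

STEP_SECONDS = 30        # token lifetime described in the post
RATE_LIMIT_ATTEMPTS = 3  # "no more than 3 login attempts every 30s"
RATE_LIMIT_WINDOW = 30

# Constructed test secret: RFC 6238's "12345678901234567890", base32-encoded,
# i.e. the kind of string that follows "Your new secret key is:".
TEST_SECRET = base64.b32encode(b"12345678901234567890").decode()


def hotp(secret_b32, counter, digits=6):
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)
    key = base64.b32decode(padded)
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def totp(secret_b32, unix_time, step=STEP_SECONDS):
    """RFC 6238: HOTP with the counter set to the number of 30s steps since the epoch."""
    return hotp(secret_b32, unix_time // step)


class Verifier:
    """Per-user state a verifier has to keep: time steps already consumed and
    timestamps of recent attempts. (Hypothetical structure, not the PAM module's.)"""

    def __init__(self, secret_b32, skew=1, disallow_reuse=True, rate_limit=True):
        self.secret = secret_b32
        self.skew = skew                  # 1 -> previous, current and next step (1:30 total)
        self.disallow_reuse = disallow_reuse
        self.rate_limit = rate_limit
        self.used_steps = set()
        self.attempts = []

    def verify(self, code, unix_time):
        """Return True if `code` is acceptable at `unix_time`; records state as it goes."""
        if self.rate_limit:
            # Keep only attempts inside the last 30s, then refuse if the budget is spent.
            self.attempts = [t for t in self.attempts if unix_time - t < RATE_LIMIT_WINDOW]
            if len(self.attempts) >= RATE_LIMIT_ATTEMPTS:
                return False
            self.attempts.append(unix_time)
        current = unix_time // STEP_SECONDS
        for step in range(current - self.skew, current + self.skew + 1):
            # Constant-time comparison, so a wrong code does not leak where it diverged.
            if hmac.compare_digest(hotp(self.secret, step), code):
                if self.disallow_reuse and step in self.used_steps:
                    return False  # the same token was already accepted once
                self.used_steps.add(step)
                return True
        return False


if __name__ == "__main__":
    import time
    now = int(time.time())
    print("current token for the test secret:", totp(TEST_SECRET, now))
```

Answering "y" to the skew question widens `skew` (more steps on each side of the current one); "y" to the reuse question corresponds to `disallow_reuse=True`; "y" to rate limiting corresponds to `rate_limit=True`. Widening the window makes clock drift less painful but gives a guessed token proportionally more chances to match, which is why the post's advice to leave it at the default is sound.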

Up to this point we've just configured the tools we'll need to implement the two step authentication, without actually modifying anything in our login settings yet.


The next steps in this howto will add the PAM to your login. Bear in mind that if you do anything wrong you might find yourself locked out of your box, and if your home folder is encrypted you'll be unable to access your data.

Even if that happens you can still fix it by booting from a live CD and removing the PAM from the login configuration, but be aware of the potential problems.

We can add the PAM to several different login methods; we'll just look at the two most interesting options:

[b]1.- The most interesting one: SSH login[/b]

Edit [i]/etc/pam.d/sshd [/i]and add this line at the bottom:

[CODE]auth required pam_google_authenticator.so[/CODE]

Edit [i]/etc/ssh/sshd_config [/i]and either modify (if it already exists) or add this line:

[CODE]ChallengeResponseAuthentication yes[/CODE]

Restart the sshd service (this works for Ubuntu, other distros might have a different way of handling services):

[CODE]sudo service ssh restart[/CODE]

Next time you ssh to the box you'll be prompted for both your password and your verification code.

This only takes effect for password logins: if you authenticate with an SSH key (certificate) you'll be logged in automatically as usual.
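Given the warning above about locking yourself out, it is worth checking the two edited files before restarting sshd. The following is an added example (my own code, not the post's or the project's) that applies the checks to the file contents as text: an active `auth` line loading `pam_google_authenticator.so`, and `ChallengeResponseAuthentication yes` taking effect. It also checks `UsePAM`, which the post does not mention: sshd only runs PAM modules when it is `yes` (the upstream default is `no`; Ubuntu's shipped config sets it to `yes`). The sample file contents are constructed for the example, and the check follows sshd's rule that the first value of a keyword wins.

```python
"""Dry-run check of the pam.d/sshd and sshd_config edits from the post.
Sample contents are constructed here; pass the real files' text in practice."""
import re

# Constructed stand-in for /etc/pam.d/sshd on an Ubuntu-style system.
SAMPLE_PAM_SSHD = """\
# PAM configuration for the Secure Shell service
@include common-auth
account required pam_nologin.so
@include common-account
auth required pam_google_authenticator.so
"""

# Constructed stand-in for /etc/ssh/sshd_config. The commented-out line is the
# kind of leftover that is easy to mistake for an active setting.
SAMPLE_SSHD_CONFIG = """\
Port 22
#ChallengeResponseAuthentication no
ChallengeResponseAuthentication yes
UsePAM yes
"""


def pam_has_google_authenticator(pam_text):
    """True if an uncommented auth line loads pam_google_authenticator.so."""
    for line in pam_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()  # type control module [args]
        if fields[0] == "auth" and "pam_google_authenticator.so" in fields:
            return True
    return False


def sshd_option(config_text, keyword):
    """Return the value sshd would use for `keyword`: the first uncommented
    occurrence wins, and keywords are case-insensitive. None if not set."""
    for line in config_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"(\S+)\s+(.+)", line)
        if m and m.group(1).lower() == keyword.lower():
            return m.group(2).strip()
    return None


def check_ssh_two_step(pam_text, config_text):
    """Return a list of problems; an empty list means the setup should take effect."""
    problems = []
    if not pam_has_google_authenticator(pam_text):
        problems.append("pam.d/sshd: no active 'auth ... pam_google_authenticator.so' line")
    cra = (sshd_option(config_text, "ChallengeResponseAuthentication") or "").lower()
    if cra != "yes":
        problems.append("sshd_config: ChallengeResponseAuthentication is not 'yes'")
    use_pam = (sshd_option(config_text, "UsePAM") or "").lower()
    if use_pam != "yes":
        problems.append("sshd_config: UsePAM is not 'yes', so PAM modules would never run")
    return problems


if __name__ == "__main__":
    # Read the real files instead of the samples when running on the box itself.
    for problem in check_ssh_two_step(SAMPLE_PAM_SSHD, SAMPLE_SSHD_CONFIG) or ["OK"]:
        print(problem)
```

Run it against the real files before `sudo service ssh restart`, and keep an existing SSH session open while you test a fresh login from a second terminal; that second session is what lets you undo the change if the check missed something.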

[b]2.- A less interesting option: your local login[/b]

Depending on your distro you might be using a different login manager. Pick and edit the correct file among these (you'll likely only have one of them):

  • /etc/pam.d/gdm
  • /etc/pam.d/lightdm
  • /etc/pam.d/kdm

Add this line at the bottom:

[CODE]auth required pam_google_authenticator.so[/CODE]

That's it. Next time you log in you'll be prompted for your password first and then for your verification code.

Now, as a side note, why is this local login a "less interesting option"?

Two step authentication will keep users out of your box as long as they don't also have access to your phone, but you shouldn't forget that there's no way to really secure a box if the attacker has physical access to it.

The secret key is stored in your home folder. An attacker could boot your box from a live CD, read the key and generate their own tokens.

Then again, the same holds true for your user password, so this is not to say that two step authentication is insecure; it just has the same problems as any other login method when it comes to physically accessible machines.
