Linux two step authentication with PAM and Google Authenticator



ichi

We can already use two step authentication in GMail with the Google Authenticator Android app. The idea is creating a secret key shared between the service and the Android app, so every 30 seconds we get a randomly generated token on Android that must be provided to login in addition to the password. That token is only valid in that 30s time frame.


Since this provides a nice second security layer for our logins, why not take advantage of it on our Linux box as well?

We'll need two things to get started:

  • Install Google Authenticator on our Android, iOS or Blackberry phone (AFAIK it's not available for WP7, at least not yet).
  • Install the PAM on our Linux box

The first step is trivial, so we'll go for the second one.

If you are using Ubuntu you can install it straight from the repos:

[CODE]sudo apt-get install libpam-google-authenticator[/CODE]

For other distros it might be also available on the repos, but if it isn't you can also get the PAM from the Google Code site.

Once we have that installed we will run this command with the user we want to use two step authentication with. If we want to use it for several users we will have to run it once with each of them, since it generates a unique secret key each time.

[CODE]google-authenticator[/CODE]

First thing we will see is a big QR code. Open your Google Authenticator app on the phone, hit the menu button and select "Scan barcode". Point the camera at the QR code on the screen and you'll get a new item on the Google Authenticator main screen with an ID for the user and computer and the generated token below, along with a counter showing how much time is left before the code expires.

Right below the QR code we'll see something like this:

[CODE]Your new secret key is: [secret_key]
Your verification code is [verification_code]
Your emergency scratch codes are:
[code1]
[code2]
[code3]
[code4][/CODE]

Copy all this somewhere. The four "emergency scratch codes" will come in handy if for whatever reason we lose or break our phone. They are one-time codes that can be used instead of the tokens generated by Google Authenticator.

Next you'll be asked a few questions to configure some authentication details:

[CODE]Do you want me to update your "~/.google_authenticator" file (y/n)[/CODE]

Answer "y" here to get it configured.

[CODE]Do you want to disallow multiple uses of the same authentication token? This restricts you to one login about every 30s, but it increases your chances to notice or even prevent man-in-the-middle attacks (y/n)[/CODE]

If you'll need to login more than once every 30 seconds answer "n", else it's OK to answer "y".

[CODE]By default, tokens are good for 30 seconds and in order to compensate for possible time-skew between the client and the server, we allow an extra token before and after the current time. If you experience problems with poor time synchronization, you can increase the window from its default size of 1:30min to about 4min. Do you want to do so (y/n)[/CODE]

Unless your phone and PC clocks are severely desynchronized, it should be OK to answer "n" here.

[CODE]If the computer that you are logging into isn't hardened against brute-force login attempts, you can enable rate-limiting for the authentication module. By default, this limits attackers to no more than 3 login attempts every 30s. Do you want to enable rate-limiting (y/n)[/CODE]

It's a good idea to answer "y" here to prevent brute force attacks.

Up to this point we've just configured the tools we'll need to implement the two step authentication, without actually modifying anything in our login settings yet.

The next steps in this howto will add the PAM to your login. Bear in mind that if you do anything wrong you might find yourself locked out of your box, and if your home folder is encrypted you'll be unable to access your data.

Even if that happens you can still fix it booting from a livecd and removing the PAM from the login, but just be aware of the potential problems.

We can add the PAM to several different login methods; we'll just look at the two most interesting options:

[b]1.- The most interesting one: SSH login[/b]

Edit [i]/etc/pam.d/sshd[/i] and add this line at the bottom:

[CODE]auth required pam_google_authenticator.so[/CODE]

Edit [i]/etc/ssh/sshd_config[/i] and either modify (if it already exists) or add this line:

[CODE]ChallengeResponseAuthentication yes[/CODE]

Restart the sshd service (this works for Ubuntu, other distros might have a different way of handling services):

[CODE]sudo service ssh restart[/CODE]

Next time you ssh to the box you'll be prompted for your password and then for your verification code.

This only works if you aren't logging in with SSH keys (public key authentication); with a key you'll be logged in automatically as usual.
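Because a mistake in any of the three files above can lock you out (see the warning before this section), it is worth checking them before restarting sshd. The script below is an added example, not part of the post or of the PAM project: it takes the paths of the PAM service file, sshd_config and the user's secret file as arguments and only returns 0 when all three look right. The `make_samples` function writes constructed sample files so the script can be run offline; the function names and the "good"/"bad" sample layout are my own.

```shell
#!/bin/sh
# Pre-flight check to run before restarting sshd with pam_google_authenticator.
# Added example, not from the original post: inspects the three files the SSH
# section touches and passes only when all of them look right.

check_pam_line() {  # $1 = PAM service file (e.g. /etc/pam.d/sshd)
    grep -Eq '^[[:space:]]*auth[[:space:]]+required[[:space:]]+pam_google_authenticator\.so' "$1"
}

check_sshd_cra() {  # $1 = sshd_config; sshd honours the FIRST occurrence of a keyword
    grep -Ei '^[[:space:]]*(ChallengeResponseAuthentication|KbdInteractiveAuthentication)[[:space:]]+' "$1" \
        | head -n 1 | grep -Eiq '[[:space:]]yes[[:space:]]*$'
}

check_secret_file() {  # $1 = the user's .google_authenticator
    [ -f "$1" ] || return 1
    # first line must be the base32 secret
    head -n 1 "$1" | grep -Eq '^[A-Z2-7]{16,}$' || return 1
    # the PAM expects the secret file to be readable only by its owner: 0400 or 0600
    mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1")
    [ "$mode" = "400" ] || [ "$mode" = "600" ]
}

mfa_preflight() {  # $1 PAM file, $2 sshd_config, $3 secret file; returns 0 when safe to restart
    check_pam_line "$1"    || { echo "missing pam_google_authenticator line in $1" >&2; return 1; }
    check_sshd_cra "$2"    || { echo "ChallengeResponseAuthentication is not yes in $2" >&2; return 1; }
    check_secret_file "$3" || { echo "secret file $3 missing, malformed or too permissive" >&2; return 1; }
    return 0
}

make_samples() {  # $1 = scratch dir; writes CONSTRUCTED sample files into good/ and bad/
    mkdir -p "$1/good" "$1/bad"
    printf '@include common-auth\nauth required pam_google_authenticator.so\n' > "$1/good/sshd"
    printf 'PasswordAuthentication yes\nChallengeResponseAuthentication yes\n' > "$1/good/sshd_config"
    # RFC 6238 reference secret in base32 (a test value), then option lines like the tool writes
    printf 'GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ\n" RATE_LIMIT 3 30\n" TOTP_AUTH\n' > "$1/good/.google_authenticator"
    chmod 400 "$1/good/.google_authenticator"
    printf '@include common-auth\n' > "$1/bad/sshd"                 # PAM line forgotten
    printf 'ChallengeResponseAuthentication no\n' > "$1/bad/sshd_config"
    : > "$1/bad/.google_authenticator"                               # empty, default 0644
}

# Demo against the constructed samples (for real use, pass the live paths instead).
SAMPLES=$(mktemp -d)
make_samples "$SAMPLES"
if mfa_preflight "$SAMPLES/good/sshd" "$SAMPLES/good/sshd_config" "$SAMPLES/good/.google_authenticator"; then
    echo "good: safe to restart sshd"
fi
if ! mfa_preflight "$SAMPLES/bad/sshd" "$SAMPLES/bad/sshd_config" "$SAMPLES/bad/.google_authenticator" 2>/dev/null; then
    echo "bad: do NOT restart sshd yet"
fi
rm -rf "$SAMPLES"
```

Two further habits go well with this check: run `sshd -t` to let sshd validate its own configuration syntax, and keep an existing SSH session open while you restart and test from a second one, so a failed login does not leave you locked out. Newer OpenSSH releases call the keyword `KbdInteractiveAuthentication`, which is why the check accepts both spellings.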

[b]2.- A less interesting option: your local login[/b]

Depending on your distro you might be using a different login manager. Pick and edit the correct file among these (you'll likely only have one of them):

  • /etc/pam.d/gdm
  • /etc/pam.d/lightdm
  • /etc/pam.d/kdm

Add this line at the bottom:

[CODE]auth required pam_google_authenticator.so[/CODE]

That's it. Next time you login you'll be prompted first for your password and then for your verification code:

[screenshot: the local login prompt asking for the verification code]

Now, as a side note, why is this local login a "less interesting option"?

The two step authentication will keep users out of your box as long as they don't also have access to your phone, but you shouldn't forget that there's no way to really secure a box if the attacker has physical access to it.

The secret key is stored in your home folder. The attacker could boot your box from a livecd, get the key and generate his own tokens.

Then again, the same holds true for your user password, so that's not to say that two step authentication is not secure; it just has the same problems as any other login method when it comes to physically accessible machines.
