Secure your logins with two-factor authentication
Lockdown
Add an extra layer of protection with one-time passwords.
There really is no such thing as too much security. Thanks to the availability of easy-to-use password cracking tools and multicore processors, it is only a matter of time before a determined hacker breaks your password and gains access to your computer. If you're really concerned about unauthorized access to your computer, you should definitely add an additional layer of authentication (see the "What Is Two-Factor Authentication?" box).
One of the easiest mechanisms for implementing a two-step verification is the Google Authenticator service . You can use the service to issue a time-based authentication token to supplement the existing password challenge. Google Authenticator uses the IETF-approved Open Authentication Time-Based One-Time Password (OATH-TOTP) protocol that generates a password (usually a six-digit number) that's meant for a single use before it expires and is replaced by a new number.
The good thing about the TOTP protocol [3] is that it doesn't require an active connection to the Internet. The protocol uses the current timestamp along with a pre-shared key that's available on both the machine you're trying to log in to, as well as on your portable app used to create the six digit code. When you type in the code at the login prompt in the computer, it performs the same computation with the same pre-shared key and arrives at the same six-digit code, thus allowing you to log in.
The TOTP-based authentication mechanism integrates into the Linux Pluggable Authentication Module (PAM) system. PAM is the most popular authentication infrastructure used on Linux systems to authenticate a user. Once you've integrated the service with your distribution's login manager, in addition to your user password, you'll be prompted for the tokens before being allowed to log in. The tokens are only valid for a limited duration, which effectively means you can't reuse them. So even if an attacker manages to shoulder-surf a token, it'll expire soon and can't be used to gain access after a few seconds. The Google Authenticator app (Figure 1) will generate these OTPs on your Android device once it's been configured to do so for every user on your Linux machine.
What is Two-Factor Authentication?
Broadly speaking, there are three different types of authentication factors. The most common is the use of a password or sometimes a security question to validate a user. Two-factor authentication is the use of another factor to verify the authenticity of the user who wants to gain access. Think of it as an extra layer of security. In addition to something the user knows, like the password, the user is prompted for something they have, like a security token. The use of passwords together with security tokens is known as two-factor authentication. Installations that can't afford security breaches use a third factor for authentication: Biometrics authentication is something you are, like your voice or fingerprint.
The most commonly used two-factor authentication mechanism is the use of passwords along with security token. The authentication tokens can be in the form of physical devices, such as smart cards, or can be doled out by software, such as mobile apps that generate PIN codes for authentication. Google Authenticator [1] (Figure 1) is an example of the latter. Note that while previous versions of the app were open source, the current releases now are all proprietary. For an open source option, check out FreeOTP [2] (Figure 2).
Configure Google Authenticator
To implement this multifactor authentication with Google Authenticator, you'll first need the Google Authenticator PAM module. The PAM mechanism allows for plugging different forms of authentication into a Linux computer.
The Google Authenticator PAM module is available in the official software repositories of major distributions like Ubuntu and Fedora. To install the package on Ubuntu, head to the terminal and type:
sudo apt-get install libpam-google-authenticator
If you are Fedora user, switch to the root user and type
dnf install google-authenticator
to install the PAM module for Google Authenticator.
Once the package has been installed, make sure you're logged in as the user you want to protect with the two-factor authentication. Now irrespective of the distribution, in the terminal window, type google-authenticator
. This will initiate the process of creating a secret key for the user by asking you a bunch of questions. While it's safe to answer yes to all of them, it's a good idea to understand each question before making your final choice as these choices help balance security with ease-of-use.
The first question is a pretty safe one, and you should allow the command to update your Google Authenticator file by answering yes. As soon as you answer in the affirmative, you'll be shown a secret key and several emergency scratch codes. Make sure you note down these emergency scratch codes somewhere safe. They'll help you log in if you misplace the Android phone that generates the OTPs. Also remember that each scratch code can only be used once. The google-authenticator
command will also generate a QR code that you can scan with the Google Authenticator app in your Android phone. Because we haven't installed the app yet, for the time being just note down the 16-digit code, which we'll use to manually add the account on the app.
You'll then be asked if you'd like to disallow multiple uses of the same authentication token. Although it might seem inconvenient at first, it is a good idea to restrict the use of a token, which forces you to wait 30 seconds between logins. You should agree to this limitation for maximum protection. The next question asks for permission to increase the time window for which tokens can be used from the default 1.5 minutes to four minutes. Although you can answer yes to this question to avoid any issues, type no for maximum security. To give you an idea, if you answer yes here, Google Authenticator will generate up to eight valid codes in a four minute window. By declining to increase the time window, you limit this to only three valid codes in a 1.5 minute window. In any case, if you notice any issues later on, refer to the "What's in the Hidden File?" box to increase the expiration time.
The fourth and the last question asks you to limit the number of attempts for entering the authentication code. You should definitely enable this option as it helps prevent brute-force login attacks. Once enabled, the Google Authenticator PAM module will force the attacker to wait for 30 seconds after he's entered a wrong code thrice.
Now repeat this process for each user account that uses your computer. Ask everyone you share the computer with to log into their account and then run google-authenticator
and make a note of their respective emergency scratch codes and the 16-digit code.
Plug In the Module
After you've generated the authentication code for all users, it's time to configure the login process to work with Google Authenticator. All you need to do is edit one file to add two-step authentication for all login attempts. The file you need to edit varies from one distribution to another. For example, if you are using Fedora, to prompt users for an authentication token before they are allowed to login into their desktop, fire up the terminal and type:
$ su - # nano /etc/pam.d/gdm-password
The file will have several lines with the top few beginning with the word auth
(Figure 4). In a new line below the last auth
line, enter the following:
# To use OTPs generated by Google Authenticator auth required pam_google_authenticator.so nullok
The nullok
bit at the end of the line asks the distribution to let a user login even if they haven't run the google-authenticator
command to set up two-factor authentication. Say you have two users, andrea and george, but have set up Google Authentication only for andrea. Thanks to nullok
, while andrea will have to enter the OTP, george will be able to log in with just his password. Note however that while this is a useful flexibility to have while you're testing Google Authenticator, once everything works smoothly and you have no issues logging in with the two-factor authentication, it's advisable to force all users to log in through Google Authenticator only by removing nullok
from the end of this command.
In Ubuntu, however, you can add this line to the common-auth
file, which is included in various other PAM configuration files. Open the file in a text editor with sudo nano /etc/pam.d/common-auth
. Now scroll to the end of the file and add the above given line along with the comment. By adding the Google Authenticator PAM module to the common-auth file, we've asked Ubuntu to use the one-time passwords for all login attempts, including calls to sudo.
Set Up the App
Your Linux distribution is now all set up for two-factor authentication. To receive the OTPs, you'll now have to install the Google Authenticator app on your Android mobile phone from Google Play. After installing the app, you'll have to add an account for all the users you've run the google-authenticator
command for on your Linux installation.
As soon as you launch the app on your mobile device, it'll take you through a small tour advertising its use. When you've run through the tour (Figure 5), you'll be presented with a screen to add an account for a user you've already configured to use Google Authenticator in your Linux distribution. The app lets you add an account either by scanning a QR code or by manually adding the unique 16-digit key.
While scanning the QR code is the more convenient of the two options, we'll manually enter the code by tapping on the Enter a provided key option. In the following screen, first specify the name of the user for which this is meant, such as Mayank and then enter the 16-digit key you had made a note of earlier.
If you've keyed it in properly, the phone will vibrate to confirm, and the app will display a six digit code. Below this code will be the name of user that this code will help authenticate along with an animated timer that counts down to 30 seconds after which the app displays a new code.
If you've followed our advice and run the google-authenticator helper script for more than one user, you'll have to bring them to the attention of the Android app to generate OTPs for these other accounts as well. For this, first tap the + icon followed by the Enter a provided key and then repeat the process described above to first add a name to identify the user followed by their 16-digit secret key.
That's it, you've now successfully set up two-factor authentication for your Linux installation. The Android app will keep generating a new six-digit code every 30 seconds. When you log into your account, your distribution will prompt for your password before asking you to enter the authentication code for the account. At this point, enter the digits currently on display in the Android app.
Once you've logged in successfully, make sure you edit the /etc/pam.d/gdm-password
or the /etc/pam.d/common-auth file
and remove the nullok
option to force logins through Google Authenticator. Also remember to create an account in the Android app for all the users on your installation. If you've lost your Android device that generates the OTPs, refer to the "Troubleshoot the Authenticator" box to wriggle out of a potentially sticky situation.
Troubleshoot the Authenticator
If you can't access the the Android device that generates OTPs, you can use one of the five scratch codes to log into the machine. Note that these recovery codes are for one-time use and cannot be reused. If you've changed phones, install the Google Authenticator app on the new mobile and simply use the secret key in the ~/.google-authenticator
file to generate OTPs.
If, however, you've misplaced the Android device that doles out the OTPs, you should immediately generate a new secret key. To do this, once you've logged in using the scratch codes, first delete the existing ~/.google-authenticator
file and then rerun the google-authenticator helper script to generate a new ~/.google-authenticator
file. Now install the Google Authenticator app on a new mobile and add the newly generated secret key.
Going through the additional security prompt might seem like a hassle at first. However, if you're using the computer in a public place, you'll quickly learn to appreciate the benefits of the two-factor authentication mechanism.
Buy this article as PDF
(incl. VAT)
Buy Linux Magazine
Subscribe to our Linux Newsletters
Find Linux and Open Source Jobs
Subscribe to our ADMIN Newsletters
Support Our Work
Linux Magazine content is made possible with support from readers like you. Please consider contributing when you’ve found an article to be beneficial.
News
-
The Gnome Foundation Struggling to Stay Afloat
The foundation behind the Gnome desktop environment is having to go through some serious belt-tightening due to continued financial problems.
-
Thousands of Linux Servers Infected with Stealth Malware Since 2021
Perfctl is capable of remaining undetected, which makes it dangerous and hard to mitigate.
-
Halcyon Creates Anti-Ransomware Protection for Linux
As more Linux systems are targeted by ransomware, Halcyon is stepping up its protection.
-
Valve and Arch Linux Announce Collaboration
Valve and Arch have come together for two projects that will have a serious impact on the Linux distribution.
-
Hacker Successfully Runs Linux on a CPU from the Early ‘70s
From the office of "Look what I can do," Dmitry Grinberg was able to get Linux running on a processor that was created in 1971.
-
OSI and LPI Form Strategic Alliance
With a goal of strengthening Linux and open source communities, this new alliance aims to nurture the growth of more highly skilled professionals.
-
Fedora 41 Beta Available with Some Interesting Additions
If you're a Fedora fan, you'll be excited to hear the beta version of the latest release is now available for testing and includes plenty of updates.
-
AlmaLinux Unveils New Hardware Certification Process
The AlmaLinux Hardware Certification Program run by the Certification Special Interest Group (SIG) aims to ensure seamless compatibility between AlmaLinux and a wide range of hardware configurations.
-
Wind River Introduces eLxr Pro Linux Solution
eLxr Pro offers an end-to-end Linux solution backed by expert commercial support.
-
Juno Tab 3 Launches with Ubuntu 24.04
Anyone looking for a full-blown Linux tablet need look no further. Juno has released the Tab 3.