Smartphone-based two-factor authentication

Gnome Display Manager

If your console system uses a Gnome graphical user interface, you can also enable 2FA at login time. To do this, make the same changes previously discussed, but in a different file: /etc/pam.d/gdm-password (Listing 5). After a restart, Gnome prompts you for the second factor at login time.

Listing 5

Modifying /etc/pam.d/gdm-password

[...]
@include common-auth
# insert this line:
auth required pam_google_authenticator.so
[...]

Passwordless Login

Going back to logging in via SSH, many users prefer passwordless access via public key authentication. To do this, the user bob enters the command

ssh-keygen -t rsa -b 4096

on their client to generate a key pair (Figure 5).

Figure 5: For a passwordless login, Bob generates a key pair on the client.

After that, the command

ssh-copy-id bob@influx

is sufficient, followed by the input of the current password. Bob can now log on to the influx server without entering a password.

Passwordless login can also be combined with 2FA. To do this, change the two configuration files on the server that I discussed previously. First open /etc/ssh/sshd_config and enter the following line at the end of the file, which makes sshd require public key authentication followed by a keyboard-interactive exchange:

AuthenticationMethods publickey,keyboard-interactive

Second, edit /etc/pam.d/sshd. Here you need to disable the line that reads @include common-auth by adding a hash sign (#) at the start of the line, so that PAM no longer asks for the account password:

#@include common-auth

Then run the systemctl restart ssh command to restart the SSH service. When Bob now logs on to the server, he does not have to enter a password, but he does have to enter the one-time password from the smartphone app.
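A shell check for the key plus one-time password settings described above. This is an added example, not code from the article: the function names first_value and check_ssh_2fa are hypothetical, and it assumes the pam_google_authenticator.so line from the earlier SSH setup is already in /etc/pam.d/sshd.

```shell
# Added example (not from the article): audit the key + OTP configuration.
# first_value and check_ssh_2fa are hypothetical helper names.

# Print the first uncommented value of an sshd_config keyword. sshd uses the
# first value it reads, so a line appended at the end of the file loses to an
# earlier one. Match blocks and Include files are not evaluated here.
first_value() {  # $1 = keyword, $2 = sshd_config path
    awk -v key="$1" '
        tolower($1) == tolower(key) { $1 = ""; sub(/^[ \t]+/, ""); print; exit }
    ' "$2"
}

check_ssh_2fa() {  # $1 = sshd_config path, $2 = PAM file for sshd
    sshd_cfg=${1:-/etc/ssh/sshd_config}
    pam_cfg=${2:-/etc/pam.d/sshd}
    rc=0
    methods=$(first_value AuthenticationMethods "$sshd_cfg")
    [ -n "$methods" ] || { echo "FAIL: AuthenticationMethods not set"; rc=1; }
    # Each space-separated list is an alternative; all must demand both factors.
    for list in $methods; do
        case ",$list," in
            *,publickey,*) ;;
            *) echo "FAIL: '$list' does not require publickey"; rc=1 ;;
        esac
        case ",$list," in
            *,keyboard-interactive,*|*,keyboard-interactive:*) ;;
            *) echo "FAIL: '$list' does not require keyboard-interactive"; rc=1 ;;
        esac
    done
    # An active common-auth include brings the password prompt back.
    if grep -Eq '^[[:space:]]*@include[[:space:]]+common-auth' "$pam_cfg"; then
        echo "FAIL: @include common-auth is still active in $pam_cfg"; rc=1
    fi
    # The OTP module must remain in the auth stack (assumed added earlier).
    if ! grep -Eq '^[[:space:]]*auth[[:space:]]+.*pam_google_authenticator\.so' "$pam_cfg"; then
        echo "FAIL: pam_google_authenticator.so missing from $pam_cfg"; rc=1
    fi
    if [ "$rc" -eq 0 ]; then
        echo "OK: public key plus one-time password enforced"
    fi
    return "$rc"
}
```

Call check_ssh_2fa without arguments to audit the two files named in this section. Where Match blocks or included files are in play, sshd -T prints the effective settings.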

Conclusions

Security is not witchcraft. As shown here, even simple mechanisms such as 2FA can make logging on to a system far more secure. 2FA gives you additional protection against unwanted visitors, even if users choose weak passwords.
