Sup all

I have been working on an easy way to enable 2FA on my local laptop using Google Authenticator, and it turned out to be easier.

All these steps were done on Gentoo installs, but should translate easily to non-Gentoo distros.

This is the google-authenticator module that we are installing:

% eix google-authenticator
[I] sys-auth/google-authenticator
     Available versions:  (~)1.01_pre20160307231538 **9999
     Installed versions:  1.01_pre20160307231538(02:41:56 PM 07/05/2016)
     Homepage:            https://github.com/google/google-authenticator
     Description:         PAM Module for two step verification via mobile platform

which we will install like so:
sudo emerge -av google-authenticator
This is the same as sudo apt-get install or sudo yum install.

Then we will run google-authenticator as the regular user, which should give you a screen similar to this:

Now, either copy that URL into a browser to generate a QR code that you can scan with the Google Authenticator app, or take the secret key and enter it into your authenticator app. Don’t forget to save the temp codes that it gave you somewhere safe in case you lose your authenticator device.

Once that is done, we are going to add the line "auth required pam_google_authenticator.so" to /etc/pam.d/passwd, /etc/pam.d/login, and /etc/pam.d/sshd:

[cbodden:/etc/pam.d] % egrep google *
login:auth         required     pam_google_authenticator.so
passwd:auth        required     pam_google_authenticator.so
sshd:auth       required     pam_google_authenticator.so

Depending on where you place this new line in these files, you will be asked for the verification code before or after your actual password.

Since I do not use a login manager, I would assume that you would also have to add that line to any files associated with your login manager under /etc/pam.d.

For SSH usage, we have to set ChallengeResponseAuthentication to yes (uncommenting the line if needed) in /etc/ssh/sshd_config, then restart sshd (/etc/init.d/sshd restart).

Now let's test. Press Alt+Ctrl+F2 (assuming you are using tty7 for your X Window System session); this should give you a login prompt. Test a login.

Good to go.
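A configuration check to go with the manual login test, added here as an example and not part of the original post: it reports whether pam_google_authenticator.so is present and enforced in a PAM service file, whether the code is asked for before or after the password, and which value sshd will actually use for a keyword such as ChallengeResponseAuthentication. The function names and sample file contents are constructed for illustration, and the ordering check assumes the password prompt comes from pam_unix.so or an included stack.

```python
import re

GA = "pam_google_authenticator.so"
AUTH_LINE = re.compile(r"^\s*-?auth\s+(\[[^\]]*\]|\S+)\s+(\S+)")

# Constructed sample files for the demo (not copied from the post's machine).
SAMPLE_PAM_LOGIN = """\
auth       required     pam_securetty.so
auth       include      system-local-login
auth       required     pam_google_authenticator.so
account    include      system-local-login
"""
SAMPLE_SSHD_CONFIG = """\
#ChallengeResponseAuthentication no
ChallengeResponseAuthentication yes
UsePAM yes
"""

def auth_stack(pam_text):
    """Active auth entries as (control, module), in the order PAM evaluates them."""
    entries = []
    for line in pam_text.splitlines():
        m = AUTH_LINE.match(line.split("#", 1)[0])
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries

def check_pam(pam_text):
    """Classify how the Google Authenticator module sits in one service file."""
    stack = auth_stack(pam_text)
    ga = next((i for i, (_, mod) in enumerate(stack) if mod == GA), None)
    if ga is None:
        return "missing"
    if stack[ga][0] not in ("required", "requisite"):
        return "not-enforced"  # e.g. optional/sufficient never forces a code
    # Assumption: the password prompt comes from pam_unix.so or an included stack.
    pw = next((i for i, (ctl, mod) in enumerate(stack)
               if mod == "pam_unix.so" or ctl in ("include", "substack")), None)
    if pw is None:
        return "code-only"
    return "code-before-password" if ga < pw else "code-after-password"

def sshd_option(config_text, name):
    """First active value of a global sshd_config keyword (sshd keeps the first one)."""
    for line in config_text.splitlines():
        fields = re.split(r"[\s=]+", line.split("#", 1)[0].strip())
        if fields[0].lower() == "match":
            break  # later lines apply only to matching connections
        if len(fields) >= 2 and fields[0].lower() == name.lower():
            return fields[1].lower()
    return None
```

Feed check_pam the contents of each file you edited under /etc/pam.d and sshd_option the contents of your sshd config. sshd only consults the PAM stack when UsePAM is yes, which sshd_option can confirm the same way.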

charlie root

VP of keeping it real / HNIC at pissedoffadmins.com
I bring the cold coffee.
