Secure your local and ssh login with google 2FA
I have been working on an easy way to enable 2FA on my local laptop using Google Authenticator, and it turned out to be easier than expected.
All these steps were done on Gentoo installs, but they should translate easily to non-Gentoo distros.
This is the google-authenticator module that we are installing:
    % eix google-authenticator
    [I] sys-auth/google-authenticator
         Available versions:  (~)1.01_pre20160307231538 **9999
         Installed versions:  1.01_pre20160307231538(02:41:56 PM 07/05/2016)
         Homepage:            https://github.com/google/google-authenticator
         Description:         PAM Module for two step verification via mobile platform
which we will install like so:
    sudo emerge -av google-authenticator
This is the equivalent of sudo apt-get install or sudo yum install on other distros.
Then we run google-authenticator as the regular user, which should give you a screen similar to this:
Now, either copy that URL into a browser to generate a QR code that you scan with the Google Authenticator app, or type the secret key into your authenticator app. Don’t forget to save the emergency (scratch) codes it printed somewhere safe in case you lose your authenticator device.
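To make clear what the secret key actually is, here is an added example (not code from the post or from the google-authenticator project) that computes the same time-based codes the authenticator app derives from that base32 secret, using the RFC 6238 defaults the PAM module also uses (HMAC-SHA1, 30-second step, 6 digits). The sample secret and the label in the otpauth URI are constructed values, and the verifier only accepts a small clock-skew window; replay protection (rejecting a code that was already used) is deliberately left out.

```python
# Added example: TOTP as an authenticator app computes it from a base32 secret.
# Illustrative code, not part of google-authenticator; RFC 4226/6238 defaults.
import base64
import hashlib
import hmac
import struct
import time


def decode_secret(secret_b32: str) -> bytes:
    """Decode a base32 secret as printed by google-authenticator
    (case-insensitive, embedded spaces ignored, '=' padding optional)."""
    s = secret_b32.replace(" ", "").upper()
    s += "=" * (-len(s) % 8)
    return base64.b32decode(s)


def hotp(key: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 4226 HOTP: HMAC over the big-endian counter, then dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(key: bytes, at: int, step: int = 30, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step)."""
    return hotp(key, at // step, digits, algo)


def verify_code(key: bytes, code: str, at: int, window: int = 1, step: int = 30) -> bool:
    """Accept the code for the current step or +/- `window` steps of clock skew.
    Comparison is constant-time. Replay tracking is omitted here on purpose."""
    counter = at // step
    for c in range(counter - window, counter + window + 1):
        if hmac.compare_digest(hotp(key, c, len(code)), code):
            return True
    return False


def otpauth_uri(label: str, secret_b32: str, issuer: str = "") -> str:
    """Key-URI form that authenticator apps import (this is what a QR code encodes)."""
    uri = f"otpauth://totp/{label}?secret={secret_b32}"
    return uri + (f"&issuer={issuer}" if issuer else "")


# RFC 6238 reference secret for the SHA1 test vectors (ASCII "12345678901234567890").
RFC6238_SHA1_SECRET = b"12345678901234567890"

if __name__ == "__main__":
    # Constructed sample secret in the format google-authenticator prints; not a real account.
    sample_secret = "JBSWY3DPEHPK3PXP"
    key = decode_secret(sample_secret)
    now = int(time.time())
    print("URI for the app:", otpauth_uri("user@laptop", sample_secret))
    print("current code:", totp(key, now), "valid for", 30 - now % 30, "more seconds")
```

Running the block prints the otpauth URI for the sample secret and the code valid right now; pointing it at the secret from your own ~/.google_authenticator file lets you check that your app and the PAM module agree on the time step.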
Once that is done, we are going to add the line:
    auth required pam_google_authenticator.so
to /etc/pam.d/passwd, /etc/pam.d/login, and /etc/pam.d/sshd:
    [cbodden:/etc/pam.d] % egrep google *
    login:auth required pam_google_authenticator.so
    passwd:auth required pam_google_authenticator.so
    sshd:auth required pam_google_authenticator.so
Depending on where you place this new line in these files, you are asked for the verification code before or after your actual password.
Since I do not use a login manager, I assume you would also have to add that line to any files under /etc/pam.d associated with your login manager.
For ssh usage, we have to uncomment ChallengeResponseAuthentication in /etc/ssh/sshd_config and set it to yes, then restart sshd (/etc/init.d/sshd restart).
Now let's test. Press Alt+Ctrl+F2 (assuming you are using tty7 for your X session); this should give you a login prompt. Test a login.
Good to go.
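The PAM and sshd edits above are the places where this setup most often ends up weaker than intended, so here is an added audit script (not from the post or the google-authenticator project) that checks them. It works on file contents passed in as strings, so it runs here against constructed samples of /etc/pam.d/sshd and /etc/ssh/sshd_config and can be pointed at the real files. It flags three things a practitioner would want to know: a nullok option (users with no ~/.google_authenticator skip the code), a sufficient control (a valid code would short-circuit later modules), and a missing AuthenticationMethods setting (with OpenSSH, a login that succeeds with a public key never runs the PAM auth stack, so keys bypass the code unless publickey,keyboard-interactive is required). It also accepts KbdInteractiveAuthentication, the newer name for ChallengeResponseAuthentication, and assumes a single global section (Match blocks are not evaluated).

```python
# Added example: audit the pam_google_authenticator and sshd settings from the post.
# Illustrative code; file contents are passed in, samples below are constructed.
import re

# auth <control> [path/]pam_google_authenticator.so [options...]
PAM_LINE = re.compile(
    r"^\s*auth\s+(required|requisite|sufficient|optional|\[[^\]]*\])\s+"
    r"(?:\S*/)?pam_google_authenticator\.so(?:\s+(.*?))?\s*$"
)


def pam_google_auth(text):
    """Return (control, [options]) of the first active pam_google_authenticator line, else None."""
    for line in text.splitlines():
        if line.lstrip().startswith("#"):
            continue
        m = PAM_LINE.match(line)
        if m:
            return m.group(1), (m.group(2) or "").split()
    return None


def sshd_option(text, keyword):
    """sshd_config semantics: first active occurrence wins, keyword is case-insensitive,
    'key value' or 'key=value'. Stops at the first Match block (assumption: global section only)."""
    for line in text.splitlines():
        s = line.strip()
        if not s or s.startswith("#"):
            continue
        if s.lower().startswith("match "):
            break
        parts = re.split(r"[\s=]+", s, maxsplit=1)
        if len(parts) == 2 and parts[0].lower() == keyword.lower():
            return parts[1].strip()
    return None


def audit(pam_sshd_text, sshd_config_text):
    """Return a list of findings; an empty list means the settings match the post's intent."""
    findings = []
    pam = pam_google_auth(pam_sshd_text)
    if pam is None:
        findings.append("pam: no active 'auth ... pam_google_authenticator.so' line in /etc/pam.d/sshd")
    else:
        control, opts = pam
        if control == "sufficient":
            findings.append("pam: 'sufficient' lets a valid code skip the remaining auth modules; use 'required'")
        if "nullok" in opts:
            findings.append("pam: 'nullok' exempts users without ~/.google_authenticator; drop it once everyone is enrolled")
    cra = (sshd_option(sshd_config_text, "ChallengeResponseAuthentication") or "").lower()
    kbd = (sshd_option(sshd_config_text, "KbdInteractiveAuthentication") or "").lower()
    if cra != "yes" and kbd != "yes":
        findings.append("sshd: ChallengeResponseAuthentication yes is needed or the PAM code prompt is never shown")
    if (sshd_option(sshd_config_text, "UsePAM") or "").lower() != "yes":
        findings.append("sshd: UsePAM yes is needed for pam_google_authenticator to run at all")
    if sshd_option(sshd_config_text, "AuthenticationMethods") is None:
        findings.append("sshd: no AuthenticationMethods; public-key logins skip the PAM auth stack and thus the code")
    return findings


# Constructed samples of the two files as the post leaves them.
SAMPLE_PAM_SSHD = """\
# constructed /etc/pam.d/sshd
auth       required     pam_google_authenticator.so nullok
auth       include      system-remote-login
account    include      system-remote-login
"""

SAMPLE_SSHD_CONFIG = """\
# constructed /etc/ssh/sshd_config
#ChallengeResponseAuthentication no
ChallengeResponseAuthentication yes
UsePAM yes
PasswordAuthentication no
"""

# Constructed hardened variant: no nullok, key plus code required for every login.
HARDENED_PAM_SSHD = SAMPLE_PAM_SSHD.replace(" nullok", "")
HARDENED_SSHD_CONFIG = SAMPLE_SSHD_CONFIG + "AuthenticationMethods publickey,keyboard-interactive\n"

if __name__ == "__main__":
    for name, pam, cfg in (("as in the post", SAMPLE_PAM_SSHD, SAMPLE_SSHD_CONFIG),
                           ("hardened", HARDENED_PAM_SSHD, HARDENED_SSHD_CONFIG)):
        print(f"== {name} ==")
        for f in audit(pam, cfg) or ["no findings"]:
            print(" -", f)
```

To run it against a live host, read /etc/pam.d/sshd and /etc/ssh/sshd_config into strings and pass them to audit(); an empty list means the code is actually enforced for every ssh login, not only for password logins.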