This guide helps you enable two factor authentication (2FA) using the ‘Google-Authenticator‘ project for logging into your Ubuntu Operating System. The Google Authenticator project though developed by Google engineers, is an open source project and is independent of Google services and products. It can be used in any of supporting applications or products as two step verification for authentication.
In this implementation we use Ubuntu 12.04 Operating System and a mobile phone with Android 2.3 OS. You can use any distribution of Ubuntu or Linux with little or no modification. And in place of Android, you can either use an iPhone, Windows Mobile or Blackberry. The One-time passcodes generated by Google project uses the open standard developed by the Initiative for Open Authentication (OATH).
Follow the steps below to install and enable the 2FA and to use time based one time passwords (TOTP) for your Ubuntu OS login:
1. In your terminal window, clone the ’Google-Authenticator’ project using git (recommended). Git will download the latest version and no decompression needed:
git clone https://code.google.com/p/google-authenticator/
If git is not available, use ‘wget’ or download the source code using browser from their project site - http://code.google.com/p/google-authenticator/. (before using the command below, check for latest version):
Go into the downloaded folder and uncompress the file:
tar jxvf libpam-google-authenticator-1.0-source.tar.bz2
2. Now build and install it. Go to the folder ’/google-authenticator/libpam/’. If wget is used, go to the folder where it is uncompressed ’libpam-google-authenticator-1.0′ and run the following command:
sudo make install
It should complete without errors.
3. Now that Google-authenticator is installed, you need to tell Ubuntu to use 2FA for login authentication by editing the appropriate PAM (Pluggable Authentication Module) configuration files. In our case we need to enable it for the Ubuntu’s Unity lightdm (display manager) PAM config file. Run the command to edit the file:
sudo nano /etc/pam.d/lightdm
Add the following text at the end:
auth required pam_google_authenticator.so nullok
The ‘nullok’ at the end is important. This tells the authentication module to use Google 2FA only for users who have enabled it. If not it will prompt for all users including who have not enabled it and eventually lock them out.
Hit Ctrl+o and Ctrl+x to save and exit.
4. To maintain the same security level we need to enable 2FA for the screen-saver also. Add the above text to the screen-saver config file by editing it:
sudo nano /etc/pam.d/gnome-screensaver
5. Now enable Google 2FA for your account. Run the following command:
It creates a new secret key in your home folder and if ‘libqrencode’ library is installed it generates a QR code in the terminal window that can be scanned using an Android or iPhone. The phone should have Google Authenticator app installed. It looks something like this:
Enter ‘y’ for first question and answer accordingly for rest of the prompts. We have to balance between security and user friendly. You may select options based on your need.
6. Scan the QR code with your mobile; if you don’t have scanner app, add the code manually. Once the secret key is added, the Google Authenticator app will generate unique time based one time password (TOTP) every 30 seconds. The crucial part is the time on the mobile and the Ubuntu OS should be in sync. Though the PAM adjusts for little skew in time, a large difference will lock you out of your box.
7. Copy the emergency scratch codes somewhere else, (not in a notepad on same system) write on a sheet paper and keep in your wallet. These codes are to be used if mobile phone is not available or if the code doesn’t work. And of course, they are one time use.
Refer to their Wiki and ReadMe file for details and troubleshooting.
8. This actually completes the installation and setup. To test this, logout or lock your display and go to the login screen. On the login prompt select your user account, enter account password and hit enter. This is your first authentication.
9. You will be prompted to enter a ‘Verification Code’, as shown in the image at the top of this post. Enter the code that is displayed on your mobile screen and hit enter key to login. This is the second authentication.
The code is valid for 30 seconds only. The code and app works even with no wifi or mobile network coverage.
We suggest you not to attempt this directly on a production machine. Try this on a test machine for another user account keeping your primary account with root privileges intact.