Using Google Two-Factor Authentication for Ubuntu Login

Two factor Authentication Prompt at the Ubuntu Screen

This guide helps you enable two factor authentication (2FA) using the ‘Google Authenticator’ project for logging into your Ubuntu operating system. Although the Google Authenticator project was developed by Google engineers, it is open source and independent of Google services and products. It can be used as a second verification step in any application or product that supports it.

In this implementation we use Ubuntu 12.04 and a mobile phone running Android 2.3. You can use any distribution of Ubuntu or Linux with little or no modification, and in place of Android you can use an iPhone, Windows Mobile or BlackBerry. The one-time passcodes generated by the Google project use the open standard developed by the Initiative for Open Authentication (OATH).

Follow the steps below to install and enable 2FA and to use time-based one-time passwords (TOTP) for your Ubuntu login:

1. In your terminal window, clone the ‘Google-Authenticator’ project using git (recommended). Git downloads the latest version and no decompression is needed:

git clone https://code.google.com/p/google-authenticator/

If git is not available, use ‘wget’ or download the source code with a browser from the project site – http://code.google.com/p/google-authenticator/ (before using the command below, check for the latest version):

wget http://google-authenticator.googlecode.com/files/libpam-google-authenticator-1.0-source.tar.bz2

Go into the downloaded folder and uncompress the file:

tar jxvf libpam-google-authenticator-1.0-source.tar.bz2

2. Now build and install it. Go to the folder ‘/google-authenticator/libpam/’. If wget was used, go to the folder where the archive was uncompressed, ‘libpam-google-authenticator-1.0’, and run the following command:

sudo make install

It should complete without errors.

3. Now that Google Authenticator is installed, you need to tell Ubuntu to use 2FA for login authentication by editing the appropriate PAM (Pluggable Authentication Modules) configuration files. In our case we need to enable it in the PAM config file for Ubuntu’s Unity display manager, lightdm. Run this command to edit the file:

sudo nano /etc/pam.d/lightdm

Add the following text at the end:

auth required pam_google_authenticator.so nullok

The ‘nullok’ at the end is important. It tells the authentication module to require Google 2FA only for users who have enabled it. Without it, the module prompts all users, including those who have not enabled it, and locks them out.

Hit Ctrl+o and Ctrl+x to save and exit.

4. To maintain the same security level, enable 2FA for the screensaver as well. Add the same line to the screensaver PAM config file by editing it:

sudo nano /etc/pam.d/gnome-screensaver

QR Code and options for two factor authentication

5. Now enable Google 2FA for your account. Run the following command:

google-authenticator

It creates a new secret key in your home folder and, if the ‘libqrencode’ library is installed, prints a QR code in the terminal window that can be scanned with an Android phone or iPhone. The phone should have the Google Authenticator app installed. It looks something like this:

Enter ‘y’ for the first question and answer the remaining prompts as appropriate. There is a trade-off between security and user friendliness; select the options that fit your needs.

Android Google Authenticator

6. Scan the QR code with your mobile; if you don’t have a scanner app, add the code manually. Once the secret key is added, the Google Authenticator app generates a unique time-based one-time password (TOTP) every 30 seconds. The crucial part is that the time on the mobile and on the Ubuntu OS must be in sync. Though the PAM module adjusts for a small skew in time, a large difference will lock you out of your box.

7. Copy the emergency scratch codes somewhere else (not in a notepad on the same system); write them on a sheet of paper and keep it in your wallet. These codes are to be used if the mobile phone is not available or if the code doesn’t work. And of course, they are for one-time use only.

Refer to the project’s Wiki and README file for details and troubleshooting.

8. This completes the installation and setup. To test it, log out or lock your display and go to the login screen. At the login prompt select your user account, enter your account password and hit Enter. This is your first authentication factor.

9. You will be prompted to enter a ‘Verification Code’, as shown in the image at the top of this post. Enter the code displayed on your mobile screen and hit Enter to log in. This is the second authentication factor.

The code is valid for 30 seconds only. The code and the app work even with no Wi-Fi or mobile network coverage.

We suggest you do not attempt this directly on a production machine. Try it on a test machine with a separate user account, keeping your primary account with root privileges intact.

  • Greg

    I have one question. You wrote
    “This tells the authentication module to use Google 2FA only for users who have enabled it.”
    How can I make sure that Google 2FA is enabled for all users? Do I have to go through all these steps for each new user?

    • http://www.packetverify.com/ Packet Verify

      You don’t have to go through all the steps. Steps 1 through 4 will install Google 2FA on your computer. Steps 5 to 7 will enable it for each user. Since the secret is unique, you have to generate it for each user.

  • Meher Chaitanya

    Why can’t I log in after I’ve set up google authenticator for lightdm and gnome-screensaver?

    • http://www.packetverify.com/about/ Niranjan

      If it’s stopping at Verification code, then check if the PC time and mobile time are in sync or if 2FA is enabled for the right account.

    • http://www.packetverify.com/ Packet Verify

      If it’s stopping at Verification code, then check if the time on the PC and mobile are in sync or if 2FA is enabled for the right account.

      • Meher Chaitanya

        It just says wrong password!

        • benjabean1

          bump

          • Michel

            “nullok” is for Ubuntu 13.04.
            For Ubuntu 12.04, remove “nullok” in the file “/etc/pam.d/lightdm”:

            auth required pam_google_authenticator.so

            To restore the file “/etc/pam.d/lightdm” on the login screen, press
            ALT+CTRL+F6, insert username and password to access the console, and
            edit the file with the command:

            sudo nano /etc/pam.d/lightdm

            The same thing for:

            /etc/pam.d/gnome-screensaver

            I hope I was clear, sorry for my English

  • Andrew

    The lightdm greeter isn’t prompting me for the code but gnome-screensaver lock does. Both files were updated and I checked for typos. My greeter has the user list hidden and manual login allowed. Any thoughts on this?

    • http://www.packetverify.com/ Packet Verify

      Hi Andrew, it should work for both the user list and manual login. But it looks like you are using a different display manager. Please check if you are using the default Unity DM or a different one, like GDM, Unity2D, XFCE, etc. If so, you can add it to the appropriate PAM file to enable 2FA.

  • Edward James Bickels

    Add sudo nano /etc/pam.d/lightdm-greeter to get it on login

  • Thiago

    Very good!!