It was remarkably easy to add Google Authenticator to my Ubuntu login, so I wanted to share. First I installed the package with this:
sudo apt-get install libpam-google-authenticator
After it installed, I ran the setup with this command:
google-authenticator
This provided me with the QR code to add to my iPhone’s Authenticator app, my secret key, a verification code, and emergency scratch codes. (Emergency scratch codes are one-time-use verification codes that can be used in case you lose your phone.) I saved this information in a text file that I then encrypted with PGP for safe keeping.
Then I answered the following questions Google Authenticator asked like this:
Do you want me to update your "~/.google_authenticator" file (y/n) y
That’s kind of a no-brainer. That’s why you are doing this.
Do you want to disallow multiple uses of the same authentication token? This restricts you to one login about every 30s, but it increases your chances to notice or even prevent man-in-the-middle attacks (y/n) y
Probably a good idea… if someone can sniff out what you are entering, they can quickly log in from another location within the time allotted, without the Authenticator app or your key.
By default, tokens are good for 30 seconds and in order to compensate for possible time-skew between the client and the server, we allow an extra token before and after the current time. If you experience problems with poor time synchronization, you can increase the window from its default size of 1:30min to about 4min. Do you want to do so (y/n) n
Probably don’t need this unless you know you have time sync issues.
If the computer that you are logging into isn't hardened against brute-force login attempts, you can enable rate-limiting for the authentication module. By default, this limits attackers to no more than 3 login attempts every 30s. Do you want to enable rate-limiting (y/n) y
Definitely want this on. You should always have this on.
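To make the options above concrete, here is an added Python model of how the module checks a code (my own illustration, not the pam_google_authenticator source): it reads a constructed file in the layout the setup writes (the secret here is the RFC 6238 test key, not a real one), accepts a scratch code once, allows one 30-second step of skew on either side, and rejects a reused code. The exact WINDOW_SIZE and DISALLOW_REUSE line formats are simplified assumptions.

```python
import base64
import hashlib
import hmac
import struct

# Constructed sample in the layout google-authenticator writes to
# ~/.google_authenticator: base32 secret, option lines, then scratch codes.
# The secret is the RFC 6238 test key "12345678901234567890" in base32.
SAMPLE_FILE = """GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ
" RATE_LIMIT 3 30
" WINDOW_SIZE 3
" DISALLOW_REUSE
" TOTP_AUTH
12345678
87654321
"""

def parse_ga_file(text):
    """Parse the (simplified, assumed) file layout into a verifier state."""
    lines = text.splitlines()
    state = {"secret": base64.b32decode(lines[0].strip()), "window": 3,
             "disallow_reuse": False, "scratch": set(), "used": set()}
    for line in lines[1:]:
        if line.startswith('" WINDOW_SIZE'):
            state["window"] = int(line.split()[2])   # number of accepted codes
        elif line.startswith('" DISALLOW_REUSE'):
            state["disallow_reuse"] = True
        elif line.startswith('"'):
            continue                                 # other option lines
        elif line.strip():
            state["scratch"].add(line.strip())       # emergency scratch code
    return state

def totp(secret, counter, digits=6):
    """RFC 6238 TOTP (HMAC-SHA1, 30-second steps) for one counter value."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return "%0*d" % (digits, code % (10 ** digits))

def verify(state, code, now):
    """Accept a scratch code once, or a TOTP within the window not yet used."""
    if code in state["scratch"]:
        state["scratch"].discard(code)               # one-time use
        return True
    counter = int(now // 30)
    half = state["window"] // 2                      # WINDOW_SIZE 3 => +/- 1 step
    for c in range(counter - half, counter + half + 1):
        if hmac.compare_digest(totp(state["secret"], c), code):
            if state["disallow_reuse"] and c in state["used"]:
                return False                         # same token used twice
            state["used"].add(c)
            return True
    return False
```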
So far you have only set up Google Authenticator. Now you must connect it to your login process. For SSH, modify /etc/pam.d/sshd and add this line at the bottom:
auth required pam_google_authenticator.so
Then edit /etc/ssh/sshd_config and set it to say this:
ChallengeResponseAuthentication yes
The ChallengeResponseAuthentication line may already be there. Mine was set to “no”, so I just changed it to yes. You may have to add the line if it’s not there, or you may need to uncomment it. Lines beginning with “#” are comments.
Once this is done, all you have to do is restart the ssh service:
sudo service ssh restart
For the local login, add “auth required pam_google_authenticator.so” to whichever service you use: “/etc/pam.d/gdm”, “/etc/pam.d/lightdm”, or “/etc/pam.d/kdm”. This option isn’t as important to me, because if someone were physically at my machine, they could boot from a startup disk, log in, and even obtain my keys to authenticate later from a remote location (which is important to keep in mind).