Adding Google Authenticator to Ubuntu

It was remarkably easy to add Google Authenticator to my Ubuntu login, so I wanted to share. First I installed the package with this:

sudo apt-get install libpam-google-authenticator

After it installed, I ran the set up with this command:

google-authenticator

This provided me with the QR Code to add to my iPhone’s Authenticator app, my secret key, verification code, and emergency scratch codes. (Emergency scratch codes are one-time-use verification codes that can be used in case you lose your phone.) I saved this information in a text file that I then encrypted with PGP for safekeeping.

Then I answered the following questions Google Authenticator asked like this:

Do you want me to update your "~/.google_authenticator"
file (y/n) y

That’s kind of a no-brainer. That’s why you are doing this.

Do you want to disallow multiple uses of the same authentication
token? This restricts you to one login about every 30s, but it
increases your chances to notice or even prevent man-in-the-middle
attacks (y/n) y

Probably a good idea… if someone can sniff out the code you are entering, they can quickly log in from another location within the time allotted, without the Authenticator app or your key.

By default, tokens are good for 30 seconds and in order to
compensate for possible time-skew between the client and the
server, we allow an extra token before and after the current
time. If you experience problems with poor time synchronization,
you can increase the window from its default size of 1:30min to
about 4min.
Do you want to do so (y/n) n

Probably don’t need this unless you know you have time sync issues.

If the computer that you are logging into isn't hardened against
brute-force login attempts, you can enable rate-limiting for the
authentication module. By default, this limits attackers to no
more than 3 login attempts every 30s.
Do you want to enable rate-limiting (y/n) y

Definitely want this on. You should always have this on.

So far you have only set up Google Authenticator. Now you must connect this to your login process. For SSH, modify /etc/pam.d/sshd and add this line to the bottom:

auth required pam_google_authenticator.so

Then edit /etc/ssh/sshd_config and set it to say this:

ChallengeResponseAuthentication yes

The ChallengeResponseAuthentication line may already be there. Mine was set to “no”, so I just changed it to yes. You may have to add the line if it’s not there, or you may need to uncomment it. Lines starting with “#” are comments.

Once this is done, all you have to do is restart the ssh service:

sudo service ssh restart

For the local login, add “auth required pam_google_authenticator.so” to whichever service you use: “/etc/pam.d/gdm”, “/etc/pam.d/lightdm”, or “/etc/pam.d/kdm”. This option isn’t as important to me, because if someone were physically at my machine, they could use a startup disk to log in and even obtain my keys to later authenticate from a remote location (which is important to keep in mind).
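Because a mistake in sshd_config or the PAM file silently leaves SSH without the second factor, here is an added Python check for the two edits described above (sshd_config's ChallengeResponseAuthentication and the PAM auth line). It is not part of the post or the project; the sample config texts are constructed, and the function names are mine. It reads the option the way sshd does: keywords are case-insensitive, "#" lines are comments, and the first uncommented occurrence wins, so a "no" left higher in the file beats a "yes" appended at the bottom.

```python
import re


def sshd_option(config_text: str, keyword: str):
    """Effective value of a keyword as sshd resolves it, or None if never set."""
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                      # blank or comment line
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        if len(parts) == 2 and parts[0].lower() == keyword.lower():
            return parts[1].strip()       # first match wins
    return None


def pam_requires_google_auth(pam_text: str) -> bool:
    """True if an uncommented 'auth required pam_google_authenticator.so' line exists."""
    for raw in pam_text.splitlines():
        fields = raw.strip().split()
        if not fields or fields[0].startswith("#"):
            continue
        if (len(fields) >= 3 and fields[0] == "auth" and fields[1] == "required"
                and fields[2].endswith("pam_google_authenticator.so")):
            return True
    return False


def audit(sshd_text: str, pam_text: str) -> list:
    """Return a list of problems; an empty list means both edits are in effect."""
    problems = []
    value = sshd_option(sshd_text, "ChallengeResponseAuthentication")
    if value is None:
        problems.append("ChallengeResponseAuthentication is not set "
                        "(add 'ChallengeResponseAuthentication yes')")
    elif value.lower() != "yes":
        problems.append("ChallengeResponseAuthentication is '%s', expected 'yes'" % value)
    if not pam_requires_google_auth(pam_text):
        problems.append("PAM file lacks 'auth required pam_google_authenticator.so'")
    return problems


# Constructed sample inputs: the commented-out default the post mentions, and a fixed file.
SSHD_COMMENTED = "# Change to yes to enable challenge-response passwords\n" \
                 "#ChallengeResponseAuthentication no\n"
SSHD_FIXED = "ChallengeResponseAuthentication yes\nUsePAM yes\n"
# Pitfall: appending 'yes' below an existing 'no' changes nothing.
SSHD_APPENDED = "ChallengeResponseAuthentication no\nChallengeResponseAuthentication yes\n"
PAM_FIXED = "@include common-auth\nauth required pam_google_authenticator.so\n"
PAM_COMMENTED = "@include common-auth\n#auth required pam_google_authenticator.so\n"

if __name__ == "__main__":
    for name, text in [("commented", SSHD_COMMENTED), ("fixed", SSHD_FIXED),
                       ("appended", SSHD_APPENDED)]:
        print(name, audit(text, PAM_FIXED))
```

To run it against a real host, read /etc/ssh/sshd_config and /etc/pam.d/sshd into the two arguments; the same parser applies to the gdm/lightdm/kdm files for the local-login case.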

Steve Young

About Steve Young

Steve Young is a business intelligence software developer and DBA, and founder of UniversalPrinciple.org.
This entry was posted in Security.