Two-step user access for Ubuntu using Google Authenticator

Recently, Google launched two-step authentication for its email system. It is basically an application on your mobile phone that generates a 6-digit code, giving you a second validation step so you can access your email more securely: a random numerical code that changes at a rate of one minute and that must be entered after your usual password. This double validation can also be implemented in Ubuntu to authenticate user login in two steps, a tool that will keep the curious out of your computer even if they know your primary password.

This is a contribution from Jairo J. Rodriguez, who thereby becomes one of the winners of our weekly competition: «Share what you know about Linux». Congratulations, Jairo!

Here is a small tutorial to carry out this implementation:

Step 1: Install Google Authenticator on your mobile

Download Google Authenticator on your mobile phone. For Android users I leave the following link here:

The application is also available for iPhone and BlackBerry.

Step 2: Download the package for Ubuntu

Add the following PPA to the list of package sources by running the command below from a console:

sudo add-apt-repository ppa:failshell/stable

Step 3: Update the APT lists

Run the following command to update the database of PPA sources on your system:

sudo apt-get update

Step 4: Install the module for the PAM (Pluggable Authentication Module)

Run the command below. It installs two files on your system to provide two-step authentication: /lib/security/pam_google_authenticator.so and /usr/bin/google-authenticator.

sudo apt-get install libpam-google-authenticator

Step 5: Configure the access account

Now it is necessary to execute the command «google-authenticator» from the console to configure the account from which you have logged in. Once the command is executed, a QR code will appear on the screen. You must use the application (Google Authenticator) just installed on your mobile to be able to obtain the authentication codes associated with your login.

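I recommend taking a "print screen" or screenshot of the QR code so that you can later associate other devices. Keep that image somewhere safe, because the QR code contains the secret key used to generate the codes.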

Step 6: Configure the PAM to use two-factor authentication.

Open a terminal and, using sudo vi or sudo gvim, add the following line to the /etc/pam.d/sudo file:

auth required pam_google_authenticator.so

Note: It is advisable to leave the current session open, so that if you have made a mistake in the configuration you can still reverse the changes.

Open a new terminal and run:

sudo ls

The system will request the password and then prompt for "Verification code:". Enter the digits shown in the Google Authenticator application on your mobile.

You will have about three minutes from the change of the numeric code. Even if the code changes, it will remain active for an additional two minutes.

If all goes well, edit the file /etc/pam.d/sudo again and remove the line you added, "auth required pam_google_authenticator.so"; then save and exit.

Now, to get the best protection from two-step validation, add the line «auth required pam_google_authenticator.so» to the file «/etc/pam.d/auth», using sudo vi, sudo gvim or any other editor of your preference, but always with sudo. From now on, any validation will require double authentication.

If you want to be less restrictive you can use any other file in the /etc/pam.d directory, depending on what your security needs are.
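
The edit, test and revert cycle from Step 6, as an added shell example that is not part of the original tutorial. The function names and the PAM_DIR variable are assumptions made for this sketch; PAM_DIR lets you rehearse on a copy of /etc/pam.d before touching the real files.

```shell
#!/bin/sh
# Added example: rehearse the Step 6 PAM change. Run as root against
# /etc/pam.d, or set PAM_DIR to a scratch copy first.
PAM_DIR="${PAM_DIR:-/etc/pam.d}"
GA_LINE='auth required pam_google_authenticator.so'
# Matches an active (uncommented) auth line that loads the module.
GA_RE='^[[:space:]]*auth[[:space:]].*pam_google_authenticator\.so'

# has_ga FILE: succeed if FILE enforces the module.
has_ga() {
    grep -q "$GA_RE" "$1"
}

# list_ga: print every service file in PAM_DIR that enforces the module.
list_ga() {
    for f in "$PAM_DIR"/*; do
        [ -f "$f" ] && has_ga "$f" && basename "$f"
    done
    return 0
}

# enable_ga SERVICE: append the line once, keeping SERVICE.bak for rollback.
enable_ga() {
    f="$PAM_DIR/$1"
    [ -f "$f" ] || { echo "no such PAM service file: $1" >&2; return 1; }
    has_ga "$f" && return 0
    cp -p "$f" "$f.bak" && printf '%s\n' "$GA_LINE" >> "$f"
}

# disable_ga SERVICE: delete the line again, as the tutorial does after testing.
disable_ga() {
    f="$PAM_DIR/$1"
    [ -f "$f" ] || return 1
    sed "/$GA_RE/d" "$f" > "$f.tmp" && cat "$f.tmp" > "$f" && rm -f "$f.tmp"
}
```

Source the file, run enable_ga sudo, and test with sudo ls from a second terminal while the first one stays open; list_ga then shows which services currently ask for a verification code.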



  1.   Daniel said

    The PPA does not work for me in Mint XFCE.
    I guess we will have to wait a few days for it to be available for this distro.

  2.   Let's use Linux said

    Well, in your case, I understand that it would be lightdm.
    When it comes to "tampering", that's it ... someone with little technical knowledge and who knows what file to look for can bypass what is apparently a more complicated security system. This, as long as that person has physical access to your computer. Therefore, this system is really useful in cases where remote logins are performed, such as when using sshd.
    Cheers! Paul.

  3.   Bill said

    In my pam.d folder there are:

    /etc/pam.d/lightdm
    /etc/pam.d/kdm

    (I use Ubuntu 12.04 and I have KDE installed, even though my desktop is Gnome 3.4)

    But when adding the authorization it does not let me log in, it tells me: "critical error", I had to leave them as they were from the terminal in the "Recovery Mode"

    The rest about sshd is not very clear to me, but a recommendation to really make the system more secure and less "inviolable" would be very useful. I have used Linux for about 3 years, among many reasons for its robustness and security, and I always look for a way to make everything more difficult, add layers and security. As I said, a "TIP" on how to properly use 2-step verification in Ubuntu would be excellent. =)

  4.   Let's use Linux said

    Depending on the system you use, it would be one of these options:
    /etc/pam.d/gdm
    /etc/pam.d/lightdm
    /etc/pam.d/kdm
    /etc/pam.d/lxdm
    etc.

    Also, let me clarify that it makes more sense to use it with sshd, for example, than with the computer login. For the simple reason that the secret key is stored in a folder on your home so that someone who has access to your computer can start from a livecd, copy the key and generate their own pair of tokens. Yes, it is true that it "makes things more difficult" but it is not an inviolable system ... although it is very cool.

    The same problem would not exist for processes that require a remote login, like sshd.

    Cheers! Paul.

  5.   Bill said

    Ok, that's it, if I only want to activate the verification in 2 steps for the login to which file do I add "auth required pam_google_authenticator.so" in pam.d?

    Thanks Excellent Resource!

  6.   KEOS said

    if it works, I have 12.04 and I have added repos PPA

  7.   Bill said

    PPA not working on Ubuntu 12.04. Any solutions?

    Cheers