This brief tutorial shows students and new users how to log in to Ubuntu 20.04 | 18.04 with Google two-factor (multi-factor) authentication.
To improve Ubuntu security you may want to enable multi-factor authentication.
Two-factor authentication requires users to supply an additional credential, such as a random code or OTP (one-time password), on top of the standard username and password, adding another layer of security.
There are multiple ways to implement multi-factor authentication on Ubuntu. Google Authenticator is one of them.
To get started with installing Google Authenticator, follow the steps below:
Install Google PAM package
Google Authenticator is a PAM (Pluggable Authentication Module) package that provides a mechanism to add extra layers of authentication on the Linux platform.
To install it, run the commands below:
sudo apt update
sudo apt install libpam-google-authenticator
Install Google Authenticator app
To authenticate using a one-time code, you’ll need to install the Google Authenticator app on your mobile device(s). This is where the one-time code will be displayed.
Visit the app store on your mobile device and search for Google Authenticator, or use the link below:
After installing it on your mobile device, go back to Ubuntu and configure it to log in using a one-time password.
Configure Ubuntu
Now that Google Authenticator is installed, open the PAM common-auth configuration file by running the command below:
sudo nano /etc/pam.d/common-auth
Then copy and paste the line below anywhere into the file:
auth required pam_google_authenticator.so
After pasting, the end of the file will look similar to this:
# since the modules above will each just jump around
auth required pam_permit.so
# and here are more per-package modules (the "Additional" block)
auth optional pam_cap.so
# end of pam-auth-update config
auth required pam_google_authenticator.so
Save and exit.
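Before rebooting, it is worth checking that the new line cannot lock you out. The check below is an added example for this tutorial, not code from the tutorial or from the libpam-google-authenticator project. It parses common-auth style lines, finds the pam_google_authenticator.so entry and reports the users who would be denied: with control `required` and without the module's `nullok` option, every user who has not yet run google-authenticator fails authentication, and because common-auth is included by sudo, login and sshd, that applies to all of them at once. The `users_secret_status` helper assumes the default `~/.google_authenticator` location under `/home`; the sample configuration text is constructed from the tutorial's snippet.

```python
"""Pre-flight check before rebooting with pam_google_authenticator enabled.

Added example for this tutorial, not code from the tutorial or from the
libpam-google-authenticator project. Parses /etc/pam.d/common-auth style
lines, locates the pam_google_authenticator.so entry and flags the lockout
case: 'required' without the module's 'nullok' option denies every user who
has not yet run google-authenticator.
"""
from dataclasses import dataclass, field
from pathlib import Path

# Constructed sample: the tail of common-auth after the tutorial's edit.
SAMPLE_COMMON_AUTH = """\
# since the modules above will each just jump around
auth    required    pam_permit.so
# and here are more per-package modules (the "Additional" block)
auth    optional    pam_cap.so
# end of pam-auth-update config
auth    required    pam_google_authenticator.so
"""


@dataclass
class PamLine:
    type: str        # auth, account, password, session
    control: str     # required, optional, [success=1 default=ignore], ...
    module: str      # pam_unix.so, pam_google_authenticator.so, ...
    args: list = field(default_factory=list)


def parse_pam(text: str) -> list:
    """Parse 'type control module [args...]' lines, skipping comments and blanks.
    A bracketed control field such as [success=1 default=ignore] is one token."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        head = line.split(None, 1)
        if len(head) < 2:
            continue
        ptype, rest = head
        if rest.startswith("["):
            close = rest.index("]")
            control, rest = rest[:close + 1], rest[close + 1:]
        else:
            parts = rest.split(None, 1)
            control, rest = parts[0], (parts[1] if len(parts) > 1 else "")
        tokens = rest.split()
        if not tokens:
            continue
        entries.append(PamLine(ptype, control, tokens[0], tokens[1:]))
    return entries


def find_google_auth(entries: list):
    """Return the auth entry for pam_google_authenticator.so, or None."""
    for e in entries:
        if e.type == "auth" and e.module.endswith("pam_google_authenticator.so"):
            return e
    return None


def lockout_risk(entries: list, has_secret: dict) -> list:
    """Users who could no longer log in once this config takes effect.

    has_secret maps user name -> whether ~/.google_authenticator exists
    (constructed in the test; see users_secret_status() for a live system)."""
    entry = find_google_auth(entries)
    if entry is None:
        return []                    # module not enabled at all
    if entry.control not in ("required", "requisite"):
        return []                    # a failure of this module is not fatal
    if "nullok" in entry.args:
        return []                    # users without a secret file are let through
    return sorted(user for user, ok in has_secret.items() if not ok)


def users_secret_status(home_root: Path = Path("/home")) -> dict:
    """Map each user with a home under home_root to whether the secret file exists.
    Assumes the default ~/.google_authenticator location; run as root to read it."""
    return {d.name: (d / ".google_authenticator").exists()
            for d in home_root.iterdir() if d.is_dir()}


if __name__ == "__main__":
    cfg = parse_pam(Path("/etc/pam.d/common-auth").read_text())
    print("would be locked out:", lockout_risk(cfg, users_secret_status()) or "nobody")
```

Run it as root after editing common-auth and before rebooting; an empty result means every home directory already holds a secret file, or the entry is not fatal for users without one.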
After that, run the command below to initialize Google Authenticator.
google-authenticator
When you run the command above, it starts a setup prompt with questions about your environment.
Do you want authentication tokens to be time-based (y/n) y
A QR code will be displayed in the terminal, with some information right below it.
Since you may not be able to scan the QR code from your terminal window, go to your mobile app and add a new profile.
Choose to enter setup key instead of scanning a QR code.
Then enter the new secret key and the confirmation code:
Your new secret key is: M7I5532H5ZG4QYYEIQIMXFENIMI
Your verification code is 6593222
Your emergency scratch codes are:
The emergency scratch codes are backups you can use if you don’t have your mobile device with you. Make sure to note them down and store them in a secure but accessible location.
In most environments, answering yes to all the questions provides a sensible level of security.
Do you want me to update your "/home/richard/.google_authenticator" file? (y/n) y

Do you want to disallow multiple uses of the same authentication token? This restricts you to one login about every 30s, but it increases your chances to notice or even prevent man-in-the-middle attacks (y/n) y

By default, a new token is generated every 30 seconds by the mobile app.
In order to compensate for possible time-skew between the client and the server,
we allow an extra token before and after the current time. This allows for a
time skew of up to 30 seconds between authentication server and client. If you
experience problems with poor time synchronization, you can increase the window
from its default size of 3 permitted codes (one previous code, the current
code, the next code) to 17 permitted codes (the 8 previous codes, the current
code, and the 8 next codes). This will permit for a time skew of up to 4 minutes
between client and server.
Do you want to do so? (y/n) n

If the computer that you are logging into isn't hardened against brute-force
login attempts, you can enable rate-limiting for the authentication module.
By default, this limits attackers to no more than 3 login attempts every 30s.
Do you want to enable rate-limiting? (y/n) y
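To make the setup answers concrete, here is an added example (not code from the tutorial or from libpam-google-authenticator) that implements the time-based token the prompt describes: RFC 6238 TOTP with HMAC-SHA1, a 30-second step and 6 digits, over a base32 secret of the kind google-authenticator prints. The `TotpVerifier` class models the three choices above on the server side: the accepted window of 3 codes (or 17 with the wider skew allowance), refusing a code that was already used, and limiting attempts to 3 per 30 seconds. The secret used in the test is the constructed RFC 4226/6238 test key, not the one shown above, and the result strings returned by `verify()` are this example's own labels.

```python
"""What the google-authenticator setup answers mean: a TOTP generator and verifier.

Added example, not code from the tutorial or from libpam-google-authenticator.
Implements RFC 6238 TOTP (HMAC-SHA1, 30-second step, 6 digits) and a verifier
that models the prompt's options: window size (3 or 17 codes), disallowing
reuse of a token, and rate-limiting to 3 attempts per 30 s.
"""
import base64
import hashlib
import hmac
import struct

STEP = 30      # seconds per token, as the prompt states
DIGITS = 6

# Constructed test secret: the RFC 4226/6238 ASCII key "12345678901234567890" in base32.
RFC_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def hotp(secret_b32: str, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226: dynamically truncate HMAC-SHA1(key, counter) to `digits` decimal digits."""
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)   # restore base32 padding
    key = base64.b32decode(padded)
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    truncated = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(truncated % 10 ** digits).zfill(digits)


def totp(secret_b32: str, unix_time: int, step: int = STEP) -> str:
    """RFC 6238: HOTP with counter floor(time / step); this is what the app displays."""
    return hotp(secret_b32, unix_time // step)


class TotpVerifier:
    """Server-side check mirroring the google-authenticator setup options."""

    def __init__(self, secret_b32, window_size=3, disallow_reuse=True,
                 rate_limit=(3, 30)):
        self.secret = secret_b32
        self.half = window_size // 2            # 3 -> +-1 step, 17 -> +-8 steps
        self.disallow_reuse = disallow_reuse
        self.max_attempts, self.rate_seconds = rate_limit
        self.used_counters = set()              # steps whose code was already accepted
        self.attempts = []                      # times of recent attempts

    def verify(self, code: str, now: int) -> str:
        # Rate limiting: at most max_attempts within the last rate_seconds.
        self.attempts = [t for t in self.attempts if now - t < self.rate_seconds]
        if len(self.attempts) >= self.max_attempts:
            return "rate-limited"
        self.attempts.append(now)

        current = now // STEP
        for counter in range(current - self.half, current + self.half + 1):
            if counter < 0:
                continue
            expected = hotp(self.secret, counter)
            if hmac.compare_digest(expected.encode(), code.encode()):
                if self.disallow_reuse and counter in self.used_counters:
                    return "reused"
                self.used_counters.add(counter)
                return "ok"
        return "bad-code"


if __name__ == "__main__":
    import time
    print("code right now for the RFC test key:", totp(RFC_SECRET, int(time.time())))
```

The window check explains why answering "n" to the wider window is the safer default: each extra accepted step is one more code an attacker may guess per attempt, while the rate limit caps how many guesses fit into a 30-second slot. Disallowing reuse means that a code observed over the shoulder or captured in transit stops working the moment the legitimate login has consumed it.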
After setting up, reboot your machine and test.
As you can see, you’ll still verify your username and password, but a third layer, a one-time code, will also be needed to log in.
Enter the code from your mobile device to complete the verification.
That should do it!
Conclusion:
This post showed you how to install and configure Google Authenticator on Ubuntu to provide an additional layer of security.