Teststation Order from Chaos

Enable Two-Factor Authentication on Ubuntu 16.04 Xenial Xerus

Two-factor authentication provides unambiguous identification of users by means of the combination of two different components. These components may be something that the user knows, something that the user possesses or something that is inseparable from the user. -- Wikipedia

Oh, hmm. I have a phone, and I have Google Authenticator on it. I also happen to have a laptop lying around with Ubuntu on it. So why not? Here’s how to do it:

  • Install the Google authenticator PAM module (as root user):
apt-get install libpam-google-authenticator
  • Enable the PAM module (as root user):
echo "auth required pam_google_authenticator.so nullok" >> /etc/pam.d/common-auth
  • Generate a key file and initialize the thing for your user account with:
google-authenticator
  • Set up a new account in the Google Authenticator app on the phone using the QR code / secret key printed by the above command.

And that should be it. Requiring the PAM module in /etc/pam.d/common-auth ensures TFA is applied across all authentication channels (ssh, console, and desktop at the least), while the nullok parameter ensures you don’t end up locking yourself out if you haven’t set up your account for it yet.

I dislike how the instructions don’t necessarily elaborate on “where” exactly the auth line goes. It goes in /etc/pam.d/sshd if you’re looking to secure SSH only, right below where common-auth is included. Cheers!