Teststation Order from Chaos

Enable Two-Factor Authenticaton on Ubuntu 16.04 Xenial Xerus

Two-factor authentication provides unambiguous identification of users by means of the combination of two different components. These components may be something that the user knows, something that the user possesses or something that is inseparable from the user. -- Wikipedia

Oh, hmm. I have a phone, and I have Google Authenticator on it. I also happen to have a laptop lying around with Ubuntu on it. So why not? Here’s how to do it:

  • Install the Google authenticator PAM module (as root user):
apt-get install libpam-google-authenticator
  • Enable the PAM module (as root user):
echo "auth required pam_google_authenticator.so nullok" >> /etc/pam.d/common-auth
  • Generate a key file and initialize the thing for your user account with:
  • Setup a new account on the Google authenticator app on the phone with the supplied QR code / secret key from the above command.

And that should be it. Requiring the PAM module at /etp/pam.d/common-auth ensures TFA is applied across all authentication channels (ssh, console, and desktop at the least) while the nullok parameter ensures you don’t end up locking yourself out if you haven’t setup your account for it.

I dislike how the instructions don’t necessarily elaborate on “where” exactly the auth line goes. It goes in /etc/pam.d/sshd if you’re looking to secure SSH only, right below where common-auth is included. Cheers!