Ubuntu – how to setup two factor authentication in Ubuntu for Ubuntu users using Google authenticator


How to setup two factor authentication in Ubuntu for Ubuntu users using Google authenticator (It can also be setup for non Google accounts)?

Best Answer

Note: Once you have activated the 2-factor authentication for a user and haven't set the same for root, you will never be able to Login as root directly. In such a case a way around is to use any other sudo user for whom we have it setup and then use sudo su - to switch to the root user.

Use below steps to set it up.

  1. Install below given package to install Google authenticator which we will use as an add-on with PAM authentication:

    sudo apt-get install libpam-google-authenticator
  2. Now edit /etc/pam.d/sshd this file and add Google Authenticator as given below:

    *sudo vim /etc/pam.d/sshd

    enter below at the top this file-

    auth required pam_google_authenticator.so
  3. Here we have to make changes in /etc/ssh/sshd_config to ensure ssh uses the Google Authenticator, this way we ensure ssh is using the two factor authentication.

    vim /etc/ssh/sshd_config

    In this file we have to find ChallengeResponseAuthentication and uncomment and/or modify it to look like below (in short set it to yes :P):

    ChallengeResponseAuthentication yes

    Extra or GUI 2-factor authentication else skip this and go to step 4: To enable it for GUI login, edit /etc/pam.d/common-auth:

    sudo vim /etc/pam.d/common-auth

    and now add this auth required pam_google_authenticator.so above the line auth [success=1 default=ignore] pam_unix.so nullok_secure then save the file.

  4. Now change to an account on which you want to set it up.
    (Note: I would suggest to create at least two super user accounts on the system apart than the root account and configure it at least, for one of them first but not the root account.)

    sudo su - testuser1
  5. Now we will use below command to setup the two-factor authentication for this testuser1:

  6. Running this command will ask you below question. (recommended answer is Yes)

    Do you want authentication tokens to be time-based (y/n) y

  7. After that it will show you the QR code and Emergency Scratch Codes and few other details. Out put should look like below given image:

    enter image description here

  8. Now you need to use your Android / Apple / Blackberry phone to download & install the Google Authenticator Application from the respective market places for example Google play store. which will generate code for you to login.

    Below are the screenshot of the application Icon and application taken from application Android phone.

    enter image description here enter image description here

  9. Start the application on your phone and scan the QR Code or else use the secret key and the verification code given below the QR code on the system, which you can also see in the first screenshot above.

  10. Once all of this is done it is very important to note down and save your emergency scratch codes on a safe place, as those are the codes which can help you in case you get locked out somehow.

  11. At this point in time you should take a look at the bottom of the screen where it is asking you a below question. (recommended answer is Yes):

    Do you want me to update your "/home/testuser1/.google_authenticator" file (y/n) y

  12. Again it will ask you one more question and the recommended answer for below question is also Yes:

    Do you want to disallow multiple uses of the same authentication token? This restricts you to one login about every 30s, but it increases your chances to notice or even prevent man-in-the-middle attacks (y/n) y

  13. Next question would be as given below and the recommended answer for it is No:

    By default, tokens are good for 30 seconds and in order to compensate for possible time-skew between the client and the server, we allow an extra token before and after the current time. If you experience problems with poor time synchronization, you can increase the window from its default size of 1:30min to about 4min. Do you want to do so (y/n) n

  14. And the last question would be as given below and recommended answer for it is Yes:

    If the computer that you are logging into isn't hardened against brute-force login attempts, you can enable rate-limiting for the authentication module. By default, this limits attackers to no more than 3 login attempts every 30s. Do you want to enable rate-limiting (y/n) y

  15. Now switch exit from this account to go back to root account:

  16. Now restart the ssh service

    service ssh restart

Now just take a ssh session for the user you have set it up for and it will first ask you for a verification code which you can enter from your mobile and then it will ask for a user password.

enter image description here

That is all what is required to setup the two factor authentication. Please feel free to improve the answer where required and please excuse me for the not so good language.

Related Question