Google Authenticator provides 2-step verification for Gmail. When on travel and using other computers, it provides a little extra layer of security for paranoid individuals such as myself. A verification code on my Android phone (also works with iPhone or BlackBerry smartphones) is needed in addition to my password to login, so unless someone has access to my password and phone, they can’t access my account. There’s an option to remember verification for 30 days for my home/work computers, whereas on other computers, I can leave this option unchecked. Consequently, for my own computers, I only have to verify my login with my phone once every month.
The Google Authenticator Project provides the source code for use with PAM.
- It’s very straightforward to compile (“make”) and install (“make install”) on Linux (on Ubuntu, I had to edit the Makefile to point to the correct location of libdl.so).
- Download Google Authenticator for your smartphone if you don’t already use it. Log into the Linux machine and run “google-authenticator.” The QR code will be displayed in the terminal, so you can just point your smartphone to it to configure the account. Emergency codes will also be provided in case your phone is lost, so keep the emergency codes in a safe place.
- The PAM config files (/etc/pam.d) need to be edited to use Google Authenticator. Note that if Google Authenticator is added, all logins will require use of Google Authenticator (there are some workarounds to this, though). In my case, I didn’t want to use Google Authenticator if the user is logging into the console, so I didn’t need to edit /etc/pam.d/gdm or /etc/pam.d/gnome-screensaver (but you would want to edit these if you want users to authenticate with regular logins). Instead, I just edited /etc/pam.d/sshd by adding the following line:
auth required pam_google_authenticator.so
Only port 22 (ssh) is open in my firewall, so I can remotely log in via ssh to my machine from the outside world. Consequently, with this setup, if I just supply a password, I also need to use Google Authenticator to log in each time, providing an extra layer of security. Note that if /etc/sshd_config has “
PubkeyAuthentication yes” (default setting in Ubuntu Server), then you can log in with private/public keys, but Google Authenticator will not be used. This makes sense to me since if I have the private key, I probably don’t need an extra layer of security. When I use a public computer to remotely log in via SSH, though, then I would only have a password, in which case Google Authenticator would be huge benefit.
In the past, I had just configured my Linux SSH server not to accept passwords but only use public keys, (
PasswordAuthentication no) which was a little inconvenient. Now, with Google Authenticator set up, I have been able to use either public keys or passwords to remotely log into my home server from outside with peace of mind.