For additional security, you can require a time-based authentication token as well as a password to log into your Linux PC. This solution uses Google Authenticator and other TOTP apps.
This process was performed on Ubuntu 14.04 with the standard Unity desktop and LightDM login manager, but the principles are the same on most Linux distributions and desktops.
We previously showed you how to require Google Authenticator for remote access via SSH, and this process is similar. This doesn’t require the Google Authenticator app, but works with any compatible app that implements the TOTP authentication scheme, including Authy.
Install the Google Authenticator PAM
As when setting this up for SSH access, we’ll first need to install the appropriate PAM (“pluggable-authentication module”) software. PAM is a system that allows us to plug different types of authentication methods into a Linux system and require them.
On Ubuntu, the following command will install the Google Authenticator PAM. Open a Terminal window, type the following command, press Enter, and provide your password. The system will download the PAM from your Linux distribution’s software repositories and install it:
sudo apt-get install libpam-google-authenticator
Other Linux distributions should hopefully have this package available for easy installation, too — open your Linux distribution’s software repositories and perform a search for it. In a worst case scenario, you can find the source code for the PAM module on GitHub and compile it yourself.
As we pointed out before, this solution doesn’t depend on “phoning home” to Google’s servers. It implements the standard TOTP algorithm and can be used even when your computer doesn’t have Internet access.
Create Your Authentication Keys
You’ll now need to create a secret authentication key and enter it into the Google Authenticator app (or a similar) app on your phone. First, log in as your user account on your Linux system. Open a terminal window and run the google-authenticator command. Type y and follow the prompts here. This will create a special file in the current user account’s directory with the Google Authenticator information.
You’ll also be walked through the process of getting that two-factor verification code into a Google Authenticator or similar TOTP app on your smartphone. Your system can generate a QR code you can scan, or you can type it in manually.
Be sure to note down your emergency scratch codes, which you can use to log in with if you lose your phone.
Go through this process for each user account that uses your computer. For example, if you’re the only person who uses your computer, you can just do it once on your normal user account. If you have someone else who uses your computer, you’ll want to have them sign into their own account and generate an appropriate two-factor code for their own account so they’ll be able to log in.
Here’s where things get a bit dicy. When we explained how to enable two-factor for SSH logins, we required it only for SSH logins. This ensured you could still log in locally if you lost your authentication app or if something went wrong.
Since we’ll be enabling two-factor authentication for local logins, there are potential problems here. If something goes wrong, you may not be able to log in. Bearing that in mind, we’ll walk you through enabling this for graphical logins only. This gives you an escape hatch if you need it.
Enable Google Authenticator for Graphical Logins on Ubuntu
You could always enable two-step authentication for only graphical logins, skipping the requirement when you log in from the text prompt. This means you could easily switch over to a virtual terminal, log in there, and revert your changes so Gogole Authenciator wouldn’t be required if you experience a problem.
Sure, this opens a hole in your authentication system, but an attacker with physical access to your system can already exploit it anyway. That’s why two-factor authentication is particularly effective for remote logins via SSH.
Here’s how to do this for Ubuntu, which uses the LightDM login manager. Open the LightDM file for editing with a command like the following:
sudo gedit /etc/pam.d/lightdm
(Remember, these specific steps will only work if your Linux distribution and desktop use the LightDM login manager.)
Add the following line to the end of the file, and then save it:
auth required pam_google_authenticator.so nullok
The “nullok” bit at the end tells the system to let a user log in even if they haven’t run the google-authenticator command to set up two-factor authentication. If they have set it up, they’ll have to enter a time-baesd code — otherwise they won’t. Remove the “nullok” and user accounts who haven’t set up a Google Authenticator code just won’t be able to log in graphically.
The next time a user logs in graphically, they’ll be asked for their password and then prompted for the current verification code displayed on their phone. If they don’t enter the verification code, they won’t be allowed to log in.
The process should be fairly similar for other Linux distributions and desktops, as most common Linux desktop session managers use PAM. You’ll likely just have to edit a different file with something similar to activate the appropriate PAM module.
If You Use Home Directory Encryption
Older releases of Ubuntu offered an easy “home folder encryption” option that encrypted your entire home directory until you enter your password. Specifically, this uses ecryptfs. However, because the PAM software depends on a Google Authenticator file stored in your home directory by default, the encryption interferes with the PAM reading the file unless you ensure it’s available in unencrypted form to the system before you log in. Consult the README for more information on avoiding this problem if your’e still using the deprecated home directory encryption options.
Modern versions of Ubuntu offer full-disk encryption instead, which will work fine with the above options. You don’t have to do anything special
Help, It Broke!
Because we just enabled this for graphical logins, it should be easy to disable if it causes a problem. Press a key combination like Ctrl + Alt + F2 to access a virtual terminal and log in there with your username and password. You can then use a command like sudo nano /etc/pam.d/lightdm to open the file for editing in a terminal text editor. Use our guide to Nano to remove the line and save the file, and you’ll be able to log in normally again.
You could also force Google Authenticator to be required for other types of logins — potentially even all system logins — by adding the line “auth required pam_google_authenticator.so” to other PAM configuration files. Be careful if you do this. And remember, you may want to add “nullok” so users who haven’t gone through the setup process can still log in.
Further documentation on how to use and set up this PAM module can be found in the software’s README file on GitHub.