How to Log in to Linux Desktop with Google Authenticator

Have you ever wondered how to provide additional security to your Linux desktop? Google Authenticator can help provide a two-step authentication process that requires both an authentication token and your password to log into your Linux desktop. This would require that an attacker know both your password and have your authentication device to successfully log in to your system.

A pluggable authentication module (PAM) is a way to integrate authentication methods into an API that enables different programs to be developed independent of the underlying OS authentication scheme. Linux provides a PAM system which we would take advantage of in this tutorial to integrate an additional check, along with user password, to grant access to the system.

For this tutorial we use an Ubuntu 14.04 LTS laptop, Google Authenticator, and an android smartphone. Using the process described in this tutorial does not require your laptop to have an Internet connection for login. Nor does Google have access to your generated tokens.

The first step will be to install the appropriate PAM, in this case, Google Authenticator. To install, type the following in a terminal:

sudo apt-get install libpam-google-authenticator

The complete source for the Google Authenticator PAM is available on GitHub.

Install “Google Authenticator” on your Android device from the Play store (Also available for iOS and Blackberry)

Install 'Google Authenticator' on your android device.

To create your authentication keys, run the following command in your terminal:

google-authenticator

Create your authentication keys.

This command does not need to be run as root. We are creating a time-based authentication model, so answer “y” to the first prompt, and then read and answer the following prompts. They are quite explanatory. Note the emergency scratch codes, and write them down and store in a secure place. You can use these to log in if you lose your token device (phone).

Open the Google Authenticator app on your phone, and enter the secret key generated above (or scan the displayed barcode).

Open the Google Authenticator app and enter the secret key generated.

Each user account that requires a two-factor authentication must then perform both steps (run google-authenticator, and input the secret key in the Google Authenticator app).

Before you enable two-factor authentication, note that you would be unable to log into your system if your configuration fails for some reason. It is advisable that you enable graphical login first, reboot and confirm that it works, before enabling virtual terminal authentication. This ensures that you can log in via a virtual terminal and disable/deactivate authentication by deleting the configurations below.

To enable authentication for graphical login, open the LightDM PAM file for editing with the following command:

sudo nano /etc/pam.d/lightdm

and add the following line to the end of the file:

auth required pam_google_authenticator.so nullok

The nullok bit at the end of the line indicates that users who haven’t set up Google Authenticator should be allowed to log in without requiring two-factor authentication.

At this point, you can log out and attempt to log back in.

To enable authentication for other types of logins, add the line:

auth required pam_google_authenticator.so

to the relevant /etc/pam.d file(s).

If your TOTP code doesn’t work, it is most likely caused by your phone and computer having different times. Syncing both device times, or increasing the skew time (during initial setup), can help.

If you use home directory encryption, you might have to store each user’s .google_authenticator secret file outside their home directory or decrypt the home directory before asking for the OTP code.

More information can be found in the GitHub README.

Setting up a system to use Google Authenticator time-based one-time password two-factor authentication is straightforward and provides an additional level of security.