Desktop Ubuntu 20.04.3 LTS Login
How can I make a login into my desktop Ubuntu 20.04.3 LTS only from my office and block it off from anywhere else?
You may want to set up a Two-Factor Authentication (2FA) system such as Google Authenticator. In this way, you'd have to use a time-based code from your phone in addition to your password each time you want to log in. Without the codes provided by your phone, no one will be able to log in to your system.
Instructions for Ubuntu 20.04.3:
- Install Google Authenticator on your phone (Android) (iOS).
- Make sure Ubuntu is fully updated:
sudo apt update
sudo apt upgrade
- Install Google Authenticator in Ubuntu:
sudo apt install libpam-google-authenticator
- Now you have to configure Google Authenticator. You do this for the current user, so no sudo here. For this, enter the command:
google-authenticator
- To the question "Do you want authentication tokens to be time-based (y/n)", answer "yes" by pressing Y and then Enter.
- Now the Terminal will print a QR code (a big one), followed by your secret key and emergency codes. Scan the QR code or enter your secret key into the Google Authenticator app on your phone. Also, print or write down these codes and keep them in a safe place. You will need these codes to access your computer in case you lose your phone.
- Answer the next four questions according to your preferences. It is safe to select "yes" to all four of them, again by pressing Y and then Enter, but you can select whatever suits you the most.
Note: If you have multiple users in your system who are allowed to log in, you will need to configure google-authenticator (steps 4 to 7) for each of them before continuing with the next steps.
- Now you have to edit the /etc/pam.d/common-auth file to configure your system to use Google Authenticator for authentication. To do this, enter in the Terminal:
sudo nano /etc/pam.d/common-auth
- In the nano text editor that opens, use the arrow keys to go down to the line that says:
# here are the per-package modules (the "Primary" block)
- Add the following line below that one:
auth required pam_google_authenticator.so
It should look like this:
- Save the file by pressing CTRL+O, then Enter. Do not close the file or this Terminal yet!
- Open a different Terminal and try your setup by running sudo whoami. You should be asked for your verification code from your phone, then for your password. If authentication is successful, you can proceed. If not, comment the line that you just inserted in /etc/pam.d/common-auth by inserting a # in front of it, then save the file again by pressing CTRL+O, then Enter. Something was wrong with your setup.
- Finally close the file by pressing CTRL+X.
Caution! For SSH access, you also need to edit the /etc/ssh/sshd_config file and change ChallengeResponseAuthentication from no to yes, then restart the ssh service, i.e. sudo service ssh restart. Otherwise you won't be able to log in via SSH.
After you follow these steps, your system will first ask you for the Verification Code from your phone before letting you enter your password whenever it is required to do so (for login, unlock, su, sudo, ssh, etc.).
If you ever lose your phone, use the secret key to configure Google Authenticator on a new phone. Alternatively, you can use one of the recovery keys to log in, then run google-authenticator again to set up a new secret key with your new phone.
Source: How To Enable Two Factor Authentication On Linux To Log In (AddictiveTips)
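
The note about multiple users and the SSH caution in the answer above describe two ways to lock yourself out. As an added example (not part of the original answer), this script checks for both before you close your working session. The function names and the sample files are constructed; on a real system you would call audit as root with /etc/pam.d/common-auth, /etc/ssh/sshd_config and /etc/passwd.

```shell
#!/usr/bin/env bash
# Added example: lockout pre-flight for the PAM + SSH changes described above.
# Function names and the sample files are constructed for illustration.

# True if an uncommented auth line loads pam_google_authenticator.so.
pam_line_active() {
    grep -Eq '^[[:space:]]*auth[[:space:]]+[^#]*pam_google_authenticator\.so' "$1"
}

# True if the first ChallengeResponseAuthentication keyword is "yes"
# (sshd keeps the first value it reads; Include and Match blocks are not followed here).
sshd_challenge_enabled() {
    awk 'tolower($1) == "challengeresponseauthentication" { print tolower($2); exit }' "$1" |
        grep -qx 'yes'
}

# Print login-capable users (UID >= 1000, real shell) in a passwd-format file
# that have no ~/.google_authenticator; without "nullok" they cannot authenticate.
users_missing_secret() {
    while IFS=: read -r name _ uid _ _ home shell; do
        [ "$uid" -ge 1000 ] 2>/dev/null || continue
        case "$shell" in */nologin | */false | '') continue ;; esac
        [ -f "$home/.google_authenticator" ] || printf '%s\n' "$name"
    done < "$1"
}

# audit PAM_FILE SSHD_CONFIG PASSWD_FILE: print findings, return the number of them.
audit() {
    local findings=0 user
    pam_line_active "$1" || { echo "PAM: module not active in $1"; findings=$((findings + 1)); }
    sshd_challenge_enabled "$2" || { echo "SSH: ChallengeResponseAuthentication is not yes in $2"; findings=$((findings + 1)); }
    for user in $(users_missing_secret "$3"); do
        echo "USER: $user has not run google-authenticator"; findings=$((findings + 1))
    done
    return "$findings"
}

# Constructed sample data: alice is enrolled, bob is not, sshd still has the default "no".
demo() {
    local d; d=$(mktemp -d)
    mkdir -p "$d/home/alice" "$d/home/bob" && touch "$d/home/alice/.google_authenticator"
    printf 'auth required pam_google_authenticator.so\n' > "$d/common-auth"
    printf '#ChallengeResponseAuthentication yes\nChallengeResponseAuthentication no\n' > "$d/sshd_config"
    printf 'alice:x:1000:1000::%s:/bin/bash\nbob:x:1001:1001::%s:/bin/bash\nnobody:x:65534:65534::/nonexistent:/usr/sbin/nologin\n' \
        "$d/home/alice" "$d/home/bob" > "$d/passwd"
    audit "$d/common-auth" "$d/sshd_config" "$d/passwd"; local rc=$?
    rm -rf "$d"; return "$rc"
}
demo || echo "findings: $?"
```

Run it from the Terminal you kept open while editing common-auth, so that any finding can be fixed before you log out.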