Desktop Ubuntu 20.04.3 LTS Login

How can I allow logins to my Ubuntu 20.04.3 LTS desktop only from my office and block them from anywhere else?


You may want to set up a Two-Factor Authentication (2FA) system such as Google Authenticator. In this way, you'd have to use a time-based code from your phone in addition to your password each time you want to log in. Without the codes provided by your phone, no one will be able to log in to your system.

Instructions for Ubuntu 20.04.3:

  1. Install Google Authenticator on your phone (Android) (iOS).

  2. Make sure Ubuntu is fully updated:

         sudo apt update
         sudo apt upgrade

  3. Install Google Authenticator in Ubuntu:

         sudo apt install libpam-google-authenticator

  4. Now you have to configure Google Authenticator. You do this for the current user, so no sudo here. For this, enter the command:

         google-authenticator

  5. To the question Do you want authentication tokens to be time-based (y/n), answer “yes” by pressing Y and then Enter.

  6. Now the Terminal will print a QR code (a big one), followed by your secret key and emergency codes. Scan the QR code or enter your secret key into the Google Authenticator app on your phone. Also, print or write down these codes and keep them in a safe place. You will need these codes to access your computer in case you lose your phone.

  7. Answer the next four questions according to your preferences. It is safe to select "yes" to all four of them, again by pressing Y and then Enter, but you can select whatever suits you the most.

Note: If you have multiple users in your system who are allowed to log in, you will need to configure google-authenticator (steps 4 to 7) for each of them before continuing with the next steps.

  8. Now you have to edit the /etc/pam.d/common-auth file to configure your system to use Google Authenticator for authentication. To do this, enter in the Terminal:

         sudo nano /etc/pam.d/common-auth

  9. In the nano text editor that opens, use the arrow keys to go down to the line that says:

         # here are the per-package modules (the "Primary" block)

  10. Add the following line below that one:

         auth required pam_google_authenticator.so

      It should look like this: auth required pam_google_authenticator.so

  11. Save the file by pressing CTRL+O, then Enter. Do not close the file or this Terminal yet!

  12. Open a different Terminal and try your setup by running sudo whoami. You should be asked for your verification code from your phone, then for your password. If authentication is successful, you can proceed. If not, comment out the line that you just inserted in /etc/pam.d/common-auth by inserting a # in front of it, then save the file again by pressing CTRL+O, then Enter. Something was wrong with your setup.

  13. Finally close the file by pressing CTRL+X.

Caution! For SSH access, you also need to edit the /etc/ssh/sshd_config file and change ChallengeResponseAuthentication from no to yes, then restart the ssh service, i.e. sudo service ssh restart. Otherwise you won't be able to log in via SSH.

After you follow these steps, your system will first ask you for the Verification Code from your phone before letting you enter your password whenever it is required to do so (for login, unlock, su, sudo, ssh, etc.).

Verification Code

Password

If you ever lose your phone, use the secret key to configure Google Authenticator on a new phone. Alternatively, you can use one of the recovery keys to log in, then run google-authenticator again to set up a new secret key with your new phone.

Source: How To Enable Two Factor Authentication On Linux To Log In (AddictiveTips)
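
Added example, not part of the original answer: a lockout check to run while the editor from the common-auth step is still open. It confirms the `auth required pam_google_authenticator.so` line is active, lists accounts that have no `~/.google_authenticator` yet (the multi-user note above), and reads the `ChallengeResponseAuthentication` value from the SSH caution. The function names and the UID >= 1000 cut-off for regular users are assumptions of this example.

```bash
#!/bin/sh
# Added example (not from the original answer): audit the files the steps edit.
# Paths are arguments, so it can be run against copies before touching /etc.

# Print the first active (uncommented) auth line that loads the module.
pam_ga_line() {
    grep -E '^[[:space:]]*auth[[:space:]]+[^#]*pam_google_authenticator\.so' "$1" | head -n 1
}

pam_ga_enabled() { [ -n "$(pam_ga_line "$1")" ]; }

# Print the first ChallengeResponseAuthentication value in one sshd_config
# file (sshd keeps the first value it reads); Include files are not followed.
sshd_challenge_response() {
    awk 'tolower($1) == "challengeresponseauthentication" { print tolower($2); found = 1; exit }
         END { if (!found) print "unset" }' "$1"
}

# List accounts from a passwd-format file that can log in but have no
# ~/.google_authenticator. Assumption: regular users have UID >= 1000.
unenrolled_users() {
    while IFS=: read -r user pw uid gid gecos home shell; do
        [ "$uid" -ge 1000 ] 2>/dev/null || continue
        case "$shell" in */nologin|*/false|'') continue ;; esac
        [ -f "$home/.google_authenticator" ] || echo "$user"
    done < "$1"
}

# Returns 0 when the setup is consistent, 1 when someone would be locked out.
audit_2fa() {
    pam=$1; sshd=$2; passwd=$3; rc=0
    if ! pam_ga_enabled "$pam"; then
        echo "PAM: pam_google_authenticator.so is not active in $pam"
        return 0
    fi
    echo "PAM: $(pam_ga_line "$pam")"
    missing=$(unenrolled_users "$passwd" | tr '\n' ' ')
    if [ -n "$missing" ]; then
        echo "LOCKOUT RISK: no ~/.google_authenticator for: $missing"
        rc=1
    fi
    if [ "$(sshd_challenge_response "$sshd")" != "yes" ]; then
        echo "SSH: ChallengeResponseAuthentication is not 'yes' in $sshd"
        rc=1
    fi
    return "$rc"
}

# Usage: sh audit.sh /etc/pam.d/common-auth /etc/ssh/sshd_config /etc/passwd
if [ "$#" -eq 3 ]; then audit_2fa "$@"; fi
```

Run it with sudo so it can see into other users' home directories; a non-zero exit status means at least one check failed.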