Google Authenticator for Desktop (lightdm or gdm plugin)
There has been a similar question, but that's not exactly what I want.
I'd like to know if there is a plugin, or add-on, for lightdm or gdm that allows me to authenticate using my password AND Google Authenticator. I'm talking about entering your GA code into the desktop login -- both GUI and command-line (shell) login -- in order to gain access to your local desktop.
Installation
Install the Google Authenticator PAM module like this:
sudo apt-get install libpam-google-authenticator
Now run google-authenticator (inside a terminal) for every user you want to use Google Authenticator with and follow the instructions. You will get a QR code to scan with your smartphone (or a link) and emergency codes.
Configuration
To activate Google Authenticator, look inside the directory /etc/pam.d/. There is a file for every way to authenticate with your computer. You need to edit the configuration file for every service you want to use with Google Authenticator. If you want to use it with SSH, edit sshd; if you want to use it in LightDM, edit lightdm. In those files, add one of the following lines:
auth required pam_google_authenticator.so nullok
auth required pam_google_authenticator.so
Use the first line while you're still migrating your users to Google Authenticator: users who don't have it configured can still log in. The second line will force the usage of Google Authenticator; users who don't have it can't log in anymore. For sshd it is quite crucial that you put the line at the top of the file to prevent brute-force attacks on your password.
To add it to LightDM you could run this:
echo "auth required pam_google_authenticator.so nullok" | sudo tee -a /etc/pam.d/lightdm
Now when you log in you will be asked separately for your password and the 2-step authentication code.
Encrypted home directories
If you use home encryption (ecryptfs), the file $HOME/.google_authenticator will not be readable for the PAM module (because it is still encrypted). In this case you need to move it somewhere else and tell PAM where to find it. A possible line could look like this:
auth required pam_google_authenticator.so secret=/home/.ga/${USER}/.google_authenticator
You need to create a directory for every user in /home/.ga that has the user's name and change the ownership of that directory to the user. Then the user can run google-authenticator and move the created .google_authenticator file to that directory. The user could run the following lines:
sudo install -g $(id -rgn) -o $USER -m 700 -d /home/.ga/$USER
google-authenticator
mv $HOME/.google_authenticator /home/.ga/$USER
This will allow the module to access the file.
For other options, check out the README.
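As an added illustration, not part of this answer and not the module's own code: the Python below reimplements, in simplified form, what google-authenticator writes to $HOME/.google_authenticator and what the PAM module later checks against it. The sample file is constructed and uses the RFC 6238 test key so the codes are the published test vectors; the WINDOW_SIZE default of 3, the odd-window handling and the "owner-only, owned by the user" file rule are my reading of the module's README, not copied from its source. The permission demo is why the `secret=` path in the encrypted-home setup above must be a directory that only the user can read.

```python
import base64
import hashlib
import hmac
import os
import struct
import tempfile

# Constructed sample in the layout google-authenticator writes: base32 secret
# first, option lines introduced by a double quote, then one 8-digit emergency
# (scratch) code per line. The secret is the RFC 6238 test key
# "12345678901234567890" in base32, so the TOTP values are the RFC vectors.
SAMPLE_SECRET_FILE = """GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ
" RATE_LIMIT 3 30
" WINDOW_SIZE 3
" DISALLOW_REUSE
" TOTP_AUTH
11111111
22222222
"""


def parse_secret_file(text):
    """Split a .google_authenticator file into (secret, options, scratch codes)."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    secret, options, scratch = lines[0], [], []
    for ln in lines[1:]:
        if ln.startswith('"'):
            options.append(ln[1:].strip())
        elif ln.isdigit() and len(ln) == 8:
            scratch.append(ln)
    return secret, options, scratch


def hotp(secret_b32, counter, digits=6):
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamic truncation."""
    key = base64.b32decode(secret_b32.upper())
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret_b32, unix_time, step=30):
    """RFC 6238 TOTP: HOTP over the 30-second time counter."""
    return hotp(secret_b32, int(unix_time) // step)


def window_size(options):
    """WINDOW_SIZE option (number of adjacent codes accepted); default assumed 3."""
    for opt in options:
        fields = opt.split()
        if len(fields) == 2 and fields[0] == "WINDOW_SIZE":
            return int(fields[1])
    return 3


def verify_code(text, code, unix_time):
    """Simplified check of one submitted code. Returns (accepted, remaining
    scratch codes): a scratch code is consumed on use, a TOTP code is accepted
    within the configured window around the current step (odd windows assumed)."""
    secret, options, scratch = parse_secret_file(text)
    if code in scratch:
        scratch.remove(code)
        return True, scratch
    half = window_size(options) // 2
    counter = int(unix_time) // 30
    for c in range(max(counter - half, 0), counter + half + 1):
        if hmac.compare_digest(hotp(secret, c), code):
            return True, scratch
    return False, scratch


def secret_file_usable(path, expected_uid=None):
    """Assumed module rule: group/world permission bits clear, owner matches."""
    st = os.stat(path)
    if expected_uid is not None and st.st_uid != expected_uid:
        return False
    return (st.st_mode & 0o077) == 0


def permission_check_demo():
    """Write the sample secret with mode 0600, then loosen it to 0644 (as a
    stray chmod or a copy into a shared directory might) and report both."""
    path = os.path.join(tempfile.mkdtemp(), ".google_authenticator")
    with open(path, "w") as fh:
        fh.write(SAMPLE_SECRET_FILE)
    os.chmod(path, 0o600)
    strict = secret_file_usable(path, os.getuid())
    os.chmod(path, 0o644)
    loose = secret_file_usable(path, os.getuid())
    return strict, loose
```

Run `totp(secret, time.time())` against what the phone shows to confirm a scanned secret matches; `permission_check_demo()` returns `(True, False)`, which is the difference between a secret the module will use and one it rejects.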
Take a look at this blog post titled: Google Two-Step Authentication On Your Desktop
What is it?
Installation
sudo apt-get install libpam-google-authenticator
Usage
google-authenticator
According to the blog post there's a version of lightdm-kde that has two-factor authentication included, which can take advantage of Google Authenticator when you add the included PAM module into your environment.
auth required pam_google_authenticator.so
Resulting in your GUI logins looking like this:
source here
Using two-factor authentication on ssh configured as described above still leaves your system open to possible brute-force attacks on your password. That could already compromise the first factor: your password. So personally I decided to add the following line not at the bottom but at the top of the /etc/pam.d/sshd file, as previously wasn't noted clearly:
auth required pam_google_authenticator.so
That results in first a prompt for your verification code, then for your password (regardless of whether you entered the verification code correctly). With this configuration, if you entered either the verification code or the password incorrectly you have to enter them both again. I agree it's a bit more of a nuisance, but hey: you wanted security or just a sense of security?
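As an added example, not from any of the answers above: a small Python audit that reads the text of a /etc/pam.d service file and reports the three points the answers disagree on, whether the module line is present, whether `nullok` is set, and whether the line sits before the password stack (`@include common-auth` on Ubuntu, or a `pam_unix.so` auth line elsewhere). The two file bodies are constructed: the first is what `tee -a` appending to the bottom produces, the second the top-of-file placement recommended here.

```python
GA_MODULE = "pam_google_authenticator.so"

# Constructed /etc/pam.d/sshd bodies (Ubuntu layout). BOTTOM is what
# appending with "tee -a" yields; TOP is the placement argued for above.
SSHD_PAM_BOTTOM = """# PAM configuration for the Secure Shell service
@include common-auth
account    required     pam_nologin.so
@include common-account
session    required     pam_loginuid.so
@include common-session
auth required pam_google_authenticator.so nullok
"""

SSHD_PAM_TOP = """# PAM configuration for the Secure Shell service
auth required pam_google_authenticator.so
@include common-auth
account    required     pam_nologin.so
@include common-account
"""


def audit_pam_file(text):
    """Describe how the GA module is wired into one PAM service file."""
    ga_index = password_index = None
    ga_control, ga_nullok = None, False
    for i, raw in enumerate(text.splitlines()):
        line = raw.split("#", 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        fields = line.split()
        if GA_MODULE in fields:
            ga_index = i
            # control flag is the second field; bracketed forms are reported as-is
            ga_control = fields[1] if len(fields) > 1 else None
            ga_nullok = "nullok" in fields
        elif password_index is None and (
            line == "@include common-auth"
            or (fields[0] == "auth" and "pam_unix.so" in fields)
        ):
            password_index = i   # first line that prompts for the password
    return {
        "present": ga_index is not None,
        "control": ga_control,
        "nullok": ga_nullok,
        "before_password": (
            ga_index is not None and password_index is not None and ga_index < password_index
        ),
    }


def findings(text):
    """List of things to fix, derived from audit_pam_file(); empty means OK."""
    a = audit_pam_file(text)
    out = []
    if not a["present"]:
        return ["module not configured"]
    if a["control"] != "required":
        out.append("control flag is %s, expected required" % a["control"])
    if a["nullok"]:
        out.append("nullok set: users without a secret skip the second factor")
    if not a["before_password"]:
        out.append("module listed after the password stack: password is tested first")
    return out
```

Pass `open("/etc/pam.d/sshd").read()` (or `lightdm`) to `findings()`; an empty list means the module is present, `required`, without `nullok`, and ahead of the password prompt. `nullok` is reported as a finding because once migration is done it silently turns the second factor into an opt-in.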