How can I further secure my system using 2 factor authentication?

You can use the open-source Pluggable Authentication Module (PAM) created by Google, known as the Google Authenticator. This module is available in the standard repositories, as well as from GitHub so that you can build from source. Coupled with the Android, iOS, or Blackberry App of the same name, it creates time-based, time-sensitive codes for authentication along with your password. Since it is a PAM module, it can be dropped in pretty much anywhere. Let's get started!

Installing

To start, you can install the PAM with the following:

sudo apt-get install libpam-google-authenticator

Simple!

Setting it up:

After it's installed, you will want to also install the corresponding mobile application for Android, iOS, or Blackberry (depending on your mobile platform). Each one is useless without the other. After you have the application you need for your mobile device, run the following in a terminal:

google-authenticator

This will start by asking you a few questions. The first one is the only one which you must answer "Yes" to, and it asks if you want the codes to be time-based. After that, read each question and make the choice that makes the most sense to you.

Upon completing the initial set-up, you will see a very large QR code in your terminal, as well as some other information. The line that says "Your New Secret Key Is:" is a much needed line if you don't want to use the QR code for pairing your device, so don't close this window until you are set up! The "scratch codes" this gives you are also important, as they are what you will use to log in if you lose your mobile device. Write them down and store them somewhere safe.

Now, on your mobile device, open your Google Authenticator application and select "Set up account". You can either scan the QR code that was generated, or select "Use provided key". If you scan the QR code, everything will be automatically saved under an account named "your_user@your_host". However, if you select "Use provided key", you will have to enter a name, key, and type of token manually. The name can be anything you wish. The key would be the secret key previously generated. The type would be the default time-based. After setting it up, you will see the account on the main pane of the Google Authenticator app, as well as a circle-shaped timer next to it. That timer depletes every 30 seconds, and a new code is generated.

Enabling it!

Here comes the magic. Since this is a PAM module, it can be used in a variety of places. I will walk through adding authentication to sudo requests, SSH log-ins, and lightdm log-in. However, after reading this tutorial, you will be able to enable it elsewhere based on the same techniques.

SSH

I'm doing this one first because there is an extra step. The first thing you need to do is to edit your SSH config file:

gksudo gedit /etc/ssh/sshd_config

Search for the line that says:

ChallengeResponseAuthentication no

and change the "no" to a "yes".

Now, you need to edit the PAM module for ssh:

gksudo gedit /etc/pam.d/sshd

At the very end of this file, add the following line:

auth required pam_google_authenticator.so nullok

The "nullok" argument tells the system to not request a verification code if a user has not set up two factor authentication. After that edit, go ahead and restart your ssh service:

sudo service ssh restart

sudo Requests

Edit the PAM file for sudo:

gksudo gedit /etc/pam.d/sudo

Add the following line at the very end:

auth required pam_google_authenticator.so nullok

Now every sudo request will ask for a verification code as well as a password.

LightDM (GUI Log-In)

Edit the PAM file for LightDM:

gksudo gedit /etc/pam.d/lightdm

Add the following line at the very end:

auth required pam_google_authenticator.so nullok

That's it! Every time you log in through the GUI, it will ask for a verification code after your password.

System-Wide and TTY Log-In

Even if you enable the above methods, it still won't ask for a verification code if you switch over to a TTY with CTRL+ALT+F#. To fix this, edit the common-auth PAM file:

gksudo gedit /etc/pam.d/common-auth

and add the following line to the very end:

auth required pam_google_authenticator.so nullok

Note: Since this common-auth file is included in all other auth type files, you need to remove the auth required lines from the other files. Otherwise, it will ask for the verification code twice and not allow you to log-in after.

Wrap-Up

As you could see, it was pretty easy to add this authentication in. If you use a display manager other than LightDM, you could easily just change the lightdm line above accordingly. Since your mobile device and your system shared this secret key already, they should always be in sync. There is no interaction with Google servers, or any other internet resource for this set-up. Even if both devices were completely offline, the verification codes that show up in your application will be correct. Whenever you need to log in through one of the methods you've enabled, just make sure to open up your mobile application and grab the current verification code.

Have fun!!
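The answer above says the phone and the system stay in sync with no network access because both hold the same secret key. The following added example (not part of the answer, and not the pam_google_authenticator project's own code) shows why: it implements RFC 4226 HOTP and RFC 6238 TOTP in plain Python with the 30-second step and 6-digit codes that google-authenticator uses by default. The base32 secret is the same format the "Your New Secret Key Is:" line prints; the one used in the test is the RFC 6238 reference secret, not a real key. The verify() function, with its +/- one step tolerance and constant-time compare, is an assumption about how a verifier should behave, not a copy of the PAM module's logic.

```python
import base64
import hashlib
import hmac
import struct
import time

STEP_SECONDS = 30   # google-authenticator default time step
DIGITS = 6          # google-authenticator default code length


def normalise_secret(secret_b32: str) -> bytes:
    """Decode a base32 secret as printed by google-authenticator.
    Spaces and lowercase are tolerated and missing '=' padding is restored."""
    s = secret_b32.strip().replace(" ", "").upper()
    s += "=" * (-len(s) % 8)
    return base64.b32decode(s, casefold=True)


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian 8-byte counter,
    dynamically truncated to a 31-bit integer, reduced mod 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    truncated = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(truncated % (10 ** digits)).zfill(digits)


def totp(secret_b32: str, at_time: int, step: int = STEP_SECONDS,
         digits: int = DIGITS) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step).
    Both sides only need the secret and a roughly correct clock."""
    return hotp(normalise_secret(secret_b32), at_time // step, digits)


def verify(secret_b32: str, code: str, at_time: int, window: int = 1,
           step: int = STEP_SECONDS) -> bool:
    """Accept the code if it matches the current step or any step within
    +/- window (assumed tolerance for clock drift). A real verifier must
    additionally refuse to accept the same code twice."""
    for drift in range(-window, window + 1):
        candidate = totp(secret_b32, at_time + drift * step, step)
        if hmac.compare_digest(candidate, code):
            return True
    return False


if __name__ == "__main__":
    # Constructed demo secret (the RFC 6238 test key, base32-encoded).
    demo_secret = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
    now = int(time.time())
    code = totp(demo_secret, now)
    print("current code:", code, "valid:", verify(demo_secret, code, now))
```

Running the block prints a code that matches what an authenticator app seeded with the same base32 string shows at that moment, which is the whole "works offline" point: no server is consulted, so keeping the secret confidential and the clocks reasonably accurate is what the scheme depends on.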
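The note in the answer warns that once pam_google_authenticator.so is in common-auth, leaving it in sshd, sudo or lightdm as well makes PAM evaluate the module twice and lock you out. The following added example (not part of the answer, and not a tool from the pam_google_authenticator project) is a small checker that resolves @include / include directives across a set of pam.d files and reports every service in which the module would run more than once. The file contents are constructed to mirror the tutorial's edits; in a real check you would read them from /etc/pam.d.

```python
import re
from typing import Dict, List

MODULE = "pam_google_authenticator.so"

# Constructed sample of /etc/pam.d after following the tutorial AND the
# System-Wide step, without removing the per-service lines (the mistake
# the note warns about). Not copied from any real system.
SAMPLE_PAM_D: Dict[str, str] = {
    "common-auth": (
        "auth [success=1 default=ignore] pam_unix.so nullok_secure\n"
        "auth requisite pam_deny.so\n"
        "auth required pam_permit.so\n"
        "auth required pam_google_authenticator.so nullok\n"
    ),
    "sshd": "@include common-auth\nauth required pam_google_authenticator.so nullok\n",
    "sudo": "@include common-auth\n",
    "lightdm": "@include common-auth\nauth required pam_google_authenticator.so nullok\n",
}

# Debian's "@include file" and the "auth include file" control keyword.
_INCLUDE_RE = re.compile(r"^\s*(?:@include\s+(\S+)|auth\s+include\s+(\S+))")


def count_module(files: Dict[str, str], service: str, module: str = MODULE,
                 _seen=None) -> int:
    """Return how many times `module` appears on an auth line for `service`,
    following includes recursively (with a guard against include loops)."""
    seen = set() if _seen is None else _seen
    if service in seen or service not in files:
        return 0
    seen.add(service)
    total = 0
    for line in files[service].splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        m = _INCLUDE_RE.match(stripped)
        if m:
            total += count_module(files, m.group(1) or m.group(2), module, seen)
        elif stripped.startswith("auth") and module in stripped.split():
            total += 1
    return total


def double_prompt_services(files: Dict[str, str], module: str = MODULE) -> List[str]:
    """Services whose effective auth stack runs the module more than once,
    i.e. the ones that would ask for the verification code twice."""
    return sorted(s for s in files if count_module(files, s, module) > 1)


if __name__ == "__main__":
    for service in sorted(SAMPLE_PAM_D):
        print(f"{service:12s} evaluates {MODULE} {count_module(SAMPLE_PAM_D, service)} time(s)")
    print("double prompt:", double_prompt_services(SAMPLE_PAM_D))
```

On the sample data, sudo is clean (it only inherits the line from common-auth) while sshd and lightdm are flagged; fixing them means deleting their own pam_google_authenticator.so line, exactly as the note says.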


FreeOTP is an open-source alternative to the Google Authenticator Android app on Google Play (whose current code is not open source). FreeOTP is available on F-Droid (and Google Play).