Secure Logins with Google Authenticator
In this age of multi-core processors and easy-to-use password-cracking tools, locking access to your computer (and all the data it holds) with a password alone simply doesn’t cut the mustard anymore. If you’re really concerned about unauthorized access to your computer, you should definitely add an additional layer of authentication. One of the easiest mechanisms with which to implement such a two-step verification is the Google Authenticator service, which issues a time-based authentication token to supplement the existing password challenge.
Once you’ve integrated the service with your Ubuntu login, in addition to your user password, you’ll be prompted for one of the quickly expiring tokens before being allowed to log in. Google Authenticator generates these OTPs (one-time passwords) on your Android device once it’s been configured for every user on your Ubuntu machine. –MAYANK SHARMA
1. OPEN SESAME
To implement multi-factor authentication, you need the Google Authenticator PAM (pluggable authentication module). A PAM is a mechanism used to plug different forms of authentication into a Linux computer.
>> The Google Authenticator PAM module is available in the official Ubuntu software repositories. To install the package on Ubuntu, head to the Terminal and type:
$ sudo apt-get install libpam-google-authenticator
>> Once the package has been installed, make sure you’re logged in as the user you want to protect with the two-factor authentication. Now, in the Terminal window, type:
$ google-authenticator
>> This initiates the process of creating a secret key for the user by asking a bunch of questions. While it’s safe to answer yes to them all, it’s a good idea to understand each one before making your final choice, as these choices help balance security with ease of use. The first question is pretty safe, and you should allow the command to update your Google Authenticator file by answering yes.
>> You’re then asked whether you would like to restrict the use of a token, which forces you to wait for 30 seconds between logins. While it might seem a little inconvenient at first, you should agree to this limitation for maximum protection. The next question asks for permission to increase the time window that tokens can be used for from the default 1:30 minutes to 4:00 minutes. Although you can answer yes to this question to avoid any issues, type “no” for maximum security. If you notice any issues later on, rerun the command, and increase the expiration time as suggested. The fourth and final question asks you to limit the number of attempts for entering the authentication code. You should definitely enable this option, because it helps prevent brute-force login attacks.
2. BOOK OF CODEX
When it’s done, Google Authenticator presents you with a secret key and several emergency scratch codes. Make sure that you note down these emergency scratch codes somewhere safe. They’ll help you log in if you ever misplace the Android smartphone that generates the OTP. Each code can only be used once.
The google-authenticator command also generates a QR code [Image A], which you can scan with your Android smartphone. However, because we haven’t installed the app on our phone yet, just note down the 16-digit code for the time being.
Now repeat this process for each user account that uses your computer. Ask everyone you share the computer with to log in to their account, run google-authenticator, and make a note of their respective emergency scratch codes, along with the 16-digit code.
After you’ve generated the authentication code for all users, it’s time to configure the login process to work with Google Authenticator. All you need to do is edit one file to add two-step authentication for all login attempts. Again, fire up the Terminal, and type:
$ sudo nano /etc/pam.d/common-auth
Scroll right down to the end of the file, and add the following line:
auth required pam_google_authenticator.so nullok
Then save the file and exit. Here we’ve asked Ubuntu to use the Google Authenticator PAM module for all login attempts. The “nullok” bit at the end of the line asks Ubuntu to allow a user to log in even if they haven’t run the google-authenticator command to set up two-factor authentication. So, let’s assume you have two users—amber and megan—and have set up Google Authenticator only for amber. Thanks to nullok, while amber has to enter the OTP to access the system, megan can log in with just her password.
Note, however, that while this is a useful flexibility to have while you’re testing Google Authenticator, once everything works smoothly, and you have no issues logging in with the two-factor authentication, it’s advisable to force all users to log in through Google Authenticator—you do this simply by removing the “nullok” bit from this line.
3. GO GO GADGET
Your Ubuntu installation is now all set up for two-factor authentication. To receive the OTPs, you now have to install the Google Authenticator app from the Google Play Store on your Android smartphone. After installing the app, you have to add an account for all the users you’ve run the google-authenticator command for on your Ubuntu installation [Image B].
To do this, open the app, and from the main window, tap the menu button (the three vertical dots in the upper-right corner). Here, tap “Set up account,” and then select the “Enter key provided” option. Now enter the 16-digit secret key that you noted earlier, after you had run through the google-authenticator tool. Give the account a name (a good idea is to use the username of the account this is for), and tap the “Add” button.
You’ve now set up two-factor authentication on your computer. The Android app generates a new six-digit code every 30 seconds. When you log in to your account or enter a sudo command, Ubuntu prompts for your password, and you’re then asked to enter the authentication code. At this point, enter the digits currently on display in the Android app.
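What the app and the PAM module are actually computing, as an added example that is not part of the article: a minimal RFC 6238 TOTP implementation that turns a base32 secret and the current 30-second interval into the six-digit code described above, plus a small verifier that models two of the questions the google-authenticator tool asks (the time window and the no-reuse rule). The secret is the RFC 4226/6238 test key, not a real one; TotpVerifier and its parameter names are my own, and its reuse rule is a simplification of what the PAM module does.

```python
import base64
import hashlib
import hmac
import struct

STEP = 30    # seconds per interval: the app refreshes its code every 30 seconds
DIGITS = 6   # the six-digit code the app displays

# RFC 4226/6238 published test secret ("12345678901234567890" in base32); constructed, not a real key
TEST_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(base32_secret: str, unix_time: int) -> str:
    """RFC 6238 TOTP: the HOTP counter is the number of the current 30-second interval."""
    secret = base64.b32decode(base32_secret.upper(), casefold=True)
    return hotp(secret, unix_time // STEP)


class TotpVerifier:
    """Server-side check (hypothetical class) modelling two google-authenticator options."""

    def __init__(self, base32_secret: str, window_steps: int = 1, disallow_reuse: bool = True):
        self.secret = base64.b32decode(base32_secret.upper(), casefold=True)
        # window_steps=1 accepts the previous, current and next code (the default 1:30 window);
        # 8 tolerates up to 4 minutes of clock skew (the "increase the time window" option).
        self.window_steps = window_steps
        self.disallow_reuse = disallow_reuse   # the "one login every 30 seconds" option
        self.last_used_step = None

    def verify(self, code: str, unix_time: int) -> bool:
        now = unix_time // STEP
        for step in range(max(0, now - self.window_steps), now + self.window_steps + 1):
            if hmac.compare_digest(hotp(self.secret, step), code):
                # simplified reuse rule: a spent interval, and anything older, is rejected
                if self.disallow_reuse and self.last_used_step is not None and step <= self.last_used_step:
                    return False
                self.last_used_step = step
                return True
        return False
```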
Once you’ve logged in successfully, make sure you edit the “/etc/pam.d/common-auth” file, and remove the “nullok” option, to force login through Google Authenticator. Also, remember to create an account in the Android app for all the users on your Ubuntu installation.
Going through the additional security might seem like a hassle, especially when you need to switch to sudo to quickly edit a configuration file. But if you’re using the computer in a public place, you’ll quickly learn to appreciate the benefits of two-factor authentication.