- This article applies to Debian-based Linux distributions and Ubuntu variants
- Does not work if the user's home drive is encrypted
I will be demonstrating how to use the Google Authenticator PAM module for two-factor authentication. Google Authenticator uses a time-based OTP algorithm and does not phone home to work. You will need an Android or iOS device with the Google Authenticator app installed.
Install the Google Authenticator module by opening a terminal and typing:
sudo apt-get install libpam-google-authenticator
Generate the authentication key by running this command:
google-authenticator
Follow the instructions to generate a key by pressing "y". Copy the secret key, the verification code and the scratch codes and store them securely. Scan the barcode with the app on your phone to initialize the code. Please note that at this point we have only installed the module and generated a key; we still have to enable PAM for SSH login manually. The steps below update the "pam.d" config file to load "pam_google_authenticator.so", set "ChallengeResponseAuthentication yes" in "sshd_config", and then restart the SSH service.
Open pam.d/sshd with vi or nano:
sudo nano /etc/pam.d/sshd
and add the line:
auth required pam_google_authenticator.so
Open sshd_config:
sudo nano /etc/ssh/sshd_config
Locate the ChallengeResponseAuthentication line and edit it to say:
ChallengeResponseAuthentication yes
Restart SSH service:
sudo service ssh restart
Next time you SSH in you will be prompted for your password and the OTP before you are authenticated.
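A check to run before restarting SSH, as an added example that is not part of the original article: it confirms that an uncommented pam_google_authenticator.so auth line exists and reports the effective ChallengeResponseAuthentication value, since sshd uses the first occurrence of a keyword. The function names and the sample files written by write_samples are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the article): audit the two edits made above.

# True if an active (uncommented) auth line loads the Google Authenticator module.
pam_has_google_auth() {
    grep -Eq '^[[:space:]]*auth[[:space:]].*pam_google_authenticator\.so' "$1"
}

# Print the effective ChallengeResponseAuthentication value. sshd keywords are
# case-insensitive and the first uncommented occurrence wins, so a "yes"
# appended below a stock "no" line has no effect.
sshd_challenge_response() {
    awk 'tolower($1) == "challengeresponseauthentication" {
             print tolower($2); exit }' "$1"
}

# Usage: check_2fa_config [pam_file] [sshd_config]; returns 0 only if both pass.
check_2fa_config() {
    pam_file=${1:-/etc/pam.d/sshd}
    sshd_file=${2:-/etc/ssh/sshd_config}
    rc=0
    if ! pam_has_google_auth "$pam_file"; then
        echo "FAIL: no active pam_google_authenticator.so auth line in $pam_file"
        rc=1
    fi
    value=$(sshd_challenge_response "$sshd_file")
    if [ "$value" != "yes" ]; then
        echo "FAIL: ChallengeResponseAuthentication is '${value:-unset}' in $sshd_file"
        rc=1
    fi
    [ "$rc" -eq 0 ] && echo "OK: PAM module and challenge-response are enabled"
    return "$rc"
}

# Constructed sample files (not real system config) showing the shadowing case.
write_samples() {
    printf '%s\n' '@include common-auth' \
        'auth required pam_google_authenticator.so' > "$1/pam_sshd"
    printf '%s\n' 'ChallengeResponseAuthentication no' \
        'ChallengeResponseAuthentication yes' > "$1/sshd_shadowed"
    printf '%s\n' '#ChallengeResponseAuthentication no' \
        'challengeresponseauthentication yes' > "$1/sshd_good"
}
```

Run check_2fa_config with no arguments to audit the live files, and sudo sshd -t to catch syntax errors before the restart. Keep the current SSH session open and test the new login from a second terminal.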