The TOTP algorithm was still a draft RFC at the time of writing (it was published as RFC 6238 in May 2011):
A TOTP is meant to be used for a single login and is valid only for a short period (the time step is 30 s by default, and the verifier usually accepts one step of drift on either side), which means the clocks of the phone and the server must be roughly in sync. The code is computed as
TOTP(K, T) = Truncate(HMAC-SHA-1(K, T))
K is the shared secret between client and server; each TOTP
generator has a different and unique secret K.
T is a value derived from the current time: T = floor((Unix time - T0) / X), with T0 = 0 and X = 30 s by default.
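As an added example (not code from this post or from the Google Authenticator project), here is the algorithm above in Python: hotp/totp follow RFC 4226 and RFC 6238 literally, decode_secret reads the base32 secret that google-authenticator prints, secret_from_chart_url pulls that secret back out of the QR code URL the tool emits (it travels in clear in the chl parameter), and Verifier is a small server-side check with a clock-drift window and a single-use rule. The window size, the last-counter bookkeeping and all function names are this example's assumptions, not the PAM module's own logic.

```python
"""TOTP as google-authenticator uses it (RFC 4226 HOTP + RFC 6238 time step),
plus a small server-side verifier with a clock-drift window and an optional
single-use restriction.  Added example, not code from the original page."""
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import parse_qs, unquote, urlparse


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """HOTP(K, C) = Truncate(HMAC-SHA-1(K, C)), RFC 4226 section 5.3."""
    msg = struct.pack(">Q", counter)                 # C as 8-byte big-endian
    mac = hmac.new(key, msg, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                          # low nibble of last byte
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)    # keep leading zeros


def totp(key: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """TOTP(K, T) with T = floor(unix_time / step); a 30 s step is the default
    both in RFC 6238 and in google-authenticator."""
    return hotp(key, unix_time // step, digits)


def decode_secret(b32: str) -> bytes:
    """google-authenticator prints K base32-encoded without '=' padding."""
    s = b32.strip().replace(" ", "").upper()
    return base64.b32decode(s + "=" * (-len(s) % 8))


def secret_from_chart_url(url: str):
    """Return (label, base32 secret) from the Google Chart QR URL the tool
    prints.  The otpauth URI, secret included, sits in clear in 'chl'."""
    chl = parse_qs(urlparse(url).query)["chl"][0]    # -> otpauth://totp/...
    otp = urlparse(chl)
    if otp.scheme != "otpauth" or otp.netloc != "totp":
        raise ValueError("not a TOTP provisioning URI")
    label = unquote(otp.path.lstrip("/"))
    return label, parse_qs(otp.query)["secret"][0]


class Verifier:
    """Server side.  Accepts a code for any counter within +/- `window` steps
    of the current one (clock drift).  With single_use=True it refuses any
    counter at or before the last accepted one; that is how this example
    models the 'disallow multiple uses' option (an assumption, not a copy of
    the PAM module's bookkeeping)."""

    def __init__(self, key: bytes, step: int = 30, digits: int = 6,
                 window: int = 1, single_use: bool = True):
        self.key, self.step, self.digits = key, step, digits
        self.window, self.single_use = window, single_use
        self.last_counter = -1

    def verify(self, code: str, unix_time: int) -> bool:
        now = unix_time // self.step
        for c in range(now - self.window, now + self.window + 1):
            if self.single_use and c <= self.last_counter:
                continue                             # replay of a used slot
            if hmac.compare_digest(hotp(self.key, c, self.digits), code):
                self.last_counter = max(self.last_counter, c)
                return True
        return False


if __name__ == "__main__":
    # The URL printed in step 3 of the post (its secret is already public).
    CHART = ("https://www.google.com/chart?chs=200x200&chld=M|0&cht=qr&chl="
             "otpauth://totp/nuno@test-box1%3Fsecret%3DIVCTSZVKG6ZJZ5P4")
    label, b32 = secret_from_chart_url(CHART)
    key = decode_secret(b32)
    print(label, "current code:", totp(key, int(time.time())))
```

The RFC 6238 test vector (ASCII secret `12345678901234567890`, T = 59, 8 digits) must give `94287082`; the 6-digit form of that same slot is `287082`, which is HOTP counter 1 from RFC 4226. The verifier accepts a code from the slot before or after the current one, but once a slot has been used it refuses that slot and every earlier one.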
The Google implementation also provides one-time scratch codes that can be used if a clock happens to be out of sync, or the phone is unavailable when you need it.
To configure:
1 - Install Google Authenticator on an Android or BlackBerry phone.
2 - Install the Google Authenticator PAM module on your Linux PC.
3 - Generate the key and provision it to the phone.
4 - Set Linux authentication to use this PAM module.
To authenticate:
1 - Generate the TOTP with the phone.
2 - Use it like a password.
These are the detailed instructions for Ubuntu 10.10 and Android 2.2:
To configure:
1 - Go to the Market app on the phone, search for "Google Authenticator" and install it.
2 - Open a console and type the following.
To install all the needed dependencies:
sudo apt-get install mercurial libqrencode3 libpam0g-dev
To check out the Google Authenticator PAM module source code:
hg clone https://google-authenticator.googlecode.com/hg/ google-authenticator
To compile and install[1] (installing needs root, since the module goes under /lib/security):
cd google-authenticator/libpam/
make
sudo make install
To delete the source:
cd ../..
rm -r google-authenticator/
3 - Type google-authenticator. It prints a QR code URL, the secret, a verification code and the scratch codes, then asks a few questions. Open Google Authenticator on the phone, create an account and scan the barcode that the URL renders. Note that the URL carries the secret K in clear as a query parameter, so fetching it sends the secret to Google's chart service, and anyone who sees the URL, the secret line or the scratch codes can generate valid codes; treat all of them as you would a password.
nuno@test-box1:~$ google-authenticator
https://www.google.com/chart?chs=200x200&chld=M|0&cht=qr&chl=otpauth://totp/nuno@test-box1%3Fsecret%3DIVCTSZVKG6ZJZ5P4
Your new secret key is: IVCTSZVKG6ZJZ5P4
Your verification code is 853162
Your emergency scratch codes are:
70581448
65775471
40949450
81754434
11625120
Do you want me to update your "~/.google_authenticator" file (y/n) y
Do you want to disallow multiple uses of the same authentication
token? This restricts you to one login about every 30s, but it increases
your chances to notice or even prevent man-in-the-middle attacks (y/n) y
nuno@test-box1:~$
4 - Type:
sudo bash -c 'cat >/usr/share/pam-configs/google-all <<EOF
Name: Google Authenticator (all)
Default: yes
Priority: 900
Auth-Type: Primary
Auth:
required pam_google_authenticator.so
EOF'
sudo bash -c 'cat >/usr/share/pam-configs/google-enough <<EOF
Name: Google Authenticator (enough)
Default: yes
Priority: 900
Auth-Type: Primary
Auth:
sufficient pam_google_authenticator.so
EOF'
sudo pam-auth-update
pam-auth-update then asks which profiles to enable, and here you have to decide how you prefer to authenticate: using only the TOTP, having to enter both the TOTP and the password, or either of them.
For TOTP only: select google-enough, deselect unix
For TOTP or Password: select google-enough, select unix
For TOTP and Password [2]: select google-all, select unix
This is all. You can also log in with the TOTP remotely using ssh, without any change to openssh-server. Keep an existing session (or a root shell) open until you have confirmed that a fresh login works, because a mistake in the PAM configuration locks you out.
If you want to use different authentication schemes for local and remote login, you have to tweak /etc/pam.d/* by hand. The documentation is not very good, so good luck.
If you have any corrections or improvements, please leave a comment.
Thanks for reading!
[2] - This will work fine for the Gnome login or sudo authentication; both of them will prompt for both codes. On the other hand, it will not work for authentication on sshd or the Synaptic Package Manager.
6 comments:
Great tutorial, but one question:
If two different users are SSHing into a box with this installed, do they share the same google authenticator key?
No. Authentication is based on the ~/.google_authenticator file, which is different for each user.
If I remember correctly, that file holds the secret key and emergency scratch codes for that specific user.
Works perfectly on 11.10. Thank you!!
Forgot to say: on 11.10 you don't have to compile.
sudo apt-get install libpam-google-authenticator
Then just run 'google-authenticator' to generate the code to use to set up your phone.
Thanks again!
You cannot escape the responsibility of tomorrow by evading it today. -Abraham Lincoln
Thanks for your nice experience to share with us. Really awesome article with plenty of informative things to be known for us.