2011-01-15

Use Google Authenticator to login to a Linux PC

Google recently announced two-step authentication for google apps. Fortunately they started from the beginning with open-source code, and released a PAM module that allows us to use it for something else: use a Time-based One-time Password (TOTP) to login to your Linux PC.
The TOTP algorithm is still a draft RFC:

TOTP(K,T) = Truncate(HMAC-SHA-1(K,T))

K: shared secret between client and server; each TOTP generator has a different and unique secret K.
T: value derived from a time reference.

The TOTP is valid only for one login, and for a short period (usually around 60s), which means that both clocks must be in sync.
The Google implementation also allows one-time scratch codes that can be used if a clock happens to be out of sync, or your phone just doesn't work when you need it.
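The TOTP computation described above, written out as an added Python example (not code from the post or from the PAM module): decode the base32 secret that google-authenticator prints, derive T from the clock with the module's 30-second step, truncate the HMAC-SHA-1, and check a submitted code against a small clock-skew window, with an optional set of consumed counters modelling the "disallow multiple uses of the same token" option from step 3. The secret used at the bottom is the one shown in the post's sample session; the window size and the set-based replay tracking are assumptions.

```python
import base64
import hashlib
import hmac
import struct
import time

TIME_STEP = 30  # seconds per step; the PAM module's default interval


def decode_secret(secret_b32: str) -> bytes:
    """Decode the base32 secret printed by google-authenticator (padding optional)."""
    s = secret_b32.strip().replace(" ", "").upper()
    return base64.b32decode(s + "=" * (-len(s) % 8))


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): HMAC-SHA-1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(key: bytes, unix_time: int, step: int = TIME_STEP) -> str:
    """TOTP(K, T) = Truncate(HMAC-SHA-1(K, T)) with T = floor(unix_time / step)."""
    return hotp(key, unix_time // step)


def verify(key: bytes, code: str, unix_time: int, window: int = 1, used=None) -> bool:
    """Accept `code` if it matches any step within +/-window steps (tolerates clock skew).

    `used` is an optional set of already-consumed counters (assumed model of the
    single-use option): a counter in that set is never accepted again.
    """
    now = unix_time // TIME_STEP
    for counter in range(now - window, now + window + 1):
        if used is not None and counter in used:
            continue
        if hmac.compare_digest(hotp(key, counter), code):
            if used is not None:
                used.add(counter)
            return True
    return False


if __name__ == "__main__":
    key = decode_secret("IVCTSZVKG6ZJZ5P4")  # secret from the post's sample session
    print("current code:", totp(key, int(time.time())))
```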

To configure:
1 - Install Google Authenticator on an Android or Blackberry phone.

2 - Install the Google Authenticator PAM at your linux PC.
3 - Generate the key and provision it to the phone.
4 - Set Linux authentication to use this PAM module.

To authenticate:
1 - Generate the TOTP with the phone.
2 - Use it like a password.

These are the detailed instructions for Ubuntu 10.10 and Android 2.2:


To configure:

1 - Go to the Market app on the phone and search for "Google Authenticator". Install it.
2 - Open a console and type:


To install all the needed dependencies:

sudo apt-get install mercurial libqrencode3 libpam0g-dev

To check out the Google Authenticator PAM module source code:

hg clone https://google-authenticator.googlecode.com/hg/ google-authenticator

To compile and install[1]:

cd google-authenticator/libpam/
make
make install

Delete the source:

cd ../..
rm -r google-authenticator/
3 - Type:
nuno@test-box1:~$ google-authenticator
https://www.google.com/chart?chs=200x200&chld=M|0&cht=qr&chl=otpauth://totp/nuno@test-box1%3Fsecret%3DIVCTSZVKG6ZJZ5P4
Your new secret key is: IVCTSZVKG6ZJZ5P4

Your verification code is 853162
Your emergency scratch codes are:
70581448
65775471
40949450
81754434
11625120

Do you want me to update your "~/.google_authenticator" file (y/n) y

Do you want to disallow multiple uses of the same authentication
token? This restricts you to one login about every 30s, but it increases
your chances to notice or even prevent man-in-the-middle attacks (y/n) y
nuno@test-box1:~$
Open Google Authenticator on your phone and create an account, scanning the barcode.

4 - Type:
sudo bash -c 'cat >/usr/share/pam-configs/google-all <<EOF
Name: Google Authenticator (all)
Default: yes
Priority: 900
Auth-Type: Primary
Auth:
required pam_google_authenticator.so
EOF'

sudo bash -c 'cat >/usr/share/pam-configs/google-enough <<EOF
Name: Google Authenticator (enough)
Default: yes
Priority: 900
Auth-Type: Primary
Auth:
sufficient pam_google_authenticator.so
EOF'
In the next step you have to decide how you prefer to authenticate: using only the TOTP, having to enter both the TOTP and the password, or accepting either of them.

For TOTP only: select google-enough, deselect unix
For TOTP or Password: select google-enough, select unix
For TOTP and Password [2]: select google-all, select unix

sudo pam-auth-update

That is all. You can also log in with TOTP remotely using ssh, without any change to openssh-server.
If you want to use different authentication schemes for local and remote login, you have to tweak /etc/pam.d/*. The documentation is not very good, so good luck.
If you have any corrections or improvements please leave a comment.

Thanks for reading!

[1] - I didn't need to type "sudo" before "make install" although some files end up in system locations. If you know why I didn't need to invoke the Lord's name, please leave a comment!
[2] - This will work fine for Gnome login or sudo authentication, both of them will prompt for both codes. On the other hand it will not work for authentication on sshd or Synaptic Package Manager.

6 comments:

Teque5 said...

Great tutorial, but one question:

If two different users are SSHing into a box with this installed, do they share the same google authenticator key?

Unknown said...

No. Authentication is based on the ~/.google_authenticator file, which is different for each user.
If I remember correctly, that file will have the secret key and emergency scratch codes for that specific user.

Anonymous said...

Works perfectly on 11.10. Thank you!!

Anonymous said...

Forgot to say: on 11.10 you don't have to compile.

sudo apt-get install libpam-google-authenticator

then, just run 'google-authenticator' to generate the code to use to setup your phone

Thanks again!

Anonymous said...

You cannot escape the responsibility of tomorrow by evading it today. -Abraham Lincoln

Anonymous said...

Thanks for your nice experience to share with us. Really awesome article with plenty of informative things to be known for us.