Linux for Noobs

Two-factor authentication (2FA) in Linux using Google Authenticator
Google Authenticator is an application that generates one-time codes to serve as the second factor for identity verification.

Follow these steps to set up 2FA with Google Authenticator in Linux:

  1. First, you'll need to install Google Authenticator on your Linux system. You can do this using your distribution's package manager. For example, for Ubuntu or Debian, you can use the following command:

    Code:
    sudo apt install libpam-google-authenticator

  2. Modify /etc/ssh/sshd_config: change ChallengeResponseAuthentication from no to yes, so that this part of the file looks like this:

    Code:
    # Change to yes to enable challenge-response passwords (beware issues with
    # some PAM modules and threads)
    ChallengeResponseAuthentication yes

  3. To use Google Authenticator for login, you need to modify the /etc/pam.d/sshd (for SSH login) or /etc/pam.d/login (for terminal login) file. Add this line at the beginning of the file:

    Code:
    auth required pam_google_authenticator.so

  4. After a successful installation, run:

    Code:
    google-authenticator


    This will start the configuration process for Google Authenticator. During the configuration, you'll be asked a series of questions.

    The first question is whether you want to generate new secret keys for Google Authenticator. Answer "y" (yes) or "n" (no) according to your choice.

    You'll then be prompted to scan a QR code using the Google Authenticator app on your mobile device. This will link your account to the app and generate one-time codes.

    Next, emergency scratch codes will be displayed. Write down or save these codes in a secure place. You can use them in case you lose access to the Google Authenticator app.

    Once the configuration is complete, you'll be asked to confirm that you want to enable Google Authenticator for login. Answer "y" (yes).

    Finally, your Google Authenticator settings will be saved in the ~/.google_authenticator file.

  5. Now you need to restart the sshd daemon using:

    Code:
    sudo systemctl restart sshd.service

  6. After making the changes, you'll need to log out and log back in to authenticate using Google Authenticator.

  7. Once 2FA with Google Authenticator is set up, you'll be required to enter your regular password and the one-time code generated by the Google Authenticator app to log in to the system. This enhances the security of your Linux system.
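
A pre-restart check for the settings from steps 2 to 4, added here as an example and not part of the original post. The function names `kbd_setting` and `check_2fa` and the script name `check_2fa.sh` are assumptions; the check also accepts KbdInteractiveAuthentication, the name newer OpenSSH releases use for the same setting.

```shell
#!/bin/sh
# Added example: checks the settings from steps 2-4 before sshd is restarted.
# Include'd files and Match blocks in sshd_config are not followed.

# First uncommented value of the challenge-response setting (sshd uses the
# first match). Newer OpenSSH releases name it KbdInteractiveAuthentication
# and keep ChallengeResponseAuthentication as a deprecated alias.
kbd_setting() {  # $1 = sshd_config path
    awk 'tolower($1) == "challengeresponseauthentication" ||
         tolower($1) == "kbdinteractiveauthentication" {
             print tolower($2); exit }' "$1"
}

# Prints one line per problem; returns the number of problems (0 = all good).
check_2fa() {    # $1 = sshd_config, $2 = PAM service file, $3 = secret file
    problems=0
    if [ "$(kbd_setting "$1")" != yes ]; then
        echo "FAIL: ChallengeResponseAuthentication is not set to yes in $1"
        problems=$((problems + 1))
    fi
    if ! grep -Eq '^[[:space:]]*auth[[:space:]]+required[[:space:]]+pam_google_authenticator\.so' "$2"; then
        echo "FAIL: no 'auth required pam_google_authenticator.so' line in $2"
        problems=$((problems + 1))
    fi
    if [ ! -f "$3" ]; then
        echo "FAIL: $3 not found; run google-authenticator as the login user"
        problems=$((problems + 1))
    elif [ "$(ls -ld "$3" | cut -c5-10)" != "------" ]; then
        # The file holds the secret key, so only its owner should have access.
        echo "FAIL: $3 is accessible to group or others"
        problems=$((problems + 1))
    fi
    return "$problems"
}

# Run against real files when three paths are given, e.g.
#   sh check_2fa.sh /etc/ssh/sshd_config /etc/pam.d/sshd ~/.google_authenticator
if [ "$#" -eq 3 ]; then check_2fa "$@"; fi
```

Running `sudo sshd -t` before the restart in step 5 catches syntax errors in sshd_config, and keeping an existing SSH session open while testing the first 2FA login leaves a way back in if a setting is wrong.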
