ubuntu 2Authenticator


How to Log In To Your Linux Desktop With Google Authenticator 
Source: Howtogeek.com 
 
 
For additional security, you can require a time-based authentication token as well as a password to log into 
your Linux PC. This solution uses Google Authenticator and other TOTP apps. 
This process was performed on Ubuntu 14.04 with the standard Unity desktop and LightDM login manager, but 
the principles are the same on most Linux distributions and desktops. 
We previously showed you how to require Google Authenticator for remote access via SSH, and this process 
is similar. This doesn’t require the Google Authenticator app, but works with any compatible app that 
implements the TOTP authentication scheme, including Authy. 
As when setting this up for SSH access, we’ll first need to install the appropriate PAM 
(“pluggable-authentication module”) software. PAM is a system that allows us to plug different types of 
authentication methods into a Linux system and require them. 
On Ubuntu, the following command will install the Google Authenticator PAM. Open a Terminal window, type 
the following command, press Enter, and provide your password. The system will download the PAM from 
your Linux distribution’s software repositories and install it: 
sudo apt-get install libpam-google-authenticator 
 
Other Linux distributions should hopefully have this package available for easy installation, too — open your 
Linux distribution’s software repositories and perform a search for it. In a worst case scenario, you can find the 
source code for the PAM module on GitHub and compile it yourself. 
As we pointed out before, this solution doesn’t depend on “phoning home” to Google’s servers. It implements 
the standard TOTP algorithm and can be used even when your computer doesn’t have Internet access. 
Create Your Authentication Keys 
You’ll now need to create a secret authentication key and enter it into the Google Authenticator app (or a 
similar app) on your phone. First, log in as your user account on your Linux system. Open a terminal window 
and run the google-authenticator command. Type y and follow the prompts here. This will create a special 
file in the current user account’s directory with the Google Authenticator information. 
 
You’ll also be walked through the process of getting that two-factor verification code into a Google 
Authenticator or similar TOTP app on your smartphone. Your system can generate a QR code you can scan, 
or you can type it in manually. 
Be sure to note down your emergency scratch codes, which you can use to log in with if you lose your phone. 
 
Go through this process for each user account that uses your computer. For example, if you’re the only person 
who uses your computer, you can just do it once on your normal user account. If you have someone else who 
uses your computer, you’ll want to have them sign into their own account and generate an appropriate two-
factor code for their own account so they’ll be able to log in. 
SSH 
Activate Google Authenticator 
Next you’ll have to require Google Authenticator for SSH logins. To do so, open the /etc/pam.d/sshd file on 
your system (for example, with the sudo nano /etc/pam.d/sshd command) and add the following line to the 
file: 
auth required pam_google_authenticator.so 
Next, open the /etc/ssh/sshd_config file, locate the ChallengeResponseAuthentication line, and change it 
to read as follows: 
ChallengeResponseAuthentication yes 
(If the ChallengeResponseAuthentication line doesn’t already exist, add the above line to the file.) 
Finally, restart the SSH server so your changes will take effect: 
sudo service ssh restart 
 
You’ll be prompted for both your password and Google Authenticator code whenever you attempt to log in via 
SSH. 
 
 
 
 
 
Activate Authentication 
Here’s where things get a bit dicey. When we explained how to enable two-factor for SSH logins, we required it 
only for SSH logins. This ensured you could still log in locally if you lost your authentication app or if something 
went wrong. 
Since we’ll be enabling two-factor authentication for local logins, there are potential problems here. If 
something goes wrong, you may not be able to log in. Bearing that in mind, we’ll walk you through enabling 
this for graphical logins only. This gives you an escape hatch if you need it. 
Enable Google Authenticator for Graphical Logins on Ubuntu 
You could always enable two-step authentication for only graphical logins, skipping the requirement when you 
log in from the text prompt. This means you could easily switch over to a virtual terminal, log in there, and 
revert your changes so Google Authenticator wouldn’t be required if you experience a problem. 
Sure, this opens a hole in your authentication system, but an attacker with physical access to your system can 
already exploit it anyway. That’s why two-factor authentication is particularly effective for remote logins via 
SSH. 
Here’s how to do this for Ubuntu, which uses the LightDM login manager. Open the LightDM file for editing 
with a command like the following: 
sudo gedit /etc/pam.d/lightdm 
(Remember, these specific steps will only work if your Linux distribution and desktop use the LightDM login 
manager.) 
 
Add the following line to the end of the file, and then save it: 
auth required pam_google_authenticator.so nullok 
The “nullok” bit at the end tells the system to let a user log in even if they haven’t run the google-authenticator 
command to set up two-factor authentication. If they have set it up, they’ll have to enter a time-based code — 
otherwise they won’t. Remove the “nullok” and user accounts who haven’t set up a Google Authenticator code 
just won’t be able to log in graphically. 
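
An added check, not part of the original article: with nullok in place, any account that never ran google-authenticator still logs in with a password alone, and this script lists those accounts. It assumes the module's default secret location ~/.google_authenticator and Ubuntu's convention that regular users have UIDs of 1000 and up; the function name and the sample accounts are constructed for illustration.

```sh
#!/bin/sh
# List login-capable accounts that have no TOTP secret file yet.
# Under "nullok" these accounts skip the verification code entirely.
unenrolled_users() {
    # $1 = passwd-format file (default /etc/passwd)
    # $2 = prefix prepended to each home path (lets the demo use a temp tree)
    passwd=${1:-/etc/passwd}
    root=${2:-}
    while IFS=: read -r name pw uid gid gecos home shell; do
        # Assumption: regular (human) accounts start at UID 1000, as on Ubuntu.
        [ "$uid" -ge 1000 ] 2>/dev/null || continue
        # Skip accounts that cannot log in interactively.
        case $shell in */nologin|*/false) continue ;; esac
        # Default secret location used by pam_google_authenticator.so.
        [ -f "$root$home/.google_authenticator" ] || echo "$name"
    done < "$passwd"
}

# Constructed sample data: alice has enrolled, bob has not.
demo2=$(mktemp -d)
mkdir -p "$demo2/home/alice" "$demo2/home/bob"
: > "$demo2/home/alice/.google_authenticator"
cat > "$demo2/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
alice:x:1000:1000:Alice:/home/alice:/bin/bash
bob:x:1001:1001:Bob:/home/bob:/bin/bash
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
EOF
unenrolled_users "$demo2/passwd" "$demo2"
```

On a real system, run unenrolled_users with no arguments as root so that other users' home directories are readable.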
 
The next time a user logs in graphically, they’ll be asked for their password and then prompted for the current 
verification code displayed on their phone. If they don’t enter the verification code, they won’t be allowed to log 
in. 
 
The process should be fairly similar for other Linux distributions and desktops, as most common Linux desktop 
session managers use PAM. You’ll likely just have to edit a different file with something similar to activate the 
appropriate PAM module. 
If You Use Home Directory Encryption 
Older releases of Ubuntu offered an easy “home folder encryption” option that encrypted your entire home 
directory until you enter your password. Specifically, this uses ecryptfs. However, because the 
PAM software depends on a Google Authenticator file stored in your home directory by default, the encryption 
interferes with the PAM reading the file unless you ensure it’s available in unencrypted form to the system 
before you log in. Consult the README for more information on avoiding this problem if you’re still using the 
deprecated home directory encryption options. 
Modern versions of Ubuntu offer full-disk encryption instead, which will work fine with the above options. You 
don’t have to do anything special. 
Help, It Broke! 
Because we just enabled this for graphical logins, it should be easy to disable if it causes a problem. Press a 
key combination like Ctrl + Alt + F2 to access a virtual terminal and log in there with your username 
and password. You can then use a command like sudo nano /etc/pam.d/lightdm to open the file for editing in a 
terminal text editor. Use our guide to Nano to remove the line and save the file, and you’ll be able to log in 
normally again. 
 
 
You could also force Google Authenticator to be required for other types of logins — potentially even all 
system logins — by adding the line “auth required pam_google_authenticator.so” to other PAM configuration 
files. Be careful if you do this. And remember, you may want to add “nullok” so users who haven’t gone 
through the setup process can still log in. 
LOGIN - TERMINAL 	
  
sudo nano /etc/pam.d/login 
auth required pam_google_authenticator.so
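
An added audit script, not part of the original article: it reports for each PAM service file whether pam_google_authenticator.so is absent, optional (nullok) or enforced, and whether the text-console login the article relies on as its escape hatch is still password-only. The function names and the sample directory are constructed for illustration.

```sh
#!/bin/sh
# States reported per service file:
#   absent   - module not configured (password only)
#   optional - configured with nullok (un-enrolled users skip the code)
#   enforced - configured without nullok (un-enrolled users are locked out)
ga_state() {
    # $1 = path to a PAM service file; commented-out lines are ignored
    line=$(grep -E '^[[:space:]]*auth[[:space:]].*pam_google_authenticator\.so' \
        "$1" 2>/dev/null | head -n 1)
    if [ -z "$line" ]; then
        echo absent
    elif printf '%s\n' "$line" | grep -qE '(^|[[:space:]])nullok([[:space:]]|$)'; then
        echo optional
    else
        echo enforced
    fi
}

audit_pam() {
    # $1 = PAM directory (e.g. /etc/pam.d); remaining args = service names
    dir=$1
    shift
    for svc in "$@"; do
        printf '%s %s\n' "$svc" "$(ga_state "$dir/$svc")"
    done
}

escape_hatch() {
    # The recovery path is a virtual-terminal login, i.e. the "login" service.
    # Returns 0 while that service does not enforce the verification code.
    [ "$(ga_state "${1:-/etc/pam.d}/login")" != enforced ]
}

# Constructed sample tree mirroring the files edited in the article.
demo=$(mktemp -d)
printf 'auth required pam_google_authenticator.so nullok\n' > "$demo/lightdm"
printf 'auth required pam_google_authenticator.so\n' > "$demo/sshd"
printf '# auth required pam_google_authenticator.so\n' > "$demo/login"
audit_pam "$demo" lightdm sshd login
escape_hatch "$demo" && echo "console escape hatch: open"
```

Against a live system, call audit_pam /etc/pam.d lightdm sshd login; an "enforced" result for login means the virtual-terminal recovery described under "Help, It Broke!" also requires a code.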
