Ubuntu Google Authenticator

Did you know that you can log in to your Linux system using Google Authenticator? Google Authenticator is a time-based token that gives you more security whenever you or someone else has to log in. This adds security to your system: anyone who wants to break your username and password will also have to break a very hard algorithm, which is not easy to do.

You will need on your phone the Google Authenticator app or any compatible app that implements the TOTP authentication scheme.

Install the Google Authenticator PAM

First we need to install the PAM (Pluggable Authentication Module) software. PAM is a system that lets us plug different types of authentication methods into the Linux login process.

On Ubuntu, the following command installs the Google Authenticator PAM. Open your terminal, type the command and provide your password when prompted.

sudo apt-get install libpam-google-authenticator

For other Linux distributions, check whether they already have this package; if not, you will have to download it manually from GitHub and compile it before installing.

When you log in with Google Authenticator, the standard TOTP algorithm is used, which secures your computer even when it is not connected to the internet.

Create Authentication Keys

Now we have to create a secret authentication key and enter it into the Google Authenticator application, or another compatible application, on your phone.

On your Linux system, open a terminal window and run the google-authenticator command:

google-authenticator

Type y and follow the prompts. This creates a file in your home directory that contains your Google Authenticator information.

This also sets up the two-factor verification code in Google Authenticator or a similar TOTP app on your phone: the system can generate a QR code that you can scan, or you can type the key in manually.

During this process you will see your emergency scratch codes. Make sure you note them down in case you lose your phone; the scratch codes will allow you to log in to your Linux system.

If more than one person uses your computer, you can do this for every user.

Enter the secret key in the Google Authenticator app on your phone. The app is available for Android, iOS and BlackBerry.

Your phone will now show a constantly changing verification code, which you will use every time you log in.

Run this command for each user who should be able to log in; each user will have their own secret key and QR codes.

Enable Google Authenticator for Graphical Login

You have to enable Google Authenticator for graphical login; you can still always switch to logging in from a virtual terminal.

For security reasons I would recommend using two-factor authentication, which is more effective for remote logins via SSH. Here is how to do it:

Open the LightDM PAM file for editing from a terminal:

sudo gedit /etc/pam.d/lightdm

Add the following line to the end of the file and save it:

auth required pam_google_authenticator.so nullok

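The next time you log in graphically, you will be asked for your password and then prompted for the verification code from your phone. If you do not enter the verification code, you will not be allowed to log in. Because of the nullok option, a user who has not yet run google-authenticator can still log in with only a password.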
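A read-only check for the PAM line above, as an added example that is not part of the original article: it reports whether the module is active, whether nullok is set, and which home directories have no secret file yet. It assumes the secret is stored in the default .google_authenticator file in each home directory; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: audit helpers for the PAM line shown above (hypothetical names).

# pam_2fa_mode FILE -> "missing", "enforced" or "optional-nullok"
pam_2fa_mode() {
    # Only active (uncommented) auth lines that load the module count.
    gauth_line=$(grep -E '^[[:space:]]*auth[[:space:]].*pam_google_authenticator\.so' "$1" 2>/dev/null | tail -n 1) || true
    if [ -z "$gauth_line" ]; then
        echo "missing"
    elif printf '%s\n' "$gauth_line" | grep -Eq '[[:space:]]nullok([[:space:]]|$)'; then
        echo "optional-nullok"
    else
        echo "enforced"
    fi
}

# unenrolled_users HOME_ROOT -> one name per line for each home directory
# without a non-empty .google_authenticator file (assumed default location).
unenrolled_users() {
    for home_dir in "$1"/*/; do
        [ -d "$home_dir" ] || continue
        [ -s "${home_dir}.google_authenticator" ] || basename "$home_dir"
    done
}

# report PAM_FILE HOME_ROOT -> prints findings; returns 1 if a password-only path exists
report() {
    mode=$(pam_2fa_mode "$1")
    missing=$(unenrolled_users "$2")
    echo "PAM mode: $mode"
    case "$mode" in
        missing) echo "module not active: every login is password-only"; return 1 ;;
        optional-nullok)
            if [ -n "$missing" ]; then
                echo "password-only logins possible for:"; echo "$missing"; return 1
            fi ;;
        enforced)
            [ -z "$missing" ] || { echo "these users will be locked out:"; echo "$missing"; } ;;
    esac
    return 0
}

# On a real system (read-only):  report /etc/pam.d/lightdm /home
```

Once every account is enrolled, removing nullok from the PAM line makes the verification code mandatory for all users.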

You can use Google Authenticator on all Linux distributions, but the installation can look different on another distro, so do not try it until you are sure that you will be able to restore everything if something goes wrong.
