🎰Google Authenticator

Setting Up Google Authenticator for Two-Factor Authentication on Linux

Introduction

In this course, you will learn how to set up Google Authenticator on a Linux system to add an extra layer of security through Two-Factor Authentication (2FA). 2FA provides an additional level of security by requiring users to enter a time-based one-time password (TOTP) in addition to their regular password.

Prerequisites

Before getting started, make sure you have:

• A Linux-based system with administrative privileges.

• Internet connectivity to update and install packages.

• SSH access to the server (optional but recommended).

Installation & Setup

Update and Upgrade

First, let's ensure that your system is up to date:

sudo apt-get update && sudo apt-get upgrade -y

Install Google Authenticator

To install Google Authenticator, use the following command:

sudo apt install libpam-google-authenticator

Configure Google Authenticator

Run the following command to configure Google Authenticator for your user:

google-authenticator

This command will guide you through the setup process, generating a secret key and presenting QR codes for scanning into your authenticator app.

Enable 2FA for SSH

Now, we'll enable 2FA for SSH by modifying the PAM configuration file. Open the file for editing:

sudo nano /etc/pam.d/common-auth

Add the following lines to the file:

auth required pam_google_authenticator.so nullok
auth required pam_permit.so

Save and exit the editor.

The nullok option is used to specify that if a user hasn't set up Google Authenticator (i.e., they haven't run google-authenticator to configure it), they can still log in without two-factor authentication (2FA) if they choose not to use it.

Here's what nullok does in this context:

• If nullok is present, it means that users who haven't set up Google Authenticator (haven't created their TOTP keys and linked them to their accounts) can still log in using just their regular password. This can be useful during the initial setup phase or if not all users are required to use 2FA.

• If nullok is not present (i.e., the line is just auth required pam_google_authenticator.so), then any user who hasn't configured Google Authenticator will be denied access when attempting to log in, as 2FA would be required for all users.

Whether you include nullok or not depends on your security policy and the requirements of your system. If you want to enforce 2FA for all users, you can omit nullok. If you want to allow users to use 2FA optionally, you can include nullok.

Restart SSH Service

To apply the changes, restart the SSH service:

sudo service sshd restart

Disabling 2FA for a User

To disable 2FA for a specific user, you can remove the Google Authenticator configuration from the user's account.

Here are the steps:

1. Remove the .google_authenticator file from the user's home directory.

rm .google_authenticator

1. Optionally, remove the entry for the user from the ~/.ssh/authorized_keys file if it contains the google-authenticator directive.

Removing Google Authenticator

If you want to remove Google Authenticator completely from your system, follow these steps:

1. Uninstall the Google Authenticator package:

sudo apt remove libpam-google-authenticator
sudo apt purge libpam-google-authenticator
# or
sudo apt-get remove --auto-remove libpam-google-authenticator
sudo apt-get purge --auto-remove libpam-google-authenticator

1. Optionally, remove any remaining configuration files:

sudo rm /etc/google-authenticator

1. Restart the SSH service to ensure changes take effect:

sudo service sshd restart

Conclusion

Congratulations! You've successfully set up Google Authenticator for Two-Factor Authentication on your Linux system. From now on, when you log in via SSH, you'll be prompted to enter a one-time code from your authenticator app in addition to your password.

Remember to keep your authenticator app and secret key secure to ensure the effectiveness of 2FA.