Google Authenticator

Posted by zbrom on June 26, 2021 · 3 mins read

Google Authenticator is open source software, currently licensed under the Apache 2.0 license. It complements an existing RSA key-based login as an additional security measure. It uses one-time passcodes (OTP) to provide authentication.

ghorr no longer recommends using the Google Authenticator Android app because the application is no longer open source. andOTP, which is Free and Open Source Software (FOSS) and available on F-Droid, is now recommended instead.


Setting up Google Authenticator

Installing Google Authenticator

You can easily install google-authenticator-libpam-git from the AUR using yaourt:

yaourt -S google-authenticator-libpam-git

Adjusting the SSHD and PAM configuration files

Open /etc/ssh/sshd_config with your favorite text editor:

nano /etc/ssh/sshd_config

Make sure that ChallengeResponseAuthentication is set to yes.

Next you have to edit /etc/pam.d/sshd. We are only interested in the lines starting with auth.

nano /etc/pam.d/sshd

If you want to have to enter both your regular password and a one-time password to log in, change the configuration like this:

auth required pam_unix.so
auth required pam_google_authenticator.so
auth required pam_env.so

Warning: Every user who has not yet generated a secret file will no longer be able to log in via SSH.

If you want to be able to log in using either your regular password or a one-time password, change the configuration file like this:

auth sufficient pam_unix.so
auth sufficient pam_google_authenticator.so
auth required pam_env.so

Using Google Authenticator

Just run the command google-authenticator as the user you want to generate the secret for and follow the instructions.

google-authenticator

You probably want to install the andOTP app for Android to generate your one-time passwords.

google-authenticator will show you a QR code you can scan with your phone if you have installed the qrencode package. Otherwise you have to enter the secret key manually on your phone.

If a one-time password is required for logging in, you should print out your emergency codes and store them in a safe place.
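As an added example (not from the original post or the Arch wiki), the following Python reproduces the TOTP computation the PAM module performs against the user's secret file, including the time-skew window and the single-use emergency codes. The secret file layout and option names in the constructed sample are assumed from the module's defaults, and the secret is the RFC 6238 test key, so the codes can be checked against the RFC's test vectors.

```python
import base64
import hashlib
import hmac
import struct

# Constructed sample in the layout google-authenticator writes to ~/.google_authenticator
# (assumed: base32 secret on line 1, option lines starting with '" ', then one
# emergency scratch code per line). The secret is the RFC 6238 test key.
SAMPLE_SECRET_FILE = """GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ
" RATE_LIMIT 3 30
" WINDOW_SIZE 17
" TOTP_AUTH
12345678
87654321
"""

def parse_secret_file(text):
    """Split the file into (base32 secret, option strings, scratch codes)."""
    lines = [l.strip() for l in text.splitlines() if l.strip()]
    options = [l[1:].strip() for l in lines[1:] if l.startswith('"')]
    scratch = [l for l in lines[1:] if not l.startswith('"')]
    return lines[0], options, scratch

def hotp(secret_b32, counter, digits=6):
    """RFC 4226: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    key = base64.b32decode(secret_b32.upper())
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return "%0*d" % (digits, code % 10 ** digits)

def totp(secret_b32, unix_time, step=30, digits=6):
    """RFC 6238: HOTP with the counter derived from 30-second time steps."""
    return hotp(secret_b32, int(unix_time) // step, digits)

def verify_totp(secret_b32, candidate, unix_time, skew=1):
    """Accept the code for the current step or up to `skew` steps either side
    (the role WINDOW_SIZE plays in the module), using a constant-time compare."""
    return any(hmac.compare_digest(totp(secret_b32, unix_time + 30 * k), candidate)
               for k in range(-skew, skew + 1))

def redeem_scratch_code(scratch_codes, candidate):
    """Emergency codes are single-use: return (accepted, remaining codes)."""
    if candidate in scratch_codes:
        return True, [c for c in scratch_codes if c != candidate]
    return False, list(scratch_codes)
```

Running totp() on the real secret from your own ~/.google_authenticator and comparing it with the code shown in andOTP is a quick way to confirm the enrollment before you make the module required in PAM.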

Removing Google Authenticator

These are the defaults for the changed parts of the configuration files:

nano /etc/ssh/sshd_config

Set ChallengeResponseAuthentication to no

nano /etc/pam.d/sshd

auth required pam_unix.so
auth required pam_env.so

References

https://wiki.archlinux.org/title/Google_Authenticator