Use Google Authenticator to login to a Linux host
Found on http://dokuwiki.pcfreak.de/doku.php?id=public:linux:google-authenticator
The Google Authenticator project includes implementations of one-time passcode generators for several mobile platforms, as well as a pluggable authentication module (PAM). One-time passcodes are generated using open standards developed by the Initiative for Open Authentication (OATH) (which is unrelated to OAuth).
These implementations support the HMAC-Based One-time Password (HOTP) algorithm specified in RFC 4226 and the Time-based One-time Password (TOTP) algorithm specified in RFC 6238. This project currently offers mobile application implementations of HOTP/TOTP for Android, iOS, and Blackberry, as well as a PAM module.
https://code.google.com/p/google-authenticator/
Hint for SSH Logins
Some services, e.g. SSH, need explicit configuration to use PAM. To use the Google Authenticator PAM module via SSH, you have to change or verify 2 lines in your SSH daemon configuration file. On Ubuntu this is /etc/ssh/sshd_config.
Make sure the file contains the following 2 lines:
ChallengeResponseAuthentication yes
UsePAM yes
Before going live, make sure you have a second shell open where you can change back to the original settings if something fails.
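A pre-flight check for the two sshd_config lines above, as an added example that is not part of the original page. The function names sshd_global_value and check_sshd_pam_otp are hypothetical; the check follows sshd's rule that keywords are case-insensitive and the first occurrence wins, and it only reads the global section before any Match block.

```shell
#!/bin/sh
# Added example (not from the original page). Function names are hypothetical.

# Print the effective global value of an sshd_config keyword (or of one of its
# aliases). Keywords are case-insensitive, the first occurrence wins, and
# parsing stops at the first Match block.
sshd_global_value() {  # usage: sshd_global_value FILE keyword [alias...]
    _file=$1; shift
    awk -v keys="$*" '
        BEGIN { n = split(tolower(keys), k, " ")
                for (i = 1; i <= n; i++) want[k[i]] = 1 }
        { sub(/#.*/, ""); sub(/^[ \t]+/, "") }   # drop comments and leading blanks
        $0 == "" { next }
        { line = $0
          sub(/[ \t]*=[ \t]*/, " ", line)        # "Keyword=value" is also accepted
          split(line, f, /[ \t]+/) }
        tolower(f[1]) == "match" { exit }
        (tolower(f[1]) in want) { print tolower(f[2]); exit }
    ' "$_file"
}

# Return 0 only if both lines the page asks for are effective.
# An unset keyword counts as a failure, because the page wants explicit lines.
check_sshd_pam_otp() {  # usage: check_sshd_pam_otp [FILE]
    _cfg=${1:-/etc/ssh/sshd_config}
    _rc=0
    # KbdInteractiveAuthentication is the newer OpenSSH name for the same option.
    _cr=$(sshd_global_value "$_cfg" ChallengeResponseAuthentication KbdInteractiveAuthentication)
    _pam=$(sshd_global_value "$_cfg" UsePAM)
    [ "$_cr" = yes ] || {
        echo "ChallengeResponseAuthentication is '${_cr:-unset}', want yes" >&2; _rc=1; }
    [ "$_pam" = yes ] || {
        echo "UsePAM is '${_pam:-unset}', want yes" >&2; _rc=1; }
    return $_rc
}
```

The function does not follow Include directives, so settings placed in included files are not seen. On a live host, `sudo sshd -t` checks the configuration syntax before the daemon is reloaded.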
Enable Google Authenticator for PAM unix logins
Create package-supplied authentication profiles
Create the following file /usr/share/pam-configs/google-enough with this content:
Name: Google Authenticator (enough)
Default: yes
Priority: 900
Auth-Type: Primary
Auth:
	sufficient	pam_google_authenticator.so
Since we created authentication profiles we can simply use the following command
sudo pam-auth-update
to configure the central authentication policy for the system which now contains "Google Authenticator (enough)" as created before.
For Google Authenticator OR password (either one alone is enough to log in), select both entries:
[*] Google Authenticator (enough)
[*] Unix authentication