Use Google Authenticator to login to a Linux host

From crazylinux.de

Found on http://dokuwiki.pcfreak.de/doku.php?id=public:linux:google-authenticator


The Google Authenticator project includes implementations of one-time passcode generators for several mobile platforms, as well as a pluggable authentication module (PAM). One-time passcodes are generated using open standards developed by the Initiative for Open Authentication (OATH) (which is unrelated to OAuth).

These implementations support the HMAC-Based One-time Password (HOTP) algorithm specified in RFC 4226 and the Time-based One-time Password (TOTP) algorithm specified in RFC 6238. This project currently offers mobile application implementations of HOTP/TOTP for Android, iOS, and Blackberry, as well as a PAM module.

https://code.google.com/p/google-authenticator/

Hint for SSH Logins

Some services, e.g. SSH, need explicit configuration to use PAM. To be able to use the Google Authenticator PAM module via SSH you have to change or verify two lines in your SSH daemon configuration file. On Ubuntu this is /etc/ssh/sshd_config.


Make sure the file contains the following 2 lines:

ChallengeResponseAuthentication yes
UsePAM yes

Before going live, make sure you have a second shell open in which you can revert to the original settings if something fails.


Enable Google Authenticator for PAM unix logins

Create a package-supplied authentication profile: create the file /usr/share/pam-configs/google-enough with this content:

Name: Google Authenticator (enough)
Default: yes
Priority: 900
Auth-Type: Primary
Auth:
	sufficient pam_google_authenticator.so

Since we have created an authentication profile, we can simply run the following command

sudo pam-auth-update

to configure the central authentication policy for the system, which now lists "Google Authenticator (enough)" as created above.


For Google Authenticator OR password, select both entries:

[*] Google Authenticator (enough)
[*] Unix authentication

Because the profile marks pam_google_authenticator.so as "sufficient", either a valid one-time code or the Unix password alone is accepted; this is an either/or setup, not two-factor authentication.