2FA Ubuntu Desktop

In this small blog post I want to show how to enable 2FA in Ubuntu Desktop.

Prerequisites

  1. Ubuntu Desktop installed on a VM or physical hardware
  2. Access to a user with sudo rights

Setup

  1. Log in with a user that has sudo rights.

  2. Open the terminal and install the following package:

    sudo apt install libpam-google-authenticator
  3. After the installation, add the PAM module to the config file /etc/pam.d/common-auth:

    sudo nano /etc/pam.d/common-auth

    Add the following line at the end of the config file:

    auth    required                        pam_google_authenticator.so echo_verification_code

    Save and close the nano text editor with Ctrl+O and Ctrl+X. Note that common-auth is included by every PAM-based login on the system (console, graphical login, sudo), and because the module is marked required without the nullok option, every user must complete step 4 before logging out; otherwise that user can no longer authenticate.

  4. Set up 2FA for the current user. Type the following command into the terminal and hit enter:

    google-authenticator
  5. Now you get to answer a few questions:

    Do you want authentication tokens to be time-based (y/n) y
  6. The program now shows a QR code. Scan it with a 2FA app on your smartphone, which you can download from:

    F-Droid:

    Google Play:

    After installing an app, scan the QR code with it.

    Now verify that the app is set up correctly by typing the 6-digit 2FA code it shows into the terminal of your Ubuntu Desktop machine. Write down the emergency scratch codes for this account: with these codes you can log in without the 2FA code from your smartphone app (for emergencies, e.g. a lost phone).

    Enter code from app (-1 to skip): 527250
    Code confirmed
    Your emergency scratch codes are:
      23231488
      76147310
      44302760
      67489244
      72861528


    Save the config in your home directory:

    Do you want me to update your "/home/suitdeer/.google_authenticator" file? (y/n) y


    Disallow same authentication token for multiple uses:

    Do you want to disallow multiple uses of the same authentication
    token? This restricts you to one login about every 30s, but it increases
    your chances to notice or even prevent man-in-the-middle attacks (y/n) y


    Do not widen the time-skew window (my opinion):

    By default, a new token is generated every 30 seconds by the mobile app.
    In order to compensate for possible time-skew between the client and the server,
    we allow an extra token before and after the current time. This allows for a
    time skew of up to 30 seconds between authentication server and client. If you
    experience problems with poor time synchronization, you can increase the window
    from its default size of 3 permitted codes (one previous code, the current
    code, the next code) to 17 permitted codes (the 8 previous codes, the current
    code, and the 8 next codes). This will permit for a time skew of up to 4 minutes
    between client and server.
    Do you want to do so? (y/n) n


    Enable rate limiting:

    If the computer that you are logging into isn't hardened against brute-force
    login attempts, you can enable rate-limiting for the authentication module.
    By default, this limits attackers to no more than 3 login attempts every 30s.
    Do you want to enable rate-limiting? (y/n) y
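    The questions above map directly onto the TOTP algorithm (RFC 6238) that the smartphone app and the PAM module both run. As an added example, not code from this post or from the google-authenticator project, the following Python reimplements the 6-digit code generation and the server-side check: the default 3-code skew window versus the widened 17-code one, and the "disallow multiple uses" reuse check. The base32 secret is a constructed test value (the RFC 4226 test secret), not a real one.

```python
import base64
import hashlib
import hmac
import struct
from typing import Optional, Tuple

STEP = 30    # seconds per token, as stated in the google-authenticator prompt
DIGITS = 6   # the 6-digit code typed at "Enter code from app"


def secret_from_base32(b32: str) -> bytes:
    """Decode the base32 secret encoded in the QR code (re-adds missing padding)."""
    b32 = b32.strip().upper()
    return base64.b32decode(b32 + "=" * (-len(b32) % 8))


def hotp(secret: bytes, counter: int) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** DIGITS).zfill(DIGITS)


def totp(secret: bytes, unix_time: int) -> str:
    """RFC 6238: the HOTP counter is the number of 30-second steps since the epoch."""
    return hotp(secret, unix_time // STEP)


def verify(secret: bytes, code: str, unix_time: int,
           window: int = 3, last_used: Optional[int] = None) -> Tuple[bool, Optional[int]]:
    """Check a code against every step in a window centred on the current step.
    window=3 is the default (previous, current, next code); window=17 is the
    widened one (8 steps either side, about 4 minutes of skew). last_used is the
    highest step already accepted; refusing anything at or below it implements
    the 'disallow multiple uses of the same token' option. Returns (accepted, step)."""
    now = unix_time // STEP
    half = window // 2
    for step in range(max(0, now - half), now + half + 1):
        if last_used is not None and step <= last_used:
            continue
        if hmac.compare_digest(hotp(secret, step), code):
            return True, step
    return False, None


if __name__ == "__main__":
    # Constructed test secret (RFC 4226); never paste a real secret into scripts.
    secret = secret_from_base32("GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ")
    print("code at t=59:", totp(secret, 59), "->", verify(secret, totp(secret, 59), 59))
```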

Enable 2FA for other users on this machine

  1. Log in as the user for whom you want to enable 2FA.
  2. Repeat steps 4 to 6 of the setup process.
