How to Use Google Authenticator to Log In to Linux
Protecting your account with a password has become an important issue. By providing two-step authentication services, Google has made a huge contribution to protecting users against hacking.
Two-step authentication adds a second step that identifies you when you log in to an account.
If you have activated this service for your Gmail account, a code is sent to your mobile number each time you log in; entering this code completes the identification and takes you to your account.
Google has just launched an app called Google Authenticator for the Android and iOS platforms. The program generates token codes using the Time-Based One-Time Password (TOTP) algorithm.
The codes generated by this algorithm can be used only once and are valid for a limited time.
With this app, you can register a particular application, a Gmail account, or another service to use token codes.
In this post, we will use the Google Authenticator app to log in to Kali Linux and Ubuntu.
Kali Linux normally uses a graphical login. Use the default username root and password toor to log in as root; you may have changed these credentials during installation.
Prepare the Linux kernel
In all Linux distributions, before installing any program or package, the system kernel must be up to date.
You may encounter an error while installing Google Authenticator; for this reason, go through the steps below first. First, install the gedit text editor.
Of course, you do not need to install gedit; you can use vim, the default Kali editor. With gedit, open the sources.list file and apply the changes.
The sources.list file lists the Kali Linux repositories used to update the operating system; Kali is updated from these sources.
Kali Linux is based on Debian; therefore, each source line begins with deb. Add the following entries to the end of this list and save the file.
You must update the kernel with each change you make to the system; use the command below to update.
After updating the kernel, it is time to install the headers. The headers in the sources.list file must be identified by the kernel; use the following command.
If you have already updated your system, you do not need to repeat these commands. Note that all of these commands also work on Ubuntu.
If you use Red Hat, Fedora, or CentOS, the commands will be different, and you’ll need to use yum instead of apt-get.
Install Google Authenticator
All of these steps were tested on Ubuntu on April 14, with the Unity user interface and the LightDM login manager. The procedure is the same in other distributions.
You can also set up two-step authentication for the SSH service, but for desktop logins you must install the PAM software, that is, the authentication module, to run this feature.
PAM (Pluggable Authentication Modules) is a system that lets Linux use various authentication methods.
In Ubuntu, the following command installs Google’s PAM software. Open a terminal window and enter it.
You will probably need to enter a password; note that in Kali you are the root user by default, so you do not need to enter one.
You can install it in Kali in the same way.
Generate Authentication Codes
At this point, a code must be generated on the Linux system so that you can enter it in the Google Authenticator app. To do this, open a terminal on your system and enter the following command:
In this step, you will be asked a number of questions about time-limited code generation; answer y, which means yes, to all of them. At the end, your system will provide the special code as below.
If multiple users use the system, repeat all these steps for each one.
Install the Google Authenticator app on your phone; after installing it, enter the generated code in the app.
As shown in Figure 3, enter the code generated on the Kali system; the app then produces a time-limited token. You will use this token to log in to the system.
As mentioned earlier, this method can also be used for logins over the SSH service, but because this post covers the graphical logon, some unwanted problems may occur. To avoid these problems, follow the steps below.
One of these problems is logging in through the Linux terminal: you can log in without using the graphical interface.
Configured as described, the check applies only to the graphical interface, so someone who has access to your system can get in through the terminal without needing an authentication code.
To resolve this issue, run the following commands in the Ubuntu system with the LightDM login interface.
This command opens the lightdm file containing the login settings. Inside this file add the following code:
auth required pam_google_authenticator.so nullok
If nullok is present on this line, even users who do not have an authentication code can log in.
To avoid this, delete nullok and save the lightdm file. From now on, only users with an authentication code can log in.
After entering the Ubuntu password, you will see the above page. You can pass this step with the code that the app generates.
If you selected Home Directory Encryption while installing Ubuntu, you may have trouble at this stage. Choosing this option encrypts the home directory, the place where the system files are located in Linux.
Since the PAM software keeps its token files in this directory, the encryption may interfere with it.
For this reason, in systems where Home Directory Encryption is not active, the authentication app will work better.
We have enabled Google’s authentication only for the graphical interface, so in the event of a problem with the PAM service, the system can still be entered through the terminal.
To prevent logging in by the terminal, first press Ctrl + Alt + F2 to open a virtual terminal and log in with the username and password of your Ubuntu account. Enter the following command in the terminal:
sudo nano /etc/pam.d/lightdm
This command opens the lightdm file; clear the line that was added in the steps above. In the nano editor, press Ctrl + X, then enter y.
If you want to increase login security, you must also make changes to the PAM file. After you add the following line, the authentication code must be entered for every login type:
auth required pam_google_authenticator.so
Note that if you add this line and have access to the code generated by the application, you can delete nullok from the end of the line if you do not want other network users to log in.
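The two configuration pitfalls described above (the module enabled only for lightdm, and nullok left on the line) can be checked mechanically. The Python sketch below is an added example, not part of the original article or of the PAM project; the file contents are constructed, and the service names login, sshd and common-auth are assumed to be the usual Debian/Ubuntu files under /etc/pam.d.

```python
import re

# PAM rule: type, control (plain word or [bracketed]), module, arguments.
RULE = re.compile(r"^-?(\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")
MODULE = "pam_google_authenticator.so"

def auth_rules(service, files, seen=None):
    """Yield (control, module, args) for auth rules, following includes."""
    seen = set() if seen is None else seen
    if service in seen or service not in files:
        return
    seen.add(service)
    for raw in files[service].splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments
        parts = line.split()
        if len(parts) == 2 and parts[0] == "@include":   # Debian/Ubuntu syntax
            yield from auth_rules(parts[1], files, seen)
            continue
        m = RULE.match(line)
        if not m or m.group(1) != "auth":
            continue
        if m.group(2) in ("include", "substack"):
            yield from auth_rules(m.group(3), files, seen)
        else:
            yield m.group(2), m.group(3), m.group(4).split()

def audit(files, services):
    """Map each service to 'no-otp', 'otp-optional' or 'otp-enforced'."""
    report = {}
    for service in services:
        report[service] = "no-otp"
        for control, module, args in auth_rules(service, files):
            if module.endswith(MODULE):
                strict = control in ("required", "requisite") and "nullok" not in args
                report[service] = "otp-enforced" if strict else "otp-optional"
                break
    return report

# Constructed file contents keyed by name under /etc/pam.d (not from a real host).
COMMON = "auth [success=1 default=ignore] pam_unix.so nullok\nauth requisite pam_deny.so\n"
GUI_ONLY = {
    "common-auth": COMMON,
    "lightdm": "@include common-auth\nauth required pam_google_authenticator.so nullok\n",
    "login": "@include common-auth\n",
    "sshd": "@include common-auth\n",
}
EVERYWHERE = dict(GUI_ONLY, lightdm="@include common-auth\n")
EVERYWHERE["common-auth"] = COMMON + "auth required pam_google_authenticator.so\n"

if __name__ == "__main__":
    for name, files in (("GUI only", GUI_ONLY), ("all logins", EVERYWHERE)):
        print(name, audit(files, ["lightdm", "login", "sshd"]))
```

Note that the nullok on the pam_unix.so line is a different option (it permits empty passwords) and is deliberately not counted; only the argument on the pam_google_authenticator.so line decides whether the code is mandatory.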