Add TOTP to Linux

This is a brief write-up on what I’ve done during tutorial assignment 2 of my system admin lecture.

So basically I was asked to add 2FA (TOTP) to an Ubuntu server environment. This can be done on desktop Linux distros as well, with a slight difference. By skimming through this tutorial published on Ubuntu Tutorials, I came up with the solution.

Fire up the terminal and type sudo apt update && sudo apt install libpam-google-authenticator. The former refreshes apt's package index; the latter installs the required application, google-authenticator, together with its PAM module.

After installation is done, launch google-authenticator; this will configure 2FA for the current user. Pressing Y for all questions is best for average users. You can scan the QR code image with your mobile app. Store the emergency recovery codes in safe places as well; they will come in handy when you lose access to the TOTP generator.

Next, change the specific PAM module configuration so that authentication requires 2FA along with the user password. (If the password and the TOTP were alternatives rather than both required, it would not be 2FA.)

To configure this, you need to understand how PAM syntax works. There are a lot of articles online, but I think this one by Red Hat explains things clearly. For Ubuntu Server, we want to change login, sudo and sshd; for desktop environments, sshd can be ignored; focus on your display manager's config, such as lightdm, instead. The procedures are fundamentally the same.

Type the following into the terminal and hit enter: sudo nano /etc/pam.d/sudo. This opens the PAM settings for sudo. Depending on your distro, things may look different here; refer to your distro's documentation for detailed instructions.

Look for the line @include common-auth. This line instructs the system to authenticate the user with a password. Insert the following below this line: auth required pam_google_authenticator.so

This instructs PAM to require a TOTP after you have verified yourself with your password. Press Ctrl + X and save the file.

To verify whether it is set up correctly, open a NEW terminal window and type the following command: sudo echo test

As you can see in the image above, after verifying the password, the system requires a TOTP from the user before executing the command. This indicates successful implementation of 2FA in sudo. Now you can do the same for the other pam.d services.
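The edit and the check above can be scripted so they are repeatable across login, sudo and sshd. The following is an added example and not part of the original post: a POSIX shell script that inserts the exact line from this write-up directly after @include common-auth, refuses to insert it twice, and reports whether a given PAM service file already enforces the module. The sample PAM file it generates is a constructed approximation of Ubuntu's /etc/pam.d/sudo, so the demo never touches the real system; the path argument for a real service file is something you supply yourself.

```shell
#!/bin/sh
# Added example (not the original post's code). Manage the
# "auth required pam_google_authenticator.so" line in a PAM service file.
# Defaults to a constructed sample file; pass a real /etc/pam.d/<service>
# path (with sudo) only after you have reviewed the output on a copy.

TOTP_LINE='auth required pam_google_authenticator.so'

# Return 0 if the file already has an active line requiring the module.
totp_enforced() {
  grep -Eq '^[[:space:]]*auth[[:space:]]+required[[:space:]]+pam_google_authenticator\.so' "$1"
}

# Insert TOTP_LINE directly after "@include common-auth", so the TOTP prompt
# comes only after the password check has succeeded (password AND TOTP).
# Returns: 0 inserted, 1 no "@include common-auth" line, 2 already present,
#          3 rewrite failed (file left untouched).
add_totp_line() {
  file="$1"
  totp_enforced "$file" && return 2
  grep -q '^@include common-auth' "$file" || return 1
  tmp="$file.tmp.$$"
  if awk -v line="$TOTP_LINE" '{ print } /^@include common-auth/ { print line }' \
       "$file" > "$tmp"; then
    mv "$tmp" "$file"
  else
    rm -f "$tmp"
    return 3
  fi
}

# Constructed approximation of Ubuntu's /etc/pam.d/sudo for offline testing.
make_sample() {
  cat > "$1" <<'EOF'
#%PAM-1.0

session    required   pam_env.so readenv=1 user_readenv=0
session    required   pam_env.so readenv=1 envfile=/etc/default/locale user_readenv=0
@include common-auth
@include common-account
@include common-session-noninteractive
EOF
}

# Usage: sh totp_pam.sh --demo   (runs against a temporary sample file)
if [ "${1:-}" = "--demo" ]; then
  sample=$(mktemp)
  make_sample "$sample"
  add_totp_line "$sample" && echo "inserted TOTP line:"
  cat "$sample"
  rm -f "$sample"
fi
```

Keep the original terminal open while you test in a new one, as the post says: if the inserted line is wrong, sudo can fail for every user and the open session is your way back in. The module also accepts a nullok option that skips the TOTP prompt for users who have not yet run google-authenticator; the script deliberately keeps the post's strict form, so enrol every sudo-capable account before applying it.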