Cinan's world

GNU/Linux & free software, howtos, web development, scripts and other geek stuff

‘$ su -’ With Two-Step Authentication

TL;DR

Log in with the user’s password plus a verification code obtained from the Google Authenticator mobile app.

Intro

I really like the two-step (or two-factor) authentication idea. I use it everywhere I can (Google accounts, Bitstamp, Facebook…), so I got this idea: logging in as root should require both the correct user’s password and a verification code obtained from my phone. I found a very easy-to-use solution: Google Authenticator.
It’s an open-source project (Apache License 2.0), so if you’re paranoid, go and check that it doesn’t contain a backdoor ;) The Authenticator app provides a time-based one-time password (the verification code) that users must enter in addition to their password.

I access my server via password-less ssh login (ssh alterego@my.server) and then log in as root (su -). I set up Google Authenticator to ask for a verification code after the correct root password has been entered. Let’s do that right now.

Installation and usage

Install the PAM library and tools: libpam-google-authenticator. Log in as root and run google-authenticator. It generates a secret key and emergency scratch codes (useful if you lose your phone). On your phone, enter the generated secret key into the app (the key type is ‘time based’).

Then append this line at the end of /etc/pam.d/su:

auth required pam_google_authenticator.so

Now everything should be set up.

  1. You’re logged in as a regular user
  2. Fire su -
  3. Enter your password
  4. Enter verification code from your phone
  5. ???
  6. Profit.
