TL;DR
Log in as root with the password and a verification code obtained from the Google Authenticator mobile app.
Intro
I really like the two-step (or two-factor) authentication idea. I use it everywhere I can (Google accounts, Bitstamp, Facebook…), so I got this idea: logging in as root would require the correct user's password and a verification code obtained from my phone. I found a very easy-to-use solution: Google Authenticator.
It’s an open-source project (Apache License 2.0), so if you’re paranoid go and check that it doesn’t contain a backdoor ;) The Authenticator app generates a time-based one-time password (the verification code: six digits derived from a shared secret and the current 30-second time slot, as specified in RFC 6238) that users must enter in addition to their password.
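How that verification code is produced and checked, as an added example (this is not code from the original post or from the Google Authenticator project): a small Python implementation of the time-based one-time password (RFC 6238 with HMAC-SHA1, 30-second steps and 6 digits, which is what the "time based" key type means), plus a parser for the ~/.google_authenticator file the google-authenticator tool writes. The file layout assumed here (base32 secret on the first line, option lines starting with a double quote, then the emergency scratch codes) and the WINDOW_SIZE option follow the PAM module's documentation; the sample file is constructed, and its secret is the RFC 6238 test key so the output can be compared with the RFC's published vectors.

```python
import base64
import hashlib
import hmac
import struct
import time

# Constructed sample of ~/.google_authenticator as the google-authenticator
# tool writes it: first line is the base32 secret, lines starting with '"'
# are options, the remaining lines are single-use emergency (scratch) codes.
# The secret is base32("12345678901234567890"), the RFC 6238 test key; not real.
SAMPLE_SECRET_FILE = """\
GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ
" RATE_LIMIT 3 30
" WINDOW_SIZE 3
" DISALLOW_REUSE
" TOTP_AUTH
12345678
87654321
"""


def parse_secret_file(text):
    """Split the file into (key bytes, option strings, scratch codes)."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    b32 = lines[0]
    options = [ln[1:].strip() for ln in lines[1:] if ln.startswith('"')]
    scratch = [ln for ln in lines[1:] if not ln.startswith('"')]
    # the tool writes the secret without '=' padding; b32decode requires it
    key = base64.b32decode(b32 + "=" * (-len(b32) % 8), casefold=True)
    return key, options, scratch


def totp(key, unix_time, step=30, digits=6):
    """RFC 6238: HMAC-SHA1 over the 30-second counter, dynamically truncated."""
    counter = struct.pack(">Q", int(unix_time) // step)
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    number = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return "%0*d" % (digits, number % 10 ** digits)


def window_size(options, default=3):
    """WINDOW_SIZE from the option lines, or the module's default of 3."""
    for opt in options:
        fields = opt.split()
        if fields[:1] == ["WINDOW_SIZE"] and len(fields) > 1:
            return int(fields[1])
    return default


def verify_code(key, submitted, unix_time, window=3, step=30):
    """True if `submitted` equals the code of one of `window` consecutive steps
    centred on the current one (window 3 = previous, current and next code),
    which tolerates a little clock skew between phone and server."""
    submitted = submitted.strip()
    if not (submitted.isdigit() and len(submitted) == 6):
        return False
    half = window // 2
    return any(
        hmac.compare_digest(totp(key, unix_time + d * step, step), submitted)
        for d in range(-half, half + 1)
    )


def verify_scratch(scratch, submitted):
    """Emergency codes are single use: accept and burn on first match."""
    submitted = submitted.strip()
    if submitted in scratch:
        scratch.remove(submitted)
        return True
    return False


def verify(text, submitted, unix_time):
    """Check the time-based code first, then fall back to the scratch codes.
    Returns (accepted, remaining scratch codes); a real implementation must
    write the shortened scratch list back to the file."""
    key, options, scratch = parse_secret_file(text)
    if verify_code(key, submitted, unix_time, window_size(options)):
        return True, scratch
    return verify_scratch(scratch, submitted), scratch


if __name__ == "__main__":
    key, options, scratch = parse_secret_file(SAMPLE_SECRET_FILE)
    print("current code for the sample secret:", totp(key, time.time()))
    print("window:", window_size(options), "scratch codes left:", len(scratch))
```

Rate limiting and DISALLOW_REUSE (refusing a code that has already been used once) are left out here; the PAM module implements both, and without the latter an attacker who shoulder-surfs a code can replay it within the same 30-second window.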
I access my server via password-less SSH login (ssh alterego@my.server) and then log in as root (su -). I set up Google Authenticator to ask for a verification code after the correct root password has been entered. Let’s do that right now.
Installation and usage
Install the PAM module package: libpam-google-authenticator.
Log in as root and run google-authenticator. It generates a secret key and emergency scratch codes (useful if you lose your phone) and stores them in root’s home directory as ~/.google_authenticator, readable only by root. On your phone, add an account with the generated secret key (choose the ‘time based’ key type).
Then append this line to the end of /etc/pam.d/su, after the existing auth entries, so the password is checked first:
auth required pam_google_authenticator.so
Now everything should be set up. Keep your current root shell open and test from a second session: if root has no ~/.google_authenticator file, the module fails the authentication (unless you add the nullok option) and su stops working.
- You’re logged in as a regular user
- Fire su -
- Enter root’s password
- Enter the verification code from your phone
- ???
- Profit.
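The checks I would run before trusting the setup above, as an added example that is not from the original post or from the Google Authenticator project: a small Python helper that appends the auth line once and only once, confirms it sits after the password check (@include common-auth or pam_unix.so), warns about nullok, and verifies that the enrolled secret file exists, is owned by the right user, is not readable by group or others (the module refuses files that are), and starts with a valid base32 secret. The /etc/pam.d/su sample is a constructed Debian-style stack, the secret-file path /root/.google_authenticator is assumed, and the "mode must be 0400" check mirrors what the google-authenticator tool writes rather than a wider set of modes the module might also accept.

```python
import base64
import os
import stat
import tempfile

MODULE = "pam_google_authenticator.so"
PAM_LINE = "auth required " + MODULE

# Constructed sample of a Debian-style /etc/pam.d/su before the change.
SAMPLE_SU = """\
# /etc/pam.d/su
auth       sufficient pam_rootok.so
session    required   pam_env.so readenv=1
session    required   pam_env.so readenv=1 envfile=/etc/default/locale
@include common-auth
@include common-account
@include common-session
"""


def _entries(config_text):
    """Non-empty, non-comment lines split into fields."""
    rows = [ln.split() for ln in config_text.splitlines()]
    return [f for f in rows if f and not f[0].startswith("#")]


def enable_otp(config_text):
    """Append the module line once, at the end, so the password is asked first."""
    if any(f[0] == "auth" and MODULE in f for f in _entries(config_text)):
        return config_text
    return config_text.rstrip("\n") + "\n" + PAM_LINE + "\n"


def check_stack(config_text):
    """List problems with the su auth stack; an empty list means it looks right."""
    rows = _entries(config_text)

    def find(pred):
        return next((i for i, f in enumerate(rows) if pred(f)), None)

    otp = find(lambda f: f[0] == "auth" and MODULE in f)
    pw = find(lambda f: f[:2] == ["@include", "common-auth"]
              or (f[0] == "auth" and "pam_unix.so" in f))
    if otp is None:
        return ["%s is not in the auth stack" % MODULE]
    problems = []
    if rows[otp][1] not in ("required", "requisite"):
        problems.append("control flag %r: use required so a wrong code always fails"
                        % rows[otp][1])
    if "nullok" in rows[otp]:
        problems.append("nullok lets any account without a secret file skip the code")
    if pw is not None and otp < pw:
        problems.append("module runs before the password check; move it after common-auth")
    return problems


def check_secret_file(path, owner_uid=0):
    """List problems with the enrolled secret file (default: root's, uid 0)."""
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return ["%s is missing: without nullok every su to this account will fail" % path]
    except OSError as exc:
        return ["cannot stat %s: %s" % (path, exc.strerror)]
    problems = []
    if st.st_uid != owner_uid:
        problems.append("file is not owned by uid %d" % owner_uid)
    mode = stat.S_IMODE(st.st_mode)
    if mode & 0o077:
        problems.append("mode is %o, must be 0400" % mode)
    with open(path) as fh:
        first = fh.readline().strip()
    try:
        base64.b32decode(first + "=" * (-len(first) % 8), casefold=True)
    except ValueError:
        problems.append("first line is not a base32 secret")
    return problems


def demo_secret_check():
    """Constructed secret file checked with a lax mode and then the right one."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, ".google_authenticator")
        with open(path, "w") as fh:
            fh.write('GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ\n" TOTP_AUTH\n12345678\n')
        os.chmod(path, 0o644)
        lax = check_secret_file(path, owner_uid=os.getuid())
        os.chmod(path, 0o400)
        good = check_secret_file(path, owner_uid=os.getuid())
    return lax, good


if __name__ == "__main__":
    fixed = enable_otp(SAMPLE_SU)
    print(fixed)
    print("stack problems:", check_stack(fixed))
    print("secret file problems:", check_secret_file("/root/.google_authenticator"))
```

Run it as root on the real files (read /etc/pam.d/su, pass it through enable_otp, write it back, then check_stack and check_secret_file) while a second root shell stays open; only once both checks return empty lists should you close the spare session.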