Sunday, October 4, 2015

Adding Two-Factor Auth to Fedora 22

This works with other distros with a little tweaking. If you are interested in two-factor authentication on your Linux login, here are the steps. I am going to assume you are using full disk encryption with your Fedora installation. If not... then you really should.

1. Open Terminal with root privileges.
2. yum install google-authenticator

Once installed you will need to configure google authenticator. Run the following command in terminal. This can be run without root privileges. 

google-authenticator

You will be prompted to scan the QR code, or you can enter the secret key into the Google Authenticator app on your mobile phone. Once you are finished configuring the app, make sure you save and encrypt your emergency scratch codes in case you ever lose your mobile phone.

When presented with installation questions, just choose Y for them unless you have a reason to deviate from the defaults.

Once you are finished you will need to edit the following. I edited mine with vi. 

/etc/pam.d/gdm-password


Add the following line to gdm-password:

auth required pam_google_authenticator.so


If you are editing the file with vi, once you are finished hit the ESC key followed by this:

:x

This will save your config. Once done, reboot your Fedora install. With luck you will type in the password for your Linux account and then be asked for a verification code as shown below.




Update1:
Good point from a fellow Twitter follower. Two-factor auth is not present if you do a Ctrl + Alt + F3 and log in under the terminal if your account is compromised. Will put a fix for that up later. Enjoy!

Update2:
Let's say you want to add this for a secure shell host. Easy enough to do. I disable SSH on my Fedora box since I am using it for desktop functions and not server-class functions.

Edit in VI:
/etc/pam.d/sshd

Add the following line. 
auth required pam_google_authenticator.so

Edit in VI:
/etc/ssh/sshd_config 

Add the following line.
ChallengeResponseAuthentication yes

Restart the box. 
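
As an added example (not part of the original post), the shell script below reports which PAM service files never reference pam_google_authenticator.so, which makes the console gap from Update1 visible, and checks the sshd_config setting from Update2. The function names, the constructed sample files and the use of login as the text console's PAM service file are assumptions of this example.

```shell
#!/bin/sh
# Added example: report which PAM services never call pam_google_authenticator.so.
# Limitation (assumption): only direct references in the service file are seen,
# not ones pulled in through include/substack.

# has_totp FILE: succeeds if FILE has an uncommented auth line naming the module.
has_totp() {
    grep -Eq '^[[:space:]]*auth[[:space:]].*pam_google_authenticator\.so' "$1" 2>/dev/null
}

# missing_totp PAM_DIR SERVICE...: prints the services that lack the module.
missing_totp() {
    dir=$1; shift
    out=""
    for svc in "$@"; do
        has_totp "$dir/$svc" || out="$out $svc"
    done
    echo "${out# }"
}

# ssh_challenge_yes SSHD_CONFIG: succeeds only if the first uncommented
# ChallengeResponseAuthentication line says yes (sshd uses the first value set).
# A file that never sets the keyword is reported as not enabled.
ssh_challenge_yes() {
    val=$(awk 'tolower($1) == "challengeresponseauthentication" { print tolower($2); exit }' "$1")
    [ "$val" = "yes" ]
}

# make_fixture: constructed sample files mirroring the state after the post's
# steps: gdm-password and sshd edited, console login untouched.
make_fixture() {
    d=$(mktemp -d)
    mkdir "$d/pam.d"
    printf 'auth substack password-auth\nauth required pam_google_authenticator.so\n' > "$d/pam.d/gdm-password"
    printf 'auth required pam_sepermit.so\nauth required pam_google_authenticator.so\n' > "$d/pam.d/sshd"
    printf 'auth substack system-auth\n#auth required pam_google_authenticator.so\n' > "$d/pam.d/login"
    printf '#ChallengeResponseAuthentication no\nChallengeResponseAuthentication yes\n' > "$d/sshd_config"
    echo "$d"
}

fx=$(make_fixture)
echo "services without TOTP: $(missing_totp "$fx/pam.d" gdm-password sshd login)"
ssh_challenge_yes "$fx/sshd_config" && echo "sshd challenge-response: yes"
rm -rf "$fx"
```

On a real system the same functions can be pointed at /etc/pam.d and /etc/ssh/sshd_config instead of the sample directory.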









