Google authenticator – Securing your Google accounts and your favorite Linux

Google authenticator is a Google project implementing TFA (Two Factor Authentication). TFA is a way (as the name suggests) to authenticate with two factors. When you authenticate to GMail with only a username and password, that’s called one factor authentication (the password). If your password has been compromised, anyone who knows it can gain access to your GMail account and to all the private data there.

Enter Google authenticator. Google authenticator presents a new way to log in to your Google account, protecting all your precious data. When you type in your username and password, a second prompt appears, asking you for your OTP (one time password) – the second authentication factor.

An OTP is a password with limited validity. OTPs can be divided into two categories:

  1. Time based – valid for a certain time; in Google’s implementation, 30 seconds
  2. Mathematical algorithm based – which you can read about here

This means that the password generated by the application (on iOS, Android, or BlackBerry) is only valid for 30 seconds. In order to log in to your GMail account, you need to know both the password and the OTP. When enabling TFA on your Google account you are required to install an application on your mobile phone and scan a QR code with it. Then, when you want to log in to your account, after the username/password step you launch this application and read off the OTP.

You can ask Google to remember a computer for 30 days, meaning that for the next 30 days you won’t need to supply the OTP code when logging in to your GMail account from that same computer.

Related links:

  • Google accounts TFA on Google official blog
  • TFA in general and the various available factors (such as password & OTP in this example) on Wikipedia

This post is not about Google account TFA, as great as it may be. What I love about Google is their contribution to the Open Source community. The entire Google Authenticator code is released under the Apache license. This includes the applications for iOS, Android and BlackBerry, and for dessert, there’s even a PAM module available for us to use on our favorite Linux distribution.

The potential of this PAM module is huge. I’ll be playing with it on my home Debian server.

I’m old school. I use “su -” instead of “sudo”. The “wget”, “tar” and “make” commands can be done as a regular user as well.

  1. Download the PAM module source code
    # wget http://google-authenticator.googlecode.com/files/libpam-google-authenticator-1.0-source.tar.bz2
    
  2. Extract it
    # tar xvfj libpam-google-authenticator-1.0-source.tar.bz2
    
  3. Enter the directory, compile it and install it
    # cd libpam-google-authenticator-1.0
    # make
    # make install
    

    For compiling software on Debian you need several GNU tools, such as make, gcc, libc-dev etc.
    Debian has them packaged for you in the “build-essential” package. If this step fails, simply install it by issuing “apt-get install build-essential”.

  4. Configure your default PAM authentication to support the new module.
    We’ll also be configuring it as non-mandatory (the “nullok” option below), meaning that users who don’t have it set up will still be able to log in to the system. Edit /etc/pam.d/common-auth with your favorite text editor, find the following line:

    auth    [success=1 default=ignore]      pam_unix.so nullok_secure

    and replace it with:

    auth    required        pam_google_authenticator.so     nullok forward_pass
    auth    [success=1 default=ignore]      pam_unix.so nullok_secure try_first_pass
    
  5. Log in to your user, run “google-authenticator” from the shell and follow the instructions
  6. After you’re done setting it up, simply log in to your machine, but instead of using your regular password, use “<password><otp>”. For example, if my password is “sIkp18jt” and the OTP is 618089, I’ll log in with “sIkp18jt618089”
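To make the time-based OTP from the list above and the “<password><otp>” format of step 6 concrete, here is an added Python example. It is not part of the original post and is not code from Google’s PAM module: it implements RFC 6238 TOTP (HMAC-SHA1, 30-second steps, 6 digits) on top of RFC 4226 HOTP, decodes the unpadded Base32 secret that the google-authenticator tool prints, splits a forwarded password into its password and OTP parts, and verifies the OTP with a one-step tolerance for clock drift. The function names, the sample secret (the RFC 6238 test key, Base32-encoded) and the sample passwords are my own constructed values.

```python
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional, Tuple


def decode_base32_secret(secret_b32: str) -> bytes:
    """Decode the unpadded Base32 secret shown by google-authenticator
    (and embedded in its QR code) into raw key bytes."""
    cleaned = secret_b32.strip().replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)  # restore the padding Base32 requires
    return base64.b32decode(cleaned)


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian 8-byte counter,
    then dynamic truncation to a fixed number of decimal digits."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, now: Optional[float] = None, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step)."""
    if now is None:
        now = time.time()
    return hotp(secret, int(now) // step, digits)


def split_forwarded_password(combined: str, digits: int = 6) -> Tuple[str, str]:
    """Split "<password><otp>" (what you type in step 6) into (password, otp).
    The OTP is the fixed-length all-digit suffix; the rest is the password."""
    if len(combined) <= digits or not combined[-digits:].isdigit():
        raise ValueError("input does not end in a %d-digit OTP" % digits)
    return combined[:-digits], combined[-digits:]


def verify_totp(secret: bytes, candidate: str, now: Optional[float] = None,
                step: int = 30, window: int = 1) -> bool:
    """Accept the code of the current step or of any step within +/- window,
    so a phone whose clock drifts by a few seconds still works.
    Comparison is constant-time to avoid leaking digits by timing."""
    if now is None:
        now = time.time()
    counter = int(now) // step
    expected = candidate.encode()
    return any(
        hmac.compare_digest(hotp(secret, counter + delta).encode(), expected)
        for delta in range(-window, window + 1)
    )


if __name__ == "__main__":
    # Constructed sample: RFC 6238 test key "12345678901234567890" in Base32,
    # combined with the password used as an example in the post.
    SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
    secret = decode_base32_secret(SECRET_B32)
    code = totp(secret)
    password, otp = split_forwarded_password("sIkp18jt" + code)
    print("password:", password, "otp:", otp, "valid:", verify_totp(secret, otp))
```

With the RFC test key, `totp(secret, now=59)` returns 287082, the published RFC 6238 vector truncated to 6 digits. In the real setup the PAM module does the splitting itself when “forward_pass” is given, passing the password part on to pam_unix (which picks it up via “try_first_pass”); the split here just shows what that option does with what you type.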

Some of you may ask why you need this when you can use public key authentication with SSH. The first reason is that you can use this with any software that supports PAM authentication (such as the Apache web server, or a FreeRADIUS server). A second reason might be that you’re logging in to your server from public computers; plugging a disk-on-key holding your private key into a public computer is not a wise thing to do. The third reason is – it’s cool!

P.S.: The implementation is presented nicely on Wikipedia. If it interests you how it’s being done, take a look here.

Hope you’ve learned something new from this post,
Omri.


2 Responses to Google authenticator – Securing your Google accounts and your favorite Linux

  1. benjgos says:

    Nice!
    I was not aware that they had PAM modules for the authenticator. Very cool implementation. 🙂
    Still, I have issues with using the Google Authenticator.
    I’ve used plenty of SW and HW authenticators before, both in work places and online gaming (WoW & SWTOR for example), and when something goes wrong, such as the HW authenticator dying or you wiping/losing your phone with the SW authenticator on it, you have someone you can call for support.

    Does 1-800-GOO-GLE work yet? 😛

    • omribahumi says:

      Well, if you’re using it for Google accounts you have two ways to recover:
      1. When activating you’re requested to input a rescue phone number. If you lost your phone they can send you an SMS or issue a voice call with the code.
      2. You get about 10 codes that each of them can be used once (they’re long enough, so it doesn’t miss the point of securing your account). You can print them or write them down somewhere in case of emergency.
