HxHippy

Two-Factor Authentication

Implementing TOTP and other 2FA methods for Linux systems.

Last updated: 2025-01-15

Add an extra layer of security with TOTP-based 2FA.

Google Authenticator PAM

Installation

# Debian/Ubuntu
sudo apt install libpam-google-authenticator

# RHEL/CentOS
sudo dnf install google-authenticator

# Arch
sudo pacman -S libpam-google-authenticator

User Setup

# Run as the user who needs 2FA
google-authenticator

# Answer the prompts:
# - Time-based tokens? y
# - Update ~/.google_authenticator? y
# - Disallow multiple uses? y
# - Increase time window? n
# - Enable rate-limiting? y

# Scan the QR code with your authenticator app

PAM Configuration

# /etc/pam.d/sshd - Add near the top
auth required pam_google_authenticator.so nullok

# Options:
# nullok                 = Allow users who have not yet run google-authenticator to log in without a code
# no_increment_hotp      = Don't advance the HOTP counter on a failed attempt (counter-based mode only)
# echo_verification_code = Echo the code as it is typed (off by default)

SSH Configuration

# /etc/ssh/sshd_config
# (OpenSSH 8.7+ calls this KbdInteractiveAuthentication; the old name is still accepted as an alias)
ChallengeResponseAuthentication yes
AuthenticationMethods publickey,keyboard-interactive
UsePAM yes

# Restart SSH (the unit is named "ssh" on Debian/Ubuntu, "sshd" elsewhere)
sudo systemctl restart sshd

Key + 2FA Authentication

# /etc/ssh/sshd_config
# Require both SSH key AND 2FA code
AuthenticationMethods publickey,keyboard-interactive:pam

# /etc/pam.d/sshd
# Comment out @include common-auth so a password cannot stand in for the second factor
# Add (without nullok, so every user must have 2FA enrolled):
auth required pam_google_authenticator.so

YubiKey / Hardware Tokens

PAM U2F Setup

# Install
sudo apt install libpam-u2f

# Register key (as user)
mkdir -p ~/.config/Yubico
pamu2fcfg > ~/.config/Yubico/u2f_keys

# Add to PAM
auth required pam_u2f.so

Backup Codes

# During google-authenticator setup, save the emergency codes
# Store them securely offline!

# To regenerate:
google-authenticator --force

# Secret and remaining emergency codes are stored here (must be mode 0400; each code is single-use)
~/.google_authenticator
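To make concrete what the PAM module checks at login (the TOTP step from the User Setup prompts, the "increase time window" choice, single-use codes, and the secret file layout from the Backup Codes section), here is an added illustration that is not part of this page or of the google-authenticator project. It assumes the secret file layout (base32 secret, `"`-prefixed options, then one emergency code per line) and uses a constructed sample whose secret is the RFC 6238 test key.

```python
import base64
import hashlib
import hmac
import struct

# Constructed sample in the layout google-authenticator writes (an assumption
# about the format): base32 secret, `"`-prefixed options, then scratch codes.
SAMPLE_FILE = """GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ
" RATE_LIMIT 3 30
" WINDOW_SIZE 3
" DISALLOW_REUSE
" TOTP_AUTH
12345678
87654321
"""

def parse_secret_file(text):
    """Return (raw secret bytes, window size in 30 s steps, set of scratch codes)."""
    lines = text.strip().splitlines()
    secret = base64.b32decode(lines[0].strip())
    window, scratch = 3, set()           # 3 = current step plus one either side
    for line in lines[1:]:
        if line.startswith('" WINDOW_SIZE'):
            window = int(line.split()[2])
        elif not line.startswith('"') and line.strip().isdigit():
            scratch.add(line.strip())    # emergency codes, each single-use
    return secret, window, scratch

def hotp(secret, counter, digits=6):
    """RFC 4226: HMAC-SHA1 over the big-endian counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"

def totp(secret, now, step=30):
    """RFC 6238: HOTP with the counter derived from Unix time in 30 s steps."""
    return hotp(secret, int(now // step))

def verify(secret, window, code, now, step=30, used=None):
    """Return the matching time step or None. `used` mirrors DISALLOW_REUSE:
    a step that has already authenticated once is rejected a second time."""
    used = used if used is not None else set()
    centre, half = int(now // step), window // 2
    for idx in range(centre - half, centre + half + 1):
        # constant-time compare so timing does not leak which digits matched
        if hmac.compare_digest(hotp(secret, idx), code):
            if idx in used:
                return None
            used.add(idx)
            return idx
    return None
```

Answering "n" to the time-window prompt keeps WINDOW_SIZE at 3; a larger value widens the `range` above and lengthens the period during which a phished or shoulder-surfed code stays valid.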

2FA Methods Comparison

Method             Security   Convenience  Offline
TOTP App           Good       High         Yes
Hardware Key       Excellent  Medium       Yes
SMS                Poor       High         No
Push Notification  Good       High         No

Recommendation: TOTP app + SSH keys for servers.
