Add One-Time Password to Linux Login


Linux uses PAM for user authentication, so look at /etc/pam.d/common-auth and you'll see the default Unix password authentication library, pam_unix.so.

To chain authentication libraries, mark the last one as sufficient and all the others as required.

Before changing the configuration, keep an active session open (a second terminal or SSH session), because you won't be able to log in if you make a mistake.

Google Authenticator PAM Library

On Debian, install it with

sudo apt-get install libpam-google-authenticator -y

Then add this line:

auth sufficient pam_google_authenticator.so

to /etc/pam.d/common-auth after the pam_unix.so line, and change the control flag of pam_unix.so to required.

The config will look like this:

# /etc/pam.d/common-auth
auth required pam_unix.so nullok_secure
auth sufficient pam_google_authenticator.so
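To see why the order and the control flags matter, here is a small Python model of how Linux-PAM walks an auth stack. This is an added illustration, not code from the post or from Linux-PAM itself; it only models required, requisite and sufficient (no [value=action] syntax, no optional, no PAM_IGNORE results), treats pam_deny.so as always failing and pam_permit.so as always succeeding, and assumes the module names pam_unix.so and pam_google_authenticator.so. It evaluates the post's two lines on their own, and the same two lines followed by the `auth requisite pam_deny.so` / `auth required pam_permit.so` tail that Debian's stock common-auth ends with.

```python
# Toy model of how Linux-PAM evaluates an "auth" stack with the simple
# control flags required / requisite / sufficient. Added illustration, not
# code from the post; it does not cover the [value=action] syntax, "optional",
# or PAM_IGNORE results.
from typing import Dict, List, Tuple

Stack = List[Tuple[str, str]]  # (control flag, module name), in file order

# The two lines from the post (assumed module names pam_unix.so and
# pam_google_authenticator.so).
POST_STACK: Stack = [
    ("required", "pam_unix.so"),
    ("sufficient", "pam_google_authenticator.so"),
]

# The same two lines followed by the pam_deny.so / pam_permit.so tail that
# Debian's stock common-auth ends with.
DEBIAN_STYLE_STACK: Stack = POST_STACK + [
    ("requisite", "pam_deny.so"),
    ("required", "pam_permit.so"),
]


def module_result(module: str, results: Dict[str, bool]) -> bool:
    """pam_deny.so always fails and pam_permit.so always succeeds; anything
    else takes its (simulated) verdict from `results`."""
    if module == "pam_deny.so":
        return False
    if module == "pam_permit.so":
        return True
    return results[module]


def evaluate_auth_stack(stack: Stack, results: Dict[str, bool]) -> bool:
    """Return True if the stack grants access."""
    required_failed = False
    for control, module in stack:
        ok = module_result(module, results)
        if control == "required":
            # Failure is remembered but the walk continues, so the user
            # gets no hint about which module rejected them.
            required_failed = required_failed or not ok
        elif control == "requisite":
            # Failure stops the walk immediately.
            if not ok:
                return False
        elif control == "sufficient":
            # Success ends the walk with PAM_SUCCESS unless an earlier
            # required module already failed; a failure is simply ignored.
            if ok and not required_failed:
                return True
        else:
            raise ValueError(f"unsupported control flag: {control}")
    return not required_failed


def decision_matrix(stack: Stack) -> Dict[Tuple[bool, bool], bool]:
    """Outcome for every combination of (password ok, OTP ok)."""
    matrix = {}
    for pw_ok in (True, False):
        for otp_ok in (True, False):
            verdicts = {"pam_unix.so": pw_ok, "pam_google_authenticator.so": otp_ok}
            matrix[(pw_ok, otp_ok)] = evaluate_auth_stack(stack, verdicts)
    return matrix


if __name__ == "__main__":
    for name, stack in (("post's two lines only", POST_STACK),
                        ("with Debian's pam_deny.so tail", DEBIAN_STYLE_STACK)):
        print(name)
        for (pw_ok, otp_ok), granted in decision_matrix(stack).items():
            verdict = "allow" if granted else "deny"
            print(f"  password ok={pw_ok!s:5} otp ok={otp_ok!s:5} -> {verdict}")
```

Running it shows the check worth making: with the two lines alone, a correct password and a wrong OTP still lands on "allow", because a failing sufficient module is ignored and nothing after it denies. The pam_deny.so line further down the stock common-auth is what turns that case into "deny", so leave the rest of the file in place below the new entry and confirm the wrong-OTP case from your spare session.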

Finally, run google-authenticator (as the user who will be logging in) to generate a TOTP secret and its otpauth:// URL; any authenticator app or program can use it (I recommend pass-otp).
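What the authenticator app does with that URL is plain RFC 4226 HOTP / RFC 6238 TOTP. The following Python is an added example, not code from the post or from the google-authenticator project: it extracts the base32 secret from an otpauth://totp URL, computes the 6-digit code for a given Unix time, and verifies a submitted code with a small drift window. The URL is constructed for illustration and carries the RFC 4226/6238 test secret "12345678901234567890"; the label and issuer are made up.

```python
# RFC 4226 HOTP / RFC 6238 TOTP, as an authenticator app computes them from
# the secret in the otpauth:// URL that google-authenticator prints.
# Added example, not code from the post or from the google-authenticator
# project; the URL below is constructed for illustration.
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import parse_qs, urlparse

# Constructed: the RFC 4226/6238 test secret "12345678901234567890" in base32,
# wrapped in the URL shape google-authenticator emits. A real secret must be
# handled like a password.
EXAMPLE_URL = ("otpauth://totp/alice@example-host"
               "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=example-host")


def secret_from_url(url: str) -> bytes:
    """Pull the base32 secret out of an otpauth://totp/... URL."""
    parsed = urlparse(url)
    if parsed.scheme != "otpauth" or parsed.netloc != "totp":
        raise ValueError("not an otpauth://totp URL")
    b32 = parse_qs(parsed.query)["secret"][0].strip().upper()
    b32 += "=" * (-len(b32) % 8)  # re-add the padding the URL usually omits
    return base64.b32decode(b32)


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP: HMAC-SHA1 over the big-endian 8-byte counter, dynamically truncated."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """TOTP: HOTP with counter = floor(unix time / step)."""
    return hotp(secret, at // step, digits)


def verify(secret: bytes, code: str, at: int, window: int = 1, step: int = 30) -> bool:
    """Accept a code for the current step or up to `window` steps either side
    (clock drift), comparing in constant time. google-authenticator asks about
    the same tolerance window when you run it."""
    return any(
        hmac.compare_digest(totp(secret, at + i * step, step), code)
        for i in range(-window, window + 1)
    )


if __name__ == "__main__":
    secret = secret_from_url(EXAMPLE_URL)
    now = int(time.time())
    print("current code:", totp(secret, now))
    print("verifies:", verify(secret, totp(secret, now), now))
```

Because the code depends only on the shared secret and the clock, the two things that actually protect the login are the secrecy of ~/.google_authenticator (it is readable by the user only) and keeping the server's clock in sync; a large drift window weakens the scheme, so keep it small.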

Try to log in again (for example with ssh username@localhost); it should ask for an OTP after the password. For SSH to show that prompt, sshd must have UsePAM yes and keyboard-interactive authentication enabled (ChallengeResponseAuthentication yes, called KbdInteractiveAuthentication in newer OpenSSH).


