Add One-Time Password to Linux Login

PAM

Linux uses PAM for user authentication, so look at /etc/pam.d/common-auth, and you'll see the default unix password authentication library pam_unix.so.

To chain authentication libraries, set the last library to sufficient and all others to required.

Before we change the configuration, be sure to keep an active session, b/c you won't be able to login if you make some mistake.

Google Authenticatior PAM Library

On debian, install it with

sudo apt-get install libpam-google-authenticator -y

And add this:

auth sufficient pam_google_authenticator.so

in /etc/pam.d/common-auth after pam_unix.so, and change the necessity of pam_unix.so to required.

The config will look like this:

# /etc/pam.d/common-auth
auth required pam_unix.so nullok_secure
auth sufficient pam_google_authenticator.so
...

Finally, run google-authenticator to generate a TOTP token url, and you can use any authenticator app or program for it(I recommend pass-otp).

Try to login again(you can do a login with ssh username@localhost), it should ask for an OTP after the password.

發佈留言

發佈留言必須填寫的電子郵件地址不會公開。 必填欄位標示為 *