Home / ubuntu / Questions / 1208888
Accepted
florian
Asked: 2020-02-08 13:34:29 +0800 CST

2FA with Ubuntu 18.04

  • 772

I'm using 2FA on Ubuntu 18.04.4 LTS with Google Authenticator. I added auth required pam_google_authenticator.so nullok to /etc/pam.d/common-session and correctly set up Google Authenticator.

The 2FA works great when getting back to a session after sleep mode. However when I shut my computer down and boot again, the 2FA doesn't prompt and I'm only asked to enter my master password. Do you have any idea why?

18.04 two-factor-authentication

1 Answers

  1. Best Answer

    Problem was related to the encryption of home directory. As stated in Google Authenticator libpam

    If your system encrypts home directories until after your users entered their password, you either have to re-arrange the entries in the PAM configuration file to decrypt the home directory prior to asking for the OTP code, or you have to store the secret file in a non-standard location

    . If you're the only user of your laptop, below are the steps to follow to boot Ubuntu 18.04 with 2FA:

    • create an unencrypted directory, let's call it ga:
    sudo mkdir -m 700 /home/ga
sudo chown yourname:yourgroup /home/ga
    • when you run and configure Google Authenticator (i.e., command google-authenticator in a terminal), it creates a configuration file at the root directory. Copy this file to your unencrypted directory:
    sudo cp ~/.google_authenticator /home/ga/.
    • finally add this line at the end of the file /etc/pam.d/gdm-password:
    auth required pam_google_authenticator.so secret=/home/ga/.google_authenticator

    Boot your computer and you should be good to go.

    Sources

    https://github.com/google/google-authenticator-libpam#encrypted-home-directories

    Google Authenticator for Desktop (lightdm or gdm plugin)

    https://wiki.archlinux.org/index.php/Google_Authenticator#Desktop_logins

    Possible to Create Unencrypted Folder Outside Ecryptfs Home?

    • 0