login と sudo を2要素認証にする


Google Authenticator を使ってlogin と sudo を2要素認証にする。


% sudo apt-get install libpam-google-authenticator


auth    [success=1 default=ignore] nullok_secure
auth required

initialize google-authenticator

% google-authenticator
Do you want me to update your "/home/USER/.google_authenticator" file (y/n) y
Do you want to disallow multiple uses of the same authentication token? This restricts you to one login about every 30s, but it increases your chances to notice or even prevent man-in-the-middle attacks (y/n)
By default, tokens are good for 30 seconds, and to compensate for possible time-skew between the client and the server, we allow an extra token before and after the current time. If you experience problems with poor time synchronization, you can increase the window from its default size of 1:30min to about 4min. Do you want to do so (y/n)
If the computer that you are logging into isn't hardened against brute-force login attempts, you can enable rate-limiting for the authentication module. By default, this limits attackers to no more than 3 login attempts every 30s. Do you want to enable rate-limiting (y/n)

質問に回答後、 16ケタのsecret key, 6ケタのverification code, 5つの緊急コードが表示される。
secret key は Google Authenticator App の設定に必要。

set up Google Authenticator App

Google Authenticator Appを起動
+ をタップ
Manual entry をタップ
Key を入力

Reference - 2016-05-13 - How to Set Up 2-Factor Authentication for Login and sudo

iTunes - Google Authenticaticator

Google Play - Google Authenticator

Googleアカウントヘルプ - Google 認証システムのインストール