 ---
 layout: post
 title: "`$ su -' with Two-Step Authentication"
 date: 2014-05-29 11:06
 comments: true
 categories: [server, shell, paranoid, linux]
 cover: /images/cover/avatar.png
 keywords: Google Authenticator, two factor, two step, ssh, security
 description: More secure login via two-step authentication
 ---
 
 ##### TL;DR
 Log in with the user's password plus a verification code obtained from the
 [Google Authenticator](https://code.google.com/p/google-authenticator/) mobile app.
 
 # Intro 
 I really like the [two-step authentication](http://en.wikipedia.org/wiki/Multi-factor_authentication)
 (or two-factor) idea. I use it everywhere I can (Google accounts, 
 Bitstamp, Facebook...), so I got this idea: logging in as root should require both the
 correct user password and a verification code obtained from my phone. I found a very 
 easy-to-use solution: Google Authenticator.<br>
 It's an open-source project (Apache License 2.0), so if you're paranoid go and 
 check that it doesn't contain some backdoor ;) The Authenticator app provides a 
 time-based [one-time password](http://en.wikipedia.org/wiki/One-time_password) (verification code)
 that users must enter in addition to their password.
 
 I access my server via password-less ssh login (```ssh alterego@my.server```) and then
 I log in as root (```su -```). I set up Google Authenticator to ask for a 
 verification code after the correct root password has been entered. Let's do that right now.
 
 # Installation and usage
 
 Install the PAM module and tools: ```libpam-google-authenticator```.
 Log in as root and run ```google-authenticator```. It generates a secret key and emergency
 scratch codes (useful if you lose your phone) and stores them in root's home directory, which
 is the account ```su -``` authenticates against. On your phone, enter the generated secret key 
 (the key type is 'time based').
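 To see what that 'time based' key actually does, here is a worked TOTP implementation added for this post (it is example code, not code from the google-authenticator project or its PAM module). It assumes the defaults the app and module use: a base32 secret, HMAC-SHA1, 30-second time steps and 6-digit codes. The secret is a constructed one (the RFC 4226/6238 test key), and the `TotpVerifier` class is my own sketch of the server-side check: it accepts the previous, current and next code, compares in constant time, and refuses to accept a time step that has already been used, which is what the module's `DISALLOW_REUSE` option is for.

```python
"""TOTP as used by Google Authenticator and pam_google_authenticator:
base32 secret, HMAC-SHA1, 30-second time steps, 6-digit codes (RFC 4226 / RFC 6238).
Added example for this post; not code from the google-authenticator project."""
import base64
import hashlib
import hmac
import struct
import time

# Constructed test secret: the 20-byte RFC 4226/6238 test key, base32 encoded the
# way google-authenticator prints it for entry into the phone app.
DEMO_SECRET_B32 = base64.b32encode(b"12345678901234567890").decode()


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret_b32: str, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """TOTP (RFC 6238): what the phone shows, i.e. HOTP with counter = floor(time / step)."""
    key = base64.b32decode(secret_b32.strip().upper())
    return hotp(key, unix_time // step, digits)


class TotpVerifier:
    """Server-side check in the spirit of pam_google_authenticator (hypothetical sketch):
    accept the previous, current and next code (window=1 covers the same three steps as
    the module's default window_size of 3) and never accept an already-used step."""

    def __init__(self, secret_b32: str, step: int = 30, digits: int = 6, window: int = 1):
        self.key = base64.b32decode(secret_b32.strip().upper())
        self.step, self.digits, self.window = step, digits, window
        self.last_used_step = -1  # replay guard, like the module's DISALLOW_REUSE option

    def verify(self, code: str, unix_time=None) -> bool:
        if unix_time is None:
            unix_time = int(time.time())
        if len(code) != self.digits or not code.isdigit():
            return False
        current = unix_time // self.step
        for candidate in range(current - self.window, current + self.window + 1):
            # Skip steps before the epoch and steps already consumed by an earlier login.
            if candidate < 0 or candidate <= self.last_used_step:
                continue
            expected = hotp(self.key, candidate, self.digits)
            if hmac.compare_digest(expected, code):  # constant-time comparison
                self.last_used_step = candidate
                return True
        return False


if __name__ == "__main__":
    now = int(time.time())
    print("secret for the phone:", DEMO_SECRET_B32)
    print("code the phone shows now:", totp(DEMO_SECRET_B32, now))
    print("verifies:", TotpVerifier(DEMO_SECRET_B32).verify(totp(DEMO_SECRET_B32, now), now))
```

 Two points worth noticing: the code depends only on the shared secret and the clock, so a phone and server whose clocks drift by more than the window stop agreeing (the module's `google-authenticator` setup offers a larger window for exactly that reason), and the replay guard is what stops a code that was shoulder-surfed from being reused within the same 30 seconds.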
 
 Then append this line at the end of ```/etc/pam.d/su```:
 
     auth required pam_google_authenticator.so
 
 Because it is the last ```auth``` line, PAM prompts for the verification code after the 
 password prompt; because it is ```required```, ```su``` to an account that has no 
 ```.google_authenticator``` file will fail, so keep a root shell open until you have tested it. 
 Now everything should be set up. 
 
 0. You're logged in as a regular user
 1. Fire ```su -```
 2. Enter your password
 3. Enter verification code from your phone
 4. ???
 5. Profit.