--- layout: post title: "`$ su -' with Two-Step Authentication" date: 2014-05-29 11:06 comments: true categories: [server, shell, paranoid, linux] cover: /images/cover/avatar.png keywords: Google Authenticator, two factor, two step, ssh, security description: More secure login via two-step authentication --- ##### TL;DR Log in with user's password and verification code obtained from [Google Authenticator](https://code.google.com/p/google-authenticator/) mobile app. # Intro I really like a [two-step authentication](http://en.wikipedia.org/wiki/Multi-factor_authentication) (or two-factor) idea. I use everywhere I can (Google accounts, Bitstamp, Facebook...); so I get this idea: logging in as root would require correct user's password and some verification code obtained from my phone. I found very easy-to-use solution: Google Authenticator.<br> It's an open-source project (Apache License 2.0) so if you're paranoid go and check if it doesn't contain some backdoor ;) The Authenticator app provides a random [one-time password](http://en.wikipedia.org/wiki/One-time_password)(verification code) users must provide in addition to their password. I access my server via password-less ssh login (```ssh alterego@my.server```) and then I log in as root (```su -```). I set up Google Authenticator to ask for verification code after inserting correct root's password. Let's do that right now. # Installation and usage Install PAM library and tools: ```libpam-google-authenticator```. Log in as root and run ```google-authenticator```. It generates a key and emergency codes (useful if you lost your phone). In your phone enter generated secret key (type of the key is 'time based'). Then paste to the last line in ```/etc/pam.d/su```: auth required pam_google_authenticator.so Now everything's should be set up. 0. You're logged in as a regular user 1. Fire ```su -``` 2. Enter your password 3. Enter verification code from your phone 4. ??? 5. Profit.