How-to enable Multi Factor Authentication for Linux using Google Authenticator (part 1)
post-template-default,single,single-post,postid-50915,single-format-standard,select-core-1.2.1,brick-child-child-theme-ver-1.0.0,brick-theme-ver-3.4,ajax_fade,page_not_loaded,smooth_scroll,side_menu_slide_from_right,vertical_menu_enabled,vertical_menu_left,vertical_menu_width_290,wpb-js-composer js-comp-ver-6.4.1,vc_responsive

How-to enable Multi Factor Authentication for Linux using Google Authenticator (part 1)

More than once a month, I get asked if there is a way to implement Multi Factor Authentication on cloud based Linux VM’s without having to buy tokens and implement proprietary services.

There are a couple of Open Source MFA solutions available and for the ease of installation and use I choose to use Google Authenticator.

This tutorial contains configuration instructions for both Debian and Redhat based Linux distributions and are written for the current versions.

What is Google Authenticator and how does it work?

Google Authenticator is an alternative to SMS for 2Step verification, installing an app on Android / IOS  where the codes will be sent. It supports both the HOTP and TOTP algorithms for generating one-time passwords.

With HOTP, the server and client share a secret value and a counter, which are used to compute a one time password independently on both sides. Whenever a password is generated and used, the counter is incremented on both sides, allowing the server and client to remain in sync.

TOTP essentially uses the same algorithm as HOTP with one major difference. The counter used in TOTP is replaced by the current time. The client and server remain in sync as long as the system times remain the same. This can be done by using the Network Time protocol.

The secret key (as well as the counter in the case of HOTP) has to be communicated to both the server and the client at some point in time. In the case of Google Authenticator, this is done in the form of a QRCode encoded URI. See: KeyUriFormat for more information.

How do I install Google Authenticator?

The installation contains of 5 steps:

STEP 1: Install the Client on a mobile device.

First the Google Authenticator app has to be installed on a mobile device:
Android: Get the latest version here, directly from Google Play.
IOS: Get the latest version here, directly from the App Store.
Windows: There is no GA app, but a compatible app can be obtained here, from the Microsoft App store

STEP 2: Install the service on your Linux machine.

Debian based:

You will install all dependencies like NTP automatically using the -y switch

sudo apt-get -y install libpam-google-authenticator


RHEL based:

First we need to install the development tools so we have a compiler, and the libraries we need. To do that we’ll use yum to install the “Development Tools” group

sudo yum -y groupinstall "Development Tools"

Now we need to install the pam development package

sudo yum -y install pam-devel

We setup and enable ntp so we can make sure our time is correct. Since we will be using a time based sync.

sudo yum -y install ntp
sudo systemctl start ntpd
sudo systemctl enable ntpd

Now we can download the google authenticator pam module from, we will download it to /opt.

cd /opt

Unzip, untar, compile the module, and install it.

bunzip2 libpam-google-authenticator-1.0-source.tar.bz2
tar -xvf libpam-google-authenticator-1.0-source.tar
rm -f libpam-google-authenticator-1.0-source.tar
cd libpam-google-authenticator-1.0

When the compilation is successfully completed, Google Authenticator can be installed. (note: this has to be done by a privileged user)

sudo make install

Now you have installed Google Authenticator

In the next part of this Tutorial, We will show you how to setup the Google Authenticator and how you can prevent having to use a different authenticator for every server you want to access.