I wanted to add 2 Factor Authentication (2FA) to my local Ubuntu virtual machine using Google Authenticator. None of the writeups I found online covered all of my use cases, so I pieced together a solution that did. This is how I set it up…

sudo apt install libpam-google-authenticator
google-authenticator

Upon running the google-authenticator command, you will be shown a URL, a QR code, a secret key, and a prompt for you to enter the 6-digit code from your authenticator app.

Google Authenticator Setup

Take note of (aka: WRITE IT DOWN and stash it somewhere secure) the secret key, verification code, and emergency scratch codes because if you lose your authenticator app, you’ll be locked out unless you have these to get back in/re-do your 2FA setup.

Google Authenticator Setup Continued

Once you’ve answered the prompts you’ll have a .google-authenticator file in your home directory.

Google Authenticator dotfile

This file contains your secret key/emergency scratch codes as well as settings/values for the prompts we just answered.

Okay, now that we’ve done that, we need to tell Linux to actually use this form of authentication.

sudo nano common-auth

For common-auth, we need to add auth required pam_google_authenticator.so forward_pass nullok somewhere (immediately?) above the pam_unix.so module. This will ensure that we get prompted for our password+2FA first. This will take care of local console login as well as sudo.

/etc/pam.d/common-auth 
sudo nano xrdp-sesman

For xrdp-sesman, we need to add the same line auth required pam_google_authenticator.so forward_pass nullok and comment out the “common-auth” line.

/etc/pam.d/xrdp-sesman

Give yourself a reboot and you’ll be in business.

2FA login via local console
2FA login via xrdp