Twofer


After toying with the idea for some time, I decided I'd try setting up 2FA on my laptop. As usual, the Arch wiki had a nicely written article on setting up 2FA with the PAM module for Google Authenticator.

I followed the instructions for setting up 2FA for ssh and that worked seamlessly, so I decided I'd then go the whole hog and enable the module in /etc/pam.d/system-auth, which would mean I'd need it any time I had to log in at all.

Adding the line:

auth  sufficient  pam_google_authenticator.so

had the expected effect that I could log in with just the verification code, but that seems to defeat the point a little, so I bit my lip and changed sufficient to required, which would mean I'd need my password and the code on login.

I switched to another VT and went for it. It worked!

So then I rebooted.

And I couldn't log in.

After a couple of minutes to download an ISO to boot from using another machine, putting it on a USB stick, booting from it, and editing my system-auth file, I realised why:

auth      required    pam_google_authenticator.so
auth      required    pam_unix.so     try_first_pass nullok
auth      required    pam_ecryptfs.so unwrap

My home partition is encrypted, and so the Google Authenticator module obviously couldn't load my secret file until I'd already logged in.

D'oh

I tried moving the pam_google_authenticator.so line to the bottom of the auth group but that didn't work either.

How could this possibly go wrong...

So, the solution I came up with was to put the 2FA module into the session group. My understanding is that this will mean PAM will ask me to supply a verification code once per session, which is fine by me; I don't want to have to put a code in every time I sudo anyway.

My question is, will my minor abuse of PAM bite me in the arse at any point? It seems to do what I expected, even if I log in through GDM.

Here's my current system-auth file:

#%PAM-1.0

auth      required  pam_unix.so     try_first_pass nullok
auth      required  pam_ecryptfs.so unwrap
auth      optional  pam_permit.so
auth      required  pam_env.so

account   required  pam_unix.so
account   optional  pam_permit.so
account   required  pam_time.so

password  optional  pam_ecryptfs.so
password  required  pam_unix.so     try_first_pass nullok sha512 shadow
password  optional  pam_permit.so

session   required  pam_limits.so
session   required  pam_unix.so
session   optional  pam_ecryptfs.so unwrap
session   optional  pam_permit.so
session   required  pam_google_authenticator.so
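The following is an added example, not code from the post or from Linux-PAM itself: a toy evaluator that walks a system-auth style stack with the required/requisite/sufficient/optional control-flag semantics, using stand-in modules whose behaviour is an assumption of the example (pam_unix.so checks the password in the auth group; pam_ecryptfs.so only unwraps the passphrase during auth and mounts the home directory during session; pam_google_authenticator.so needs its secret file inside that home directory). Running the post's three configurations through it reproduces each observation: "sufficient" lets the code alone log you in, "required" at the top (or bottom) of the auth group works on a second VT but not after a reboot, and the session-group placement works because the home directory is mounted by the time the module runs.

```python
"""Toy PAM stack evaluator (added example; module behaviour is assumed)."""


def parse_stack(config_text):
    """Parse 'type control module [args...]' lines, skipping comments/blanks."""
    stack = []
    for line in config_text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            mtype, control, module, *args = line.split()
            stack.append((mtype, control, module, args))
    return stack


def run_group(stack, group, modules, state):
    """Evaluate one management group with Linux-PAM control-flag semantics."""
    failed = False
    for mtype, control, module, args in stack:
        if mtype != group:
            continue
        ok = modules[module](group, args, state)
        if control == "required" and not ok:
            failed = True            # remember the failure, keep running the stack
        elif control == "requisite" and not ok:
            return False             # stop immediately
        elif control == "sufficient" and ok and not failed:
            return True              # short-circuit the rest of the group
        # 'optional' never decides the outcome of the group
    return not failed


def make_modules(correct_password, correct_code):
    """Stand-in modules; their behaviour is an assumption of this example."""
    def pam_unix(group, args, state):
        return group != "auth" or state["password"] == correct_password

    def pam_ecryptfs(group, args, state):
        if group == "auth" and state["password"] == correct_password:
            state["passphrase_in_keyring"] = True   # unwrap only stores the key
        if group == "session" and state.get("passphrase_in_keyring"):
            state["home_mounted"] = True            # ~ becomes readable here
        return True                                 # ecryptfs never rejects a login

    def pam_google_authenticator(group, args, state):
        if not state.get("home_mounted"):
            return False                            # secret file not readable yet
        return state["code"] == correct_code

    def permit(group, args, state):
        return True

    return {"pam_unix.so": pam_unix, "pam_ecryptfs.so": pam_ecryptfs,
            "pam_google_authenticator.so": pam_google_authenticator,
            "pam_permit.so": permit, "pam_env.so": permit,
            "pam_limits.so": permit, "pam_time.so": permit}


def login(config_text, password, code, home_already_mounted=False,
          correct_password="correct horse", correct_code="123456"):
    """Run auth, account and session in order; True means a session opens.
    home_already_mounted=True models a second VT login while an existing
    session keeps the encrypted home mounted (the post's successful test)."""
    stack = parse_stack(config_text)
    modules = make_modules(correct_password, correct_code)
    state = {"password": password, "code": code,
             "home_mounted": home_already_mounted}
    return all(run_group(stack, g, modules, state)
               for g in ("auth", "account", "session"))


# Condensed versions of the stacks from the post (constructed for the example).
OTP_SUFFICIENT = """
auth      sufficient  pam_google_authenticator.so
auth      required    pam_unix.so     try_first_pass nullok
auth      required    pam_ecryptfs.so unwrap
session   required    pam_unix.so
session   optional    pam_ecryptfs.so unwrap
"""
OTP_REQUIRED_FIRST = OTP_SUFFICIENT.replace("sufficient  ", "required    ")
OTP_REQUIRED_LAST = """
auth      required    pam_unix.so     try_first_pass nullok
auth      required    pam_ecryptfs.so unwrap
auth      required    pam_google_authenticator.so
session   required    pam_unix.so
session   optional    pam_ecryptfs.so unwrap
"""
OTP_IN_SESSION = """
auth      required    pam_unix.so     try_first_pass nullok
auth      required    pam_ecryptfs.so unwrap
session   required    pam_unix.so
session   optional    pam_ecryptfs.so unwrap
session   required    pam_google_authenticator.so
"""

if __name__ == "__main__":
    print("code only, sufficient:", login(OTP_SUFFICIENT, "wrong", "123456", True))
    print("required, other VT:   ", login(OTP_REQUIRED_FIRST, "correct horse", "123456", True))
    print("required, after boot: ", login(OTP_REQUIRED_FIRST, "correct horse", "123456"))
    print("required last in auth:", login(OTP_REQUIRED_LAST, "correct horse", "123456"))
    print("session, after boot:  ", login(OTP_IN_SESSION, "correct horse", "123456"))
```

The model also makes the trade-off of the session placement visible: the auth group has already accepted the password before the code is ever checked, so the second factor is only enforced by services that go on to open a PAM session, and a bad code is reported as a session failure rather than an authentication failure.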