After toying with the idea for some time, I decided I'd try setting up 2FA on my laptop. As usual, the arch wiki had a nicely written article on setting up 2FA with the PAM module for Google Authenticator.
I followed the instructions for setting up 2FA for ssh and that worked seamlessly so I decided I'd then go the whole hog and enable the module in
/etc/pam.d/system-auth which would mean I'd need it any time I had to login at all.
Adding the line:
auth sufficient pam_google_authenticator.so
had the expected effect that I could login with just the verification code but that seems to defeat the point a little so I bit my lip and changed
required which would mean I'd need my password and the code on login.
I switched to another VT and went for it. It worked!
So then I rebooted.
And I couldn't log in.
After a couple of minutes to download an ISO to boot from using another machine, putting it on a USB stick, booting from it, and editing my
system-auth file, I realised why:
auth required pam_google_authenticator.so auth required pam_unix.so try_first_pass nullok auth required pam_ecryptfs.so unwrap
My home partition is encrypted and so the Google authenticator module obviously couldn't load my secret file until I'd already logged in.
I tried moving the
pam_google_authenticator.so line to the bottom of the
auth group but that didn't work either.
How could this possibly go wrong...
So, the solution I came up with was to put the 2fa module into the session group. My understanding is that this will mean PAM will ask me to supply a verification code once per session which is fine by me; I don't want to have to put a code in every time I
My question is, will my minor abuse of PAM bite me in the arse at any point? It seems to do what I expected, even if I log in through GDM.
Here's my current
#%PAM-1.0 auth required pam_unix.so try_first_pass nullok auth required pam_ecryptfs.so unwrap auth optional pam_permit.so auth required pam_env.so account required pam_unix.so account optional pam_permit.so account required pam_time.so password optional pam_ecryptfs.so password required pam_unix.so try_first_pass nullok sha512 shadow password optional pam_permit.so session required pam_limits.so session required pam_unix.so session optional pam_ecryptfs.so unwrap session optional pam_permit.so session required pam_google_authenticator.so