Steve Engledow: Senior Solutions Builder at Amazon Web Services


17 September 2015

After toying with the idea for some time, I decided I’d try setting up 2FA on my laptop. As usual, the Arch wiki had a nicely written article on setting up 2FA with the PAM module for Google Authenticator.

I followed the instructions for setting up 2FA for ssh and that worked seamlessly, so I decided I’d then go the whole hog and enable the module in /etc/pam.d/system-auth, which would mean I’d need it any time I had to log in at all.

Adding the line:

auth  sufficient  pam_google_authenticator.so

had the expected effect that I could log in with just the verification code, but that seems to defeat the point a little, so I bit my lip and changed sufficient to required, which would mean I’d need my password and the code on login.

I switched to another VT and went for it. It worked!

So then I rebooted.

And I couldn’t log in.

After a couple of minutes spent downloading an ISO using another machine, putting it on a USB stick, booting from it, and editing my system-auth file, I realised why:

auth      required    pam_google_authenticator.so
auth      required    pam_unix.so     try_first_pass nullok
auth      required    pam_ecryptfs.so unwrap

My home partition is encrypted, and so the Google Authenticator module obviously couldn’t load my secret file until I’d already logged in.

I tried moving the pam_google_authenticator.so line to the bottom of the auth group but that didn’t work either.

How could this possibly go wrong…

So, the solution I came up with was to put the 2FA module into the session group. My understanding is that this will mean PAM will ask me to supply a verification code once per session, which is fine by me; I don’t want to have to put a code in every time I sudo anyway.

My question is, will my minor abuse of PAM bite me in the arse at any point? It seems to do what I expected, even if I log in through GDM.

Here’s my current system-auth file:

auth      required  pam_unix.so     try_first_pass nullok
auth      required  pam_ecryptfs.so unwrap
auth      optional  pam_permit.so
auth      required  pam_env.so

account   required  pam_unix.so
account   optional  pam_permit.so
account   required  pam_time.so

password  optional  pam_ecryptfs.so
password  required  pam_unix.so     try_first_pass nullok sha512 shadow
password  optional  pam_permit.so

session   required  pam_limits.so
session   required  pam_unix.so
session   optional  pam_ecryptfs.so unwrap
session   optional  pam_permit.so
session   required  pam_google_authenticator.so
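To make the behaviour described above concrete, here is a small model of how Linux-PAM evaluates a stack, covering both the auth-group experiments (sufficient letting the code alone log in, required locking me out after a reboot, and moving the line to the bottom not helping) and the final layout with the module in the session group. This is an added example, not code from the original post or from the Google Authenticator project; the module results (pam_google_authenticator failing whenever the secret in $HOME is unreadable, pam_unix succeeding only with the right password) are constructed to mirror the scenarios in the post, and the stack evaluation follows the control-flag semantics documented in pam.conf(5).

```python
"""Model of Linux-PAM control flags and management groups.

Added example, not code from the original post. Module results are
constructed: pam_google_authenticator fails whenever it cannot read
~/.google_authenticator (eCryptfs home not yet mounted) and pam_unix
succeeds only with the right password.
"""
from typing import List, Tuple

SUCCESS = "PAM_SUCCESS"
FAIL = "PAM_AUTH_ERR"

# One line of a PAM stack: (control flag, module name, result it returns)
Entry = Tuple[str, str, str]


def run_stack(stack: List[Entry]) -> str:
    """Evaluate one management group (auth, account, password or session).

    required:   failure is remembered, the rest of the stack still runs
    requisite:  failure ends the stack immediately
    sufficient: success ends the stack immediately unless an earlier
                'required' entry already failed; its own failure is ignored
    optional:   only matters when it is the sole entry in the stack
    """
    if len(stack) == 1 and stack[0][0] == "optional":
        return stack[0][2]
    required_failed = False
    for flag, _module, result in stack:
        ok = result == SUCCESS
        if flag in ("required", "requisite"):
            if not ok:
                if flag == "requisite":
                    return FAIL
                required_failed = True
        elif flag == "sufficient":
            if ok and not required_failed:
                return SUCCESS
        elif flag != "optional":
            raise ValueError(f"unknown control flag: {flag}")
    return FAIL if required_failed else SUCCESS


def google_authenticator(home_mounted: bool, code_ok: bool) -> str:
    # The secret lives in $HOME; with an encrypted home it is unreadable
    # until the session stage has mounted the directory.
    return SUCCESS if home_mounted and code_ok else FAIL


def auth_stack(ga_flag: str, ga_at_top: bool, home_mounted: bool,
               code_ok: bool, password_ok: bool) -> List[Entry]:
    """The post's auth group with pam_google_authenticator at top or bottom."""
    ga: Entry = (ga_flag, "pam_google_authenticator.so",
                 google_authenticator(home_mounted, code_ok))
    base: List[Entry] = [
        ("required", "pam_unix.so", SUCCESS if password_ok else FAIL),
        # In the auth stage pam_ecryptfs only stashes the passphrase;
        # the mount itself happens later, in the session stage.
        ("required", "pam_ecryptfs.so", SUCCESS),
    ]
    return [ga] + base if ga_at_top else base + [ga]


def login(stages_called: List[str], code_ok: bool, password_ok: bool) -> str:
    """The post's final layout: 2FA in 'session', nothing extra in 'auth'.

    Which groups run is decided by the PAM client: a login manager calls
    auth, account and session in turn, whereas a client that only calls
    pam_authenticate() never runs the session stack at all.
    """
    stacks = {
        "auth": [
            ("required", "pam_unix.so", SUCCESS if password_ok else FAIL),
            ("required", "pam_ecryptfs.so", SUCCESS),
        ],
        "account": [("required", "pam_unix.so", SUCCESS)],
        "session": [
            ("required", "pam_unix.so", SUCCESS),
            ("optional", "pam_ecryptfs.so", SUCCESS),  # mounts $HOME here
            # $HOME is mounted by now, so the secret file is readable.
            ("required", "pam_google_authenticator.so",
             google_authenticator(True, code_ok)),
        ],
    }
    for stage in stages_called:
        if run_stack(stacks[stage]) != SUCCESS:
            return FAIL
    return SUCCESS


if __name__ == "__main__":
    print("sufficient, code only :", run_stack(auth_stack("sufficient", True, True, True, False)))
    print("required, 2nd VT test :", run_stack(auth_stack("required", True, True, True, True)))
    print("required, after reboot:", run_stack(auth_stack("required", True, False, True, True)))
    print("required, moved last  :", run_stack(auth_stack("required", False, False, True, True)))
    print("session 2FA, full login:", login(["auth", "account", "session"], True, True))
```

The second-VT test succeeded in the model for the same reason it did on the laptop: an existing session had already mounted the home directory, so the secret was readable; after a reboot nothing in the auth group can mount it, and with `required` the remembered failure sinks the whole stack no matter where the line sits. The `login` function also makes the caveat behind the session placement visible: the code is only demanded by clients that actually run the session group, so a client that stops after pam_authenticate() and pam_acct_mgmt() is checked by the password alone.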