By design, Linux is a reasonably secure operating system out of the box. That doesn't mean there aren't steps you can take to make it more secure.
One thing you can do is enable two-factor authentication (2FA) for desktop logins. With this in place, logging in requires both your user password and a six-digit, time-based one-time code that you read from an authenticator app on your phone.
Believe it or not, 2FA is pretty easy to set up. I would suggest, however, that you try this approach on a test machine. You do not want to get locked out of your main desktop, because, should that happen, it can be a nightmare to resolve.
With that said, let me show you how to set up 2FA.
Installing the software for 2FA
What you'll need: To make this approach work, you'll need a running instance of Linux. I'll demonstrate with Zorin OS, which is an Ubuntu-based distribution. With a Fedora or Arch-based distro, alter the installation command (swapping out apt for dnf or pacman, and checking the package name your distribution uses). You'll also need a TOTP-compatible authenticator app (such as Authy or Google Authenticator) installed on your mobile phone.
With that said, let’s install some software.
The first thing to do is log in to your Linux distribution and open the terminal window.
Within the terminal app, install the necessary software with the command:
sudo apt-get install libpam-google-authenticator -y
Open the necessary configuration file with the command:
sudo nano /etc/pam.d/common-auth
At the bottom of the file, add the following:
auth required pam_google_authenticator.so
Two things to understand before you save: common-auth is included by most other PAM service files on Debian-based systems (sudo, su, login, the display manager and sshd among them), so this line applies to all of them, not only the desktop greeter; and with the required control flag and no further options, an account that has no ~/.google_authenticator file yet cannot authenticate at all. If you want unenrolled accounts to keep working with just a password while you roll this out, append the module's nullok option to the end of that line. It is also wise to have a fallback open before you save, such as a second terminal already running a root shell (sudo -i) or the SSH session described below, because sudo itself will start enforcing this rule immediately.
Save and close the file.
Now, before you log out and test the software, I recommend you secure shell into the machine from another computer and leave that connection open until you are certain it works. Existing sessions are not affected by the PAM change, so if the new rule misbehaves you're still logged in and can troubleshoot. Fortunately, the above setup worked flawlessly for me.
From the terminal, issue the command:
google-authenticator
The tool first asks whether you want the tokens to be time-based; answer y. A QR code will then appear in the terminal, together with the same secret printed as text in case your app cannot scan it. Open the authenticator app on your mobile device and add a new account by scanning the QR code (how you do this will depend on the app you use). Once the scan is complete, you'll be asked to type the six-digit code from the app into the Linux terminal window to confirm that the app and the machine agree.
You'll also be presented with a few emergency "scratch" codes. Save them somewhere other than your phone (a password manager or a printout kept offline), because they are what gets you in if you lose the phone. Each scratch code works only once.
You’ll be asked the following questions:
- Do you want me to update your “/home/jack/.google_authenticator” file? (y/n) y
- Do you want to disallow multiple uses of the same authentication token? This restricts you to one login about every 30s, but it increases your chances to notice or even prevent man-in-the-middle attacks? (y/n) y
- By default, a new token is generated every 30 seconds by the mobile app. In order to compensate for possible time-skew between the client and the server, we allow an extra token before and after the current time. This allows for a time skew of up to 30 seconds between authentication server and client. If you experience problems with poor time synchronization, you can increase the window from its default size of 3 permitted codes (one previous code, the current code, the next code) to 17 permitted codes (the 8 previous codes, the current code, and the 8 next codes). This will permit for a time skew of up to 4 minutes between client and server. Do you want to do so? (y/n) y
- If the computer that you are logging in to isn’t hardened against brute-force login attempts, you can enable rate-limiting for the authentication module. By default, this limits attackers to no more than 3 login attempts every 30s. Do you want to enable rate-limiting? (y/n)
Make sure to answer “y” to all the questions.
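To make the prompts above concrete, here is an added example, not code from this article or from the google-authenticator project: a small Python model of the policy the PAM module enforces, with RFC 6238 TOTP generation, the skew window (3 or 17 permitted codes), single use of each accepted code, and the 3-attempts-per-30-seconds rate limit. The secret is a constructed test value (RFC 6238's reference key, base32-encoded as the tool would print it); the class, its method and parameter names are illustrative and are not the module's own options.

```python
"""Illustrative model of what the google-authenticator prompts control.
Not the PAM module's code: RFC 6238 TOTP, a skew window of 3 or 17 codes,
one-time use of each code, and a 3-attempts-per-30-seconds rate limit."""
import base64
import hashlib
import hmac
import struct

STEP_SECONDS = 30   # the app generates a new token every 30 seconds
DIGITS = 6

# Constructed test secret: RFC 6238's reference key "12345678901234567890",
# base32-encoded in the same form the tool prints and stores in ~/.google_authenticator.
TEST_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def totp_code(secret_b32: str, counter: int) -> str:
    """Return the 6-digit code for one 30-second time step (RFC 4226/6238, HMAC-SHA1)."""
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)
    key = base64.b32decode(padded)
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                                   # dynamic truncation
    truncated = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{truncated % 10 ** DIGITS:0{DIGITS}d}"


class TotpVerifier:
    """Hypothetical verifier mirroring the three policy questions the tool asks."""

    def __init__(self, secret_b32, window_size=3, disallow_reuse=True, rate_limit=(3, 30)):
        if window_size % 2 == 0:
            raise ValueError("window_size is the current code plus an equal number each side")
        self.secret = secret_b32
        self.skew_steps = (window_size - 1) // 2     # 3 -> +/-1 step (30 s), 17 -> +/-8 steps (4 min)
        self.disallow_reuse = disallow_reuse
        self.max_attempts, self.limit_seconds = rate_limit
        self.used_counters = set()                   # time steps whose code was already accepted
        self.attempts = []                           # timestamps of recent attempts

    def _rate_limited(self, now: int) -> bool:
        """Allow at most max_attempts within any limit_seconds window; count this attempt."""
        self.attempts = [t for t in self.attempts if now - t < self.limit_seconds]
        if len(self.attempts) >= self.max_attempts:
            return True
        self.attempts.append(now)
        return False

    def verify(self, code: str, now: int) -> bool:
        """Return True if `code` is acceptable at Unix time `now` under the configured policy."""
        if self._rate_limited(now):
            return False
        current = int(now) // STEP_SECONDS
        first = max(0, current - self.skew_steps)    # counters are unsigned; never go below 0
        for counter in range(first, current + self.skew_steps + 1):
            expected = totp_code(self.secret, counter).encode()
            if hmac.compare_digest(expected, code.encode()):
                if self.disallow_reuse and counter in self.used_counters:
                    return False                     # same token presented twice: treat as replay
                self.used_counters.add(counter)
                return True
        return False
```

The model shows why the questions matter: the window of 17 codes tolerates four minutes of clock skew but gives a guesser 17 targets per attempt instead of 3, so the rate limit is what keeps that tolerable; and disallowing reuse means a code observed over someone's shoulder or by a phishing page is dead once the real user has used it, which is the "notice or prevent man-in-the-middle" the prompt refers to.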
With these steps taken care of, you can now reboot the system. When you log in, you’ll be asked for your user password and the six-digit code from the authenticator app on your mobile phone.
One thing to keep in mind is that, because common-auth is shared by other PAM-aware services on Debian-based systems, this change is not confined to the desktop greeter: sudo and su will also ask for the code, and SSH logins that authenticate through PAM may prompt for it or fail, depending on how sshd is configured. Properly enabling 2FA for SSH, including the sshd configuration it needs, is a different process, which I'll walk you through in a separate how-to.
Congratulations, your Linux desktop is now slightly more secure.