Protecting Linux Login with 2FA

This is definitely not the first time I’ve tried getting this working, but glad I was finally able to. Looks like if I had read a bit more, I never would have run into issues…

By the second or third time I ran into problems, I at least figured out why: with my home directory being encrypted, the “secret” 2FA files could not be accessed & verified.

Now for the fun part… It looks like Google had the instructions for encrypted home directories in the README the whole time.

Encrypted home directories
If your system encrypts home directories until after your users entered their password, you either have to re-arrange the entries in the PAM configuration file to decrypt the home directory prior to asking for the OTP code, or you have to store the secret file in a non-standard location:

auth required pam_google_authenticator.so secret=/var/unencrypted-home/${USER}/.google_authenticator

would be a possible choice. Make sure to set appropriate permissions. You also have to tell your users to manually move their .google_authenticator file to this location.

In addition to “${USER}”, the secret= option also recognizes both “~” and ${HOME} as short-hands for the user’s home directory.

When using the secret= option, you might want to also set the user= option. The latter forces the PAM module to switch to a dedicated hard-coded user id prior to doing any file operations. When using the user= option, you must not include “~” or “${HOME}” in the filename.

The user= option can also be useful if you want to authenticate users who do not have traditional UNIX accounts on your system.

So, after getting through that tedious “reading” thing, I followed their suggestion, & created the “unencrypted-home” directory, moved the ~/.google_authenticator file there, edited /etc/pam.d/common-auth & included the path to the file at the encrypted location. After that… Working as expected!

user@Hostname:~$ cat /etc/pam.d/common-auth | tail -n 1
auth required pam_google_authenticator.so secret=/var/unencrypted-home/${USER}/.google_authenticator

Linux on Samsung Galaxy TabPro S

I have picked ap a Galaxy TabPro S a year or two ago, but didn’t end up using it much since it was running Windows. I had always planned to try out Linux on it, but never got around to it until now. I installed Xubuntu, just to have a light OS, & the only issue is related to getting wireless working. It is however a quick fix:

GitHub: infernix/samsung_tabpro_s

Just need to clear the contents of /lib/firmware/ath10k/QCA6174/hw3.0/*, & then place the two files from the GitHub repo. After a reboot, wireless was working with no additional changes needed.

Xubuntu booting on my Samsung Galaxy TabPro S