Today I decided to improve the login security for my OS X install with the use of 2-factor authentication with the Google Authenticator PAM. Turns out there's not much information on this, and what is there neglects some interesting steps, so I'll write up my own experience here in the hope that it'll help someone.
First, download the code from
Extract it and in the directory run
make && sudo make install. This will compile the PAM library and the command line tool for creating your secret. It will also put the command line tool in the correct place of
/usr/local/binand the PAM library in the wrong place of
So, now we put the library in the correct place with
mv /usr/lib/pam_google_authenticator.so /usr/lib/pam/pam_google_authenticator.so
The library is now installed, so now it's onto config. At this point, it's possible to lock yourself out, so it would be really smart to make sure you have SSH turned on for your mac and have another machine to SSH in from handy... just in case (n.b. I didn't do this. I then had to figure out how to unmangle my PAM file to login again... you don't want to have to do this).
If you want, you can also install the qrencode library, which will allow a QR code to be generated in the next step. With homebrew, this is
brew install qrencode
First part of the config is generating your authenticator secret. Run the command line tool google-authenticator. This will generate a secret and a set of backup tokens. It will also ask you a few questions, answer as appropriate.
Now you get to decide what services will use 2-factor authentication. I went for SSH, sudo, login and unlock, which involved the PAM files
sshd(all in the
/etc/pam.ddirectory). The configs for these are as follows:
In each of the files, the important modifications are around the line
auth required pam_google_authenticator.so
This line, and the options following it, insert the google authenticator PAM into your authentication chain. With SSH and sudo, this is done with a 'challenge-response' prompt, where it will ask you for a verification key. However, the OSX login lacks this ability to insert another prompt, so for logging in or unlocking the screen, we use the
forward_passoption, which expects the password and TOTP to be provided together as
<password><totp>. This may cause your keychain login to complain about an incorrect password - do not change the password unless you want to write down the token when you logged in so you can remember the password next time. Instead, when you have finished logging in, the keychain will prompt for your password again. Type it in normally and you're all set.
If you wanted, you could also try the following for sudo:
# sudo: auth account password session
auth sufficient pam_google_authenticator.so
auth required pam_opendirectory.so
account required pam_permit.so
password required pam_deny.so
session required pam_permit.so
This will alter your sudo authentication so that you will be prompted for a TOTP first. If this is correct then sudo authentication succeeds. If it fails, it will fall back to the traditional asking for a password.