diff --git a/wiki/source/googleauth.md b/wiki/source/googleauth.md index 13caf0c..e835101 100644 --- a/wiki/source/googleauth.md +++ b/wiki/source/googleauth.md @@ -8,51 +8,55 @@ author: deepend To get started with google authenticator run the following command - 'google-authenticator' + `google-authenticator` -Allow the command to update your Google Authenticator. After running the command, you’ll be asked a couple of questions, the first one being: - - 'Do you want authentication tokens to be time-based (y/n)' You need to answer 'yes'(y) +Allow the command to update your Google Authenticator. After running the +command, you’ll be asked a couple of questions, the first one being: +This one you need to answer 'yes'(y). -You’ll then be presented with a secret key and multiple “scratch codes”. -We strongly suggest saving these emergency scratch codes in a safe place, -like a password manager. These codes are the only way to regain access if -you lose your phone or lose access to your TOTP app, and each one can -only be used once, so they really are in case of emergency. + `Do you want authentication tokens to be time-based (y/n)` + +You’ll then be presented with a secret key and multiple “scratch codes”. +We strongly suggest saving these emergency scratch codes in a safe place, +like a password manager. These codes are the only way to regain access if +you lose your phone or lose access to your TOTP app, and each one can +only be used once, so they really are in case of emergency. -You’ll then be prompted with several questions, The choices are all about balancing security with ease-of-use. -It begins with: +You’ll then be prompted with several questions, The choices are all +about balancing security with ease-of-use. It begins with: + + `Do you want me to update your "~/.google_authenticator" file (y/n)` - 'Do you want me to update your "~/.google_authenticator" file (y/n)' You will need to answer 'yes'(y) for google authenticator to work with your login. Next question we also suggest answering yes to prevent a replay attack: - 'Do you want to disallow multiple uses of the same authentication -token? This restricts you to one login about every 30s, but it -increases your chances to notice or even prevent -man-in-the-middle attacks (y/n)' + `Do you want to disallow multiple uses of the same authentication +token? This restricts you to one login about every 30s, but it +increases your chances to notice or even prevent +man-in-the-middle attacks (y/n)` -For security reasons we strongly suggest answering 'no'(n) to this next question: +For security reasons we strongly suggest answering 'no'(n) to this next question: - 'By default, tokens are good for 30 seconds and in order to -compensate for possible time-skew between the client and the server, -we allow an extra token before and after the current time. If you -experience problems with poor time synchronization, you can increase -the window from its default size of 1:30min to about 4min. -Do you want to do so (y/n)' + `By default, tokens are good for 30 seconds and in order to +compensate for possible time-skew between the client and the server, +we allow an extra token before and after the current time. If you +experience problems with poor time synchronization, you can increase +the window from its default size of 1:30min to about 4min. +Do you want to do so (y/n)` -On the next question we suggest answering 'yes'(y) since rate-limiting means that a remote attacker can only attempt -a certain number of guesses before being blocked. +On the next question we suggest answering 'yes'(y) since rate-limiting +means that a remote attacker can only attempt a certain number of guesses before being blocked. - 'If the computer that you are logging into isn't hardened against -brute-force login attempts, you can enable rate-limiting for the -authentication module. By default, this limits attackers to no more -than 3 login attempts every 30s. -Do you want to enable rate-limiting (y/n)' + `If the computer that you are logging into isn't hardened against +brute-force login attempts, you can enable rate-limiting for the +authentication module. By default, this limits attackers to no more +than 3 login attempts every 30s. -Now your configured. Your next login you can login without an SSH key. Make sure you know your account password -because login using google-authenticator will still require your password before letting you in. +`Do you want to enable rate-limiting (y/n)` + +Now your configured. Your next login you can login without an SSH key. Make sure you know your account password +because login using google-authenticator will still require your password before letting you in.