sudo vim /etc/pam.d/gdm-password

@include common-password
auth required pam_google_authenticator.so nullok

nullok: allows users to log in without OTP if they haven't set up OTP yet (source: google-authenticator-libpam).


1/3 2FA with Google Authenticator

add your SSH keys to the host

creating ed25519 SSH keys

configure sshd

sudo vim /etc/pam.d/sshd

auth required pam_google_authenticator.so
# @include common-auth

sudo vim /etc/ssh/sshd_config

PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication yes
UsePAM yes
Match User USERNAME
    AuthenticationMethods publickey,keyboard-interactive


restart sshd service

sudo systemctl restart sshd.service
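
A check to run over the two files edited above before you close your existing session. This is an added example, not part of the original notes: parse_sshd and audit are hypothetical helpers, the sample file contents are constructed from the settings on this page, and the lookup assumes a literal "Match User <name>" block with no Include files.

```python
# Constructed samples mirroring this page's settings (not read from a real host).
SSHD_CONFIG = """\
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication yes
UsePAM yes
Match User USERNAME
    AuthenticationMethods publickey,keyboard-interactive
"""
PAM_SSHD = """\
auth required pam_google_authenticator.so
# @include common-auth
"""

def parse_sshd(text):
    """Split sshd_config text into global options and per-Match-block options."""
    glob, matches = {}, {}
    cur = glob
    for line in map(str.strip, text.splitlines()):
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key, val = parts[0].lower(), (parts[1] if len(parts) > 1 else "")
        if key == "match":
            cur = matches.setdefault(val, {})
        else:
            cur.setdefault(key, val)  # sshd keeps the first value it sees
    return glob, matches

def audit(sshd_text, pam_text, user):
    """Return findings; an empty list means key + OTP is enforced for `user`."""
    glob, matches = parse_sshd(sshd_text)
    eff = {**glob, **matches.get(f"User {user}", {})}  # Match block overrides globals
    kbd = eff.get("kbdinteractiveauthentication", eff.get("challengeresponseauthentication", ""))
    checks = [
        (eff.get("passwordauthentication", "yes") == "no", "PasswordAuthentication is not 'no'"),
        (kbd == "yes", "keyboard-interactive authentication is not enabled"),
        (eff.get("usepam", "no") == "yes", "UsePAM is not 'yes'"),
        (eff.get("authenticationmethods") == "publickey,keyboard-interactive",
         "AuthenticationMethods does not require publickey AND keyboard-interactive"),
    ]
    active = [l.split() for l in pam_text.splitlines() if l.strip() and not l.lstrip().startswith("#")]
    otp = [l for l in active if l[0] == "auth" and "pam_google_authenticator.so" in l]
    checks += [
        (bool(otp), "no active pam_google_authenticator.so auth line"),
        (not any("nullok" in l for l in otp), "nullok set: users without an OTP secret skip the second factor"),
        (["@include", "common-auth"] not in active, "common-auth still included: password is also asked via PAM"),
    ]
    return [msg for ok, msg in checks if not ok]
```

Keep one authenticated SSH session open while testing a fresh login, so a failed check does not lock you out.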


SSH key creation

$ ssh-keygen -t ed25519

Generating public/private ed25519 key pair.
Enter file in which to save the key (/home/USERNAME/.ssh/id_ed25519):

enter a passphrase

Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/USERNAME/.ssh/id_ed25519_test.
Your public key has been saved in /home/USERNAME/.ssh/id_ed25519_test.pub.
The key fingerprint is:
The key's randomart image is:
+--[ED25519 256]--+

copy SSH key to remotehost

ssh-copy-id username@remotehost

or manually copy .ssh/id_ed25519.pub into .ssh/authorized_keys on your remotehost


Install libpam-google-authenticator

sudo apt-get install libpam-google-authenticator

Configure google-authenticator for your User

USERNAME@HOSTNAME:~$ google-authenticator

Do you want authentication tokens to be time-based (y/n) y
Warning: pasting the following URL into your browser exposes the OTP secret to Google:

Your new secret key is: YOUR-SECRET-KEY
Your verification code is VERIFICATION-CODE
Your emergency scratch codes are:

Do you want me to update your "/home/USERNAME/.google_authenticator" file? (y/n) y

Do you want to disallow multiple uses of the same authentication
token? This restricts you to one login about every 30s, but it increases
your chances to notice or even prevent man-in-the-middle attacks (y/n) y

By default, a new token is generated every 30 seconds by the mobile app.
In order to compensate for possible time-skew between the client and the server,
we allow an extra token before and after the current time. This allows for a
time skew of up to 30 seconds between authentication server and client. If you
experience problems with poor time synchronization, you can increase the window
from its default size of 3 permitted codes (one previous code, the current
code, the next code) to 17 permitted codes (the 8 previous codes, the current
code, and the 8 next codes). This will permit for a time skew of up to 4 minutes
between client and server.
Do you want to do so? (y/n) y

If the computer that you are logging into isn't hardened against brute-force
login attempts, you can enable rate-limiting for the authentication module.
By default, this limits attackers to no more than 3 login attempts every 30s.
Do you want to enable rate-limiting? (y/n) y

Scan the QR code with your preferred authenticator app
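
What the window and reuse prompts above mean in practice, as an added example that is not part of the original notes and not the PAM module's own code. It is a model of RFC 6238 verification; the function names are hypothetical, and the secret is the public RFC 6238 test key, not a real one.

```python
import base64, hashlib, hmac, struct

STEP = 30  # seconds per code ("a new token is generated every 30 seconds")
SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"  # RFC 6238 test key, not a real secret

def totp(secret_b32, unix_time, digits=6):
    """RFC 6238 TOTP with HMAC-SHA1 for the 30 s step containing unix_time."""
    key = base64.b32decode(secret_b32, casefold=True)
    counter = struct.pack(">Q", int(unix_time) // STEP)
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    off = mac[-1] & 0x0F                       # dynamic truncation (RFC 4226)
    num = struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF
    return str(num % 10 ** digits).zfill(digits)

def verify(secret_b32, code, server_time, window=3, used=None):
    """Accept code if it matches one of `window` consecutive steps centred on now.

    window=3  -> previous, current, next code (default in the prompt above)
    window=17 -> 8 previous, current, 8 next
    used: optional set of step counters already accepted; models the
          "disallow multiple uses" answer by rejecting a replayed code.
    """
    half = (window - 1) // 2
    now = int(server_time) // STEP
    for step in range(now - half, now + half + 1):
        if hmac.compare_digest(totp(secret_b32, step * STEP), code):
            if used is not None:
                if step in used:
                    return False
                used.add(step)
            return True
    return False

def max_skew_seconds(window):
    """Largest clock difference that is always tolerated for a given window."""
    return (window - 1) // 2 * STEP
```

Answering y to the larger window means 17 codes are valid at any moment instead of 3, so fix clock synchronization first and widen the window only if that is not possible.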


!! Create a snapshot or a full-backup before you start !!

!! any mistake will destroy your system !!

1. Resize the virtual HD to the new size

2. Start fdisk

# fdisk /dev/sda

Welcome to fdisk (util-linux 2.27.1).
Changes will remain in memory only, until you decide to write them.
Be careful before using the write command.

3. Show Partitions

Command (m for help): p
Disk /dev/sda: 40 GiB, 42949672960 bytes, 83886080 sectors
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disklabel type: dos
Disk identifier: 0xa8cb592

Device     Boot  Start      End  Sectors  Size Id Type
/dev/sda1  *      2048   999423   997376  487M 83 Linux
/dev/sda2       999424 41940991 40941568 19.5G 8e Linux LVM

Remember the partition start: 999424

4. Delete the old partition

Command (m for help): d
Partition number (1,2, default 2): 2

Partition 2 has been deleted.

5. Recreate partition

The new partition must start at the same sector where the old started. In this case at 999424

Command (m for help): n
Partition type
   p   primary (1 primary, 0 extended, 3 free)
   e   extended (container for logical partitions)
Select (default p): p
Partition number (2-4, default 2): 2
First sector (999424-83886079, default 999424):
Last sector, +sectors or +size{K,M,G,T,P} (999424-83886079, default 83886079):

Created a new partition 2 of type 'Linux' and of size 39.5 GiB.

6. Set Partition type

Command (m for help): t
Partition number (1,2, default 2):
Partition type (type L to list all types): 8e

Changed type of partition 'Linux' to 'Linux LVM'.

7. Check created Partition

Command (m for help): p
Disk /dev/sda: 40 GiB, 42949672960 bytes, 83886080 sectors
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disklabel type: dos
Disk identifier: 0xa8cb592e

Device     Boot  Start      End  Sectors  Size Id Type
/dev/sda1  *      2048   999423   997376  487M 83 Linux
/dev/sda2       999424 83886079 82886656 39.5G 8e Linux LVM

8. Write new partition to disk

Command (m for help): w
The partition table has been altered.
Calling ioctl() to re-read partition table.
Re-reading the partition table failed.: Device or resource busy

The kernel still uses the old table. The new table will be used at the next reboot or after you run partprobe(8) or kpartx(8).

9. Inform the OS of partition table changes

# partprobe

10. Resize the physical volume

# pvresize /dev/sda2
Physical volume "/dev/sda2" changed
1 physical volume(s) resized / 0 physical volume(s) not resized

11. Check LVM Volume group

# vgdisplay
  --- Volume group ---
  VG Name               sysvg
  System ID
  Format                lvm2
  Metadata Areas        1
  Metadata Sequence No  10
  VG Access             read/write
  VG Status             resizable
  Cur LV                5
  Open LV               5
  Max PV                0
  Cur PV                1
  Act PV                1
  VG Size               39.52 GiB
  PE Size               4.00 MiB
  Total PE              10117
  Alloc PE / Size       4755 / 18.57 GiB
  Free  PE / Size       5362 / 20.95 GiB
  VG UUID               6LlZ7P-M6by-7ISL-C9CP-iNFH-fo16-gBsclg