Why You Should Never Install The Google Authenticator PAM Apt Package on Ubuntu
There are three major reasons why I would completely avoid installing the PAM Google Authenticator Module from the Apt Ubuntu command which I detail here:
Reason #1: Google Authenticator PAM was last updated on July 2017 on the Ubuntu Repostiory (Reminder: It’s 2021)
You can check the package compilation date using the command
apt-cache policy libpam-google-authenticator command on Ubuntu:
apt-cache policy libpam-google-authenticatorlibpam-google-authenticator:
500 http://archive.ubuntu.com/ubuntu bionic/universe amd64 Packages
Surprisingly the last update was on 02-JUL-2017 for the apt package while the Github project was last updated on Dec 23rd, 2020. That’s three whole years of lost updates!
Reason #2: Google Auth PAM Package Is Not Security Reviewed By The Ubuntu Team
The Google Authenticator PAM module package is being published on Ubuntu through the bionic/universe repository, which according to Ubuntu’s
/etc/apt/sources.list file has the following comment attached to it:
bionic/universe repository on Ubuntu is marked with a disclaimer above. Notice the line which says
Also, please note that software in universe WILL NOT receive any review or updates from the Ubuntu security team.
This means what it says, and says what it reads; there are no security reviews or updates from the Ubuntu Security team for any package served through the bionic/universe repository. Now if that doesn’t raise an eye brow for you, what does?
Reason #3: The Ubuntu Package Does Not Support the grace_period Feature
grace_period security configuration the Google Authenticator becomes hardly usable. Since this feature allows users a grace period of 24 hours by default to not have to re-authenticate on each usage. Without it, the module becomes very intimidating to use since you’ll have to re-authenticate using the app every time you login.
I hope enough reasons have been given to convince you to fully ditch the Apt Package version of this useful PAM Google Authenticator module and to go for the better alternative which is pulling the source code from GitHub to compile it from scratch.
I have detailed How to Compile Google Authenticator in my next part instead.