# Install google-authenticator-libpam with Homebrew, zypper, apk, apt, dnf, Nix

PAM module for two-factor authentication. Version 1.11 via Homebrew; verified from local package data.

## Install

```sh
sudo av install brew:google-authenticator-libpam
```

Additional install commands:

### macOS

- Homebrew (100%):

```sh
brew install google-authenticator-libpam
```

  Evidence: local Homebrew formula metadata

### Linux

- zypper (92%):

```sh
sudo zypper install google-authenticator-libpam
```

  Evidence: openSUSE Tumbleweed package metadata: google-authenticator-libpam from https://download.opensuse.org/tumbleweed/repo/oss/repodata/be8d3611d25469107f32075a1697e69ec57a2b850b42348a658cc671ad5ec2b50760d02c3e59524d50da9a11d5be799bdaffba2e166e8ca8858512e3c0bd665d-primary.xml.zst

- apk (92%):

```sh
sudo apk add google-authenticator
```

  Evidence: Alpine Linux edge package indexes: google-authenticator from https://dl-cdn.alpinelinux.org/alpine/edge/community/x86_64/APKINDEX.tar.gz

- Debian apt (92%):

```sh
sudo apt install libpam-google-authenticator
```

  Evidence: Debian stable package indexes: libpam-google-authenticator from https://deb.debian.org/debian/dists/stable/main/binary-amd64/Packages.xz

- dnf (92%):

```sh
sudo dnf install google-authenticator
```

  Evidence: Fedora Rawhide package metadata: google-authenticator from https://dl.fedoraproject.org/pub/fedora/linux/development/rawhide/Everything/x86_64/os/repodata/e5ca8ce900cd68f5419e1c39ae517343100b306336cbaeb70a3c153121d95094-primary.xml.zst

- Nix (92%):

```sh
nix profile install nixpkgs#google-authenticator
```

  Evidence: nixpkgs package indexes: pkgs/by-name/go/google-authenticator/package.nix from https://api.github.com/repos/NixOS/nixpkgs/git/trees/master?recursive=1

## Package facts

- **Package key:** brew:google-authenticator-libpam
- **Package manager:** Homebrew
- **Package manager page:** <https://formulae.brew.sh/formula/google-authenticator-libpam>
- **Version:** 1.11
- **Source summary:** PAM module for two-factor authentication
- **Homepage:** <https://github.com/google/google-authenticator-libpam>
- **Repository:** <https://github.com/google/google-authenticator-libpam>
- **Upstream docs:** <https://github.com/google/google-authenticator-libpam#readme>
- **License:** Apache-2.0
- **Source archive:** <https://github.com/google/google-authenticator-libpam/archive/refs/tags/1.11.tar.gz>
- **Generated:** 2026-07-08T07:18:31+00:00

## Executables

- google-authenticator (cli)
- google-authenticator (alias)

## Dependencies

- qrencode

## Build dependencies

- autoconf
- automake
- libtool

## Install behavior

- Post-install hook: not defined
- Caveats: Add 2-factor authentication for ssh: echo "auth required $HOMEBREW_PREFIX/opt/google-authenticator-libpam/lib/security/pam_google_authenticator.so" \ | sudo tee -a /etc/pam.d/sshd Add 2-factor authentication for ssh allowing users to log in without OTP: echo "auth required $HOMEBREW_PREFIX/opt/google-authenticator-libpam/lib/security/pam_google_authenticator.so" \ "nullok" | sudo tee -a /etc/pam.d/sshd (Or just manually edit /etc/pam.d/sshd)
- Bottle: available on arm64_linux, arm64_sequoia, arm64_sonoma, arm64_tahoe, arm64_ventura, sonoma, ventura, x86_64_linux

## Freshness

- Page generated: 2026-07-08
- Package-manager version: 1.11
- Local data: ok
- Upstream repository: https://github.com/google/google-authenticator-libpam
- Upstream latest detected: 1.11 (current)
- info: No package-manager update timestamp was available.
## Project history and usage

google-authenticator-libpam is Google's PAM module and setup utility for adding HOTP or TOTP second-factor authentication to Unix login flows such as SSH and OpenVPN. Its package significance is unusually high for a small C/PAM project because it bridges standard one-time-password algorithms, the Google Authenticator app ecosystem, and distribution-level authentication stacks.

### Project history

The project implements a PAM module named pam_google_authenticator and a google-authenticator setup binary. The README describes it as an example PAM module for two-factor authentication to servers via SSH, OpenVPN, and similar services, and explicitly scopes it away from logging into Google or other TOTP/HOTP services.

The implementation is grounded in the HOTP and TOTP standards. RFC 4226 defined HMAC-based one-time passwords in 2005, and RFC 6238 extended HOTP with a time-based moving factor in 2011. The project's README cites both standards as the algorithms behind its one-time codes.

The GitHub repository was created in November 2016 under Google's organization, and Git tags show 1.03 through 1.11 release labels. The man page documents the PAM module interface, default secret-file behavior, security notes, and deployment options.

### Adoption history

The package is widely packaged under names such as google-authenticator-libpam, google-authenticator, and libpam-google-authenticator. The batch metadata records Homebrew, Alpine, Debian, Fedora, Nix, Ubuntu, and openSUSE-family package names, and Homebrew's formula page documents SSH PAM configuration snippets.

Its adoption comes from fitting an existing Unix security boundary: administrators can add an auth required pam_google_authenticator.so line to PAM configuration and let users enroll per-account secrets, rather than deploying a separate authentication server.

Because PAM is distribution- and service-sensitive, the project also exposes rollout controls such as nullok for users without a secret file, secret= for nonstandard secret locations, user= for alternate file access, owner and permission checks, time-skew handling, HOTP counter behavior, and combined password-code prompting.

### How it is used

A user typically runs google-authenticator to create ~/.google_authenticator. The setup can display a QR code when libqrencode is available, or provide a URL or alphanumeric secret that can be entered into an authenticator app.

An administrator enables the PAM module in a service configuration, commonly with an auth line for pam_google_authenticator.so. The module then prompts for a one-time code in addition to the normal password, using either time-based TOTP or counter-based HOTP depending on user setup and options.

The man page emphasizes that the secret file is per account, defaults to .google_authenticator in the user's home directory, and must satisfy ownership and permission checks unless explicitly relaxed.

### Why package nerds care

For package nerds, google-authenticator-libpam is a classic example of a small library package with outsized operational consequences. Packaging has to put a PAM shared object in the right security module path, install a user enrollment binary, and often provide service-specific post-install guidance.

It is also a good reminder that authentication packages are not just CLIs. Their paths, file permissions, PAM control flags, and distro integration details can determine whether users are protected, locked out, or silently bypassing a second factor.

### Timeline

- 2005: RFC 4226 publishes HOTP.
- 2011: RFC 6238 publishes TOTP as a time-based extension of HOTP.
- 2016-11: Google GitHub repository created.
- 2016-2026: Git tags show 1.03 through 1.11 release labels.
- 2026: README and man page document PAM setup, ~/.google_authenticator secrets, HOTP/TOTP behavior, and security-sensitive module options.

### Related projects

- Google Authenticator mobile apps generate compatible one-time codes for enrolled secrets.
- Linux-PAM and service PAM configurations such as sshd and OpenVPN are the integration surfaces for the module.
- pam_oath, FreeOTP, oathtool, and other OATH-compatible tooling occupy adjacent HOTP/TOTP authentication space.

### Sources

- <https://api.github.com/repos/google/google-authenticator-libpam>
- <https://formulae.brew.sh/formula/google-authenticator-libpam>
- <https://github.com/google/google-authenticator-libpam>
- <https://raw.githubusercontent.com/google/google-authenticator-libpam/master/README.md>
- <https://raw.githubusercontent.com/google/google-authenticator-libpam/master/man/pam_google_authenticator.8.md>
- <https://sources.debian.org/src/google-authenticator/>
- <https://www.rfc-editor.org/rfc/rfc4226>
- <https://www.rfc-editor.org/rfc/rfc6238>


## Security Notes

narrow executable package without higher-risk signals.

- **Geiger risk:** green / low
- narrow executable package without higher-risk signals


## Configuration and credential file locations

These source-backed paths show where this package keeps local settings or durable credentials. Automic Vault can use them as review targets for secret scanning, migration, and command approval.


## Credential files

- Unix: ~/.google_authenticator
## Source Database Details

- **Source Database:** Homebrew formula API
- **Tap:** homebrew/core
- **Full Name:** google-authenticator-libpam
- **Version Scheme:** 0
- **Revision:** 0
- **Bottle Stable Root URL:** <https://ghcr.io/v2/homebrew/core>
- **Deprecated:** no
- **Disabled:** no
- **Keg Only:** no
- **URL Keys:** stable

## Other Package-Manager Records

- zypper - google-authenticator-libpam - 1.10-3.3: normalized package name match | openSUSE Tumbleweed package metadata: google-authenticator-libpam from https://download.opensuse.org/tumbleweed/repo/oss/repodata/be8d3611d25469107f32075a1697e69ec57a2b850b42348a658cc671ad5ec2b50760d02c3e59524d50da9a11d5be799bdaffba2e166e8ca8858512e3c0bd665d-primary.xml.zst | Google Authenticator PAM module | https://github.com/google/google-authenticator-libpam
- Debian apt - libpam-google-authenticator - 20191231-2.1: installed executable or alias match | Debian stable package indexes: libpam-google-authenticator from https://deb.debian.org/debian/dists/stable/main/binary-amd64/Packages.xz | Two-step verification | https://github.com/google/google-authenticator-libpam
- Nix - google-authenticator: installed executable or alias match | nixpkgs package indexes: pkgs/by-name/go/google-authenticator/package.nix from https://api.github.com/repos/NixOS/nixpkgs/git/trees/master?recursive=1
- Ubuntu apt - libpam-google-authenticator - 20191231-2build1: installed executable or alias match | Ubuntu 24.04 LTS package indexes: libpam-google-authenticator from https://archive.ubuntu.com/ubuntu/dists/noble/universe/binary-amd64/Packages.gz | Two-step verification | https://github.com/google/google-authenticator/
- apk - google-authenticator - 1.11-r0: installed executable or alias match | Alpine Linux edge package indexes: google-authenticator from https://dl-cdn.alpinelinux.org/alpine/edge/community/x86_64/APKINDEX.tar.gz | Google Authenticator PAM module | https://github.com/google/google-authenticator-libpam
- apk - google-authenticator-doc - 1.11-r0: installed executable or alias match | Alpine Linux edge package indexes: google-authenticator-doc from https://dl-cdn.alpinelinux.org/alpine/edge/community/x86_64/APKINDEX.tar.gz | Google Authenticator PAM module (documentation) | https://github.com/google/google-authenticator-libpam
- dnf - google-authenticator - 1.11-4.fc44: installed executable or alias match | Fedora Rawhide package metadata: google-authenticator from https://dl.fedoraproject.org/pub/fedora/linux/development/rawhide/Everything/x86_64/os/repodata/e5ca8ce900cd68f5419e1c39ae517343100b306336cbaeb70a3c153121d95094-primary.xml.zst | One-time pass-code support using open standards | https://github.com/google/google-authenticator-libpam/


## Related links

- [Source-control packages](https://www.automicvault.com/pkg/source-control-tools/) - Belongs to a source-control command family.
- [Terminal utility packages](https://www.automicvault.com/pkg/terminal-utilities/) - Matched terminal and command-line workflow metadata.
- [Networking and protocol packages](https://www.automicvault.com/pkg/networking-protocol-tools/) - Matched network, protocol, or remote-service metadata.
- [Security and crypto packages](https://www.automicvault.com/pkg/security-crypto-tools/) - Matched security, identity, cryptography, password, signing, or certificate metadata.
- [qrencode](https://www.automicvault.com/pkg/brew/qrencode/) - Runtime dependency declared by Homebrew.
- [autoconf](https://www.automicvault.com/pkg/brew/autoconf/) - Build dependency declared by Homebrew.
- [automake](https://www.automicvault.com/pkg/brew/automake/) - Build dependency declared by Homebrew.
- [libtool](https://www.automicvault.com/pkg/brew/libtool/) - Build dependency declared by Homebrew.
- [oath-toolkit](https://www.automicvault.com/pkg/brew/oath-toolkit/) - Shares av.db curated category or tags: authentication, cli, pam, security, totp.
- [duo_unix](https://www.automicvault.com/pkg/brew/duo-unix/) - Shares av.db curated category or tags: authentication, cli, pam, security, two-factor-authentication.
- [linux-pam](https://www.automicvault.com/pkg/brew/linux-pam/) - Shares av.db curated category or tags: authentication, cli, pam, security.
- [rsc_2fa](https://www.automicvault.com/pkg/brew/rsc-2fa/) - Shares av.db curated category or tags: authentication, cli, security, totp, two-factor-authentication.
- [cotp](https://www.automicvault.com/pkg/brew/cotp/) - Shares av.db curated category or tags: authentication, cli, security, totp, two-factor-authentication.
- [cyrus-sasl](https://www.automicvault.com/pkg/brew/cyrus-sasl/) - Shares av.db curated category or tags: authentication, cli, security.
- [gauth](https://www.automicvault.com/pkg/brew/gauth/) - Shares av.db curated category or tags: authentication, cli, security, totp, two-factor-authentication.
- [krb5](https://www.automicvault.com/pkg/brew/krb5/) - Shares av.db curated category or tags: authentication, cli, security.
- [steamguard-cli](https://www.automicvault.com/pkg/brew/steamguard-cli/) - Security-sensitive metadata or terminology overlaps. Shared terms: authentication, cli, factor, security, totp.

## Combined YAML source

View the package source record on GitHub. [combined/google-authenticator-libpam.yml](https://github.com/automic-vault/db/blob/main/combined/google-authenticator-libpam.yml)


## Sources

- Nucleus package database
- Geiger risk classifier
- package-page enrichment
- curated configuration and credential file locations
- curated package history
- package version freshness
- av.db category and tag curation
- package relationship graph
- external package-manager database matches
- cross-ecosystem install command graph
