Google-authenticator
We can use google-authenticator to set up two-factor authentication on Linux systems. To set up authentication follow these steps:
- Download the latest version using 'git clone https://code.google.com/p/google-authenticator' or from http://code.google.com/p/google-authenticator/downloads/list
- Compile using 'make' and install using 'make install'
- Additionally copy file pam_google_authenticator.so to /lib/security using 'cp pam_google_authenticator.so /lib/security'
- Add line 'auth required pam_google_authenticator.so' at the top of file '/etc/pam.d/sshd'
- Install qrencode using 'yum -y install qrencode'
- Run 'google-authenticator' as the user for whom you want to set up two-factor authentication and scan the QR code using the Google Authenticator Android app. The Android app can be installed from https://play.google.com/store/apps/details?id=com.google.android.apps.authenticator2
- Ensure that SELinux is either disabled or that proper labels are set on the pam module binaries that got installed.
- Edit '/etc/ssh/sshd_config' and set 'ChallengeResponseAuthentication yes'
- Restart sshd service
- Save the generated "One time passwords" at a secure location
- Test by using ssh to connect to the given account on the given machine
Disable google-authenticator for trusted machines
To disable google-authenticator for trusted machines use:
- Edit '/etc/pam.d/sshd' such that it has the following starting lines:
  - 'auth [success=1 default=ignore] pam_access.so accessfile=/etc/security/access-local.conf'
  - 'auth required pam_google_authenticator.so'
- Now create file '/etc/security/access-local.conf' with contents similar to
  - '+ : ALL : 10.0.0.0/24'
  - '+ : ALL : LOCAL'
  - '- : ALL : ALL'
- Then use 'service sshd restart'
- Then try to ssh from a trusted machine to verify that the password is still being prompted (unless key-based authentication is used) but the google authenticator verification code is not prompted.
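The effect of the two PAM lines and the access file above, as an added example that is not part of the original notes: a simplified Python model of which auth modules a login passes through depending on its source address. The third PAM line, the function names and the treatment of LOCAL as "no remote host" are assumptions made for the example.

```python
import ipaddress
import re

# Constructed sample: the first two PAM lines and the access rules are from the
# page; the third PAM line is an assumed stand-in for the password step.
PAM_SSHD = """\
auth [success=1 default=ignore] pam_access.so accessfile=/etc/security/access-local.conf
auth required pam_google_authenticator.so
auth include password-auth
"""
ACCESS_LOCAL = """\
+ : ALL : 10.0.0.0/24
+ : ALL : LOCAL
- : ALL : ALL
"""
AUTH_LINE = re.compile(r"^auth\s+(\[[^\]]*\]|\S+)\s+(\S+)")

def access_granted(access_text, rhost):
    """Simplified pam_access model: first matching rule decides. Assumes user field
    ALL, origins ALL/LOCAL/CIDR, rhost an IP string, LOCAL = no remote host (None)."""
    for raw in access_text.splitlines():
        rule = raw.split("#", 1)[0].strip()
        if not rule:
            continue
        perm, _users, origins = (f.strip() for f in rule.split(":", 2))
        for origin in origins.split():
            if origin == "ALL":
                hit = True
            elif origin == "LOCAL":
                hit = rhost is None
            else:
                net = ipaddress.ip_network(origin, strict=False)
                hit = rhost is not None and ipaddress.ip_address(rhost) in net
            if hit:
                return perm == "+"
    raise ValueError("no rule matched; this model expects a catch-all rule")

def auth_modules_run(pam_text, access_text, rhost):
    """List the auth modules a login from rhost passes through, honouring success=N."""
    entries = [m.groups() for m in map(AUTH_LINE.match, pam_text.splitlines()) if m]
    ran, i = [], 0
    while i < len(entries):
        control, module = entries[i]
        ran.append(module)
        jump = re.search(r"success=(\d+)", control)
        if module == "pam_access.so" and jump and access_granted(access_text, rhost):
            i += int(jump.group(1))  # success=N jumps over the next N modules
        i += 1
    return ran
```

Calling auth_modules_run with a stack in which another auth line sits between the pam_access.so and pam_google_authenticator.so lines shows that success=1 then skips that line instead of the verification code prompt, so the two lines must stay adjacent and in this order.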