Google-authenticator

From Notes_Wiki
Revision as of 04:19, 13 November 2012 by Saurabh

google authenticator

We can use google-authenticator to set up two-factor authentication on Linux systems. To set up authentication, follow these steps:

  1. Download the latest version using 'git clone https://code.google.com/p/google-authenticator' or from http://code.google.com/p/google-authenticator/downloads/list
  2. Compile using 'make' and install using 'make install'
  3. Additionally, copy the file pam_google_authenticator.so to /lib/security using 'cp pam_google_authenticator.so /lib/security'
  4. Add the line 'auth required pam_google_authenticator.so' at the top of the file '/etc/pam.d/sshd'
  5. Install qrencode using 'yum -y install qrencode'
  6. Type 'google-authenticator' as the user for whom you want to set up two-factor authentication and scan the QR code using the Google Authenticator Android app. The Android app can be installed from https://play.google.com/store/apps/details?id=com.google.android.apps.authenticator2
  7. Ensure that SELinux is either disabled or that proper labels are set on the PAM module binaries that were installed.
  8. Edit '/etc/ssh/sshd_config' and set 'ChallengeResponseAuthentication yes'
  9. Restart the sshd service
  10. Save the generated "One time passwords" at a secure location
  11. Test by using ssh to the given account on the given machine


Disable google-authenticator for trusted machines

To disable google-authenticator for trusted machines use:

  1. Edit '/etc/pam.d/sshd' so that it starts with the following lines:
    auth [success=1 default=ignore] pam_access.so accessfile=/etc/security/access-local.conf
    auth required pam_google_authenticator.so
  2. Now create the file '/etc/security/access-local.conf' with contents similar to
    + : ALL : 10.0.0.0/24
    + : ALL : LOCAL
    - : ALL : ALL
  3. Then use 'service sshd restart'
  4. Then try to ssh from a trusted machine to verify that the password is still being prompted (unless key-based authentication is used) but the google authenticator verification code is not prompted.
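
A check for both configurations above (the basic setup and the trusted-machines variant), as an added example that is not part of the original page. It verifies that 'ChallengeResponseAuthentication yes' is set and that the pam_access line with success=1 sits directly above pam_google_authenticator.so, because success=1 skips exactly one module. The helper names check_2fa and write_samples are hypothetical, and the sample files, including the 'auth include password-auth' line, are constructed.

```sh
#!/bin/sh
# Added example, not from the original page. check_2fa and write_samples are
# hypothetical helper names. Usage: check_2fa PAM_FILE SSHD_CONFIG
check_2fa() {
    pam=$1; sshd=$2; rc=0
    # Number the active auth lines in stack order (comment lines are skipped).
    auth=$(awk '$1 == "auth" { n++; print n ":" $0 }' "$pam")
    ga=$(printf '%s\n' "$auth" | awk -F: '/pam_google_authenticator\.so/ { print $1; exit }')
    acc=$(printf '%s\n' "$auth" | awk -F: '/success=1/ && /pam_access\.so/ { print $1; exit }')
    if [ -z "$ga" ]; then
        echo "FAIL: no auth line for pam_google_authenticator.so in $pam"; rc=1
    elif [ -n "$acc" ] && [ "$((acc + 1))" -ne "$ga" ]; then
        # success=1 skips exactly one module: the one on the next auth line.
        echo "FAIL: pam_access line is not directly above pam_google_authenticator.so"; rc=1
    elif [ -z "$acc" ] && [ "$ga" -ne 1 ]; then
        echo "FAIL: pam_google_authenticator.so is not the first auth line"; rc=1
    fi
    if ! grep -Eiq '^[[:space:]]*ChallengeResponseAuthentication[[:space:]]+yes([[:space:]]|$)' "$sshd"; then
        echo "FAIL: 'ChallengeResponseAuthentication yes' is not set in $sshd"; rc=1
    fi
    if [ "$rc" -eq 0 ]; then echo "OK: $pam and $sshd are consistent"; fi
    return "$rc"
}

# Constructed sample files (not copies of real system files) for a dry run.
write_samples() {
    skip='auth [success=1 default=ignore] pam_access.so accessfile=/etc/security/access-local.conf'
    printf '%s\n' '#%PAM-1.0' "$skip" 'auth required pam_google_authenticator.so' \
        'auth include password-auth' > "$1/pam_good"
    # Misordered: the skip no longer targets the OTP module.
    printf '%s\n' '#%PAM-1.0' "$skip" 'auth include password-auth' \
        'auth required pam_google_authenticator.so' > "$1/pam_bad"
    printf '%s\n' 'ChallengeResponseAuthentication yes' > "$1/sshd_config"
}

d=$(mktemp -d)
write_samples "$d"
check_2fa "$d/pam_good" "$d/sshd_config" || true
check_2fa "$d/pam_bad" "$d/sshd_config" || true
rm -rf "$d"
```

On a configured host the same function can be pointed at the real files: check_2fa /etc/pam.d/sshd /etc/ssh/sshd_config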