Google Authenticator for CentOS / Redhat/ Fedora
=====================================
First, I would recommend installing NTP (Network Time Protocol) so that the server's clock stays synchronized: Google Authenticator uses time-based codes, which will fail if the server's time is wrong. Check whether NTP is already running:
root# pgrep ntpd
If it is not installed, install and configure NTP:
root# yum install ntp
root# chkconfig ntpd on
root# ntpdate bd.pool.ntp.org
root# service ntpd start
*** Install prerequisites:
root# yum install make gcc pam-devel
*** Install from the Yum repository (only an old version of libpam-google-authenticator is available in the EPEL package repository):
root# yum install google-authenticator
*** Installing the EPEL repo (for CentOS 6):
# cd /tmp
# wget http://dl.fedoraproject.org/pub/epel/6/x86_64/epel-release-6-8.noarch.rpm
# wget http://rpms.famillecollet.com/enterprise/remi-release-6.rpm
# rpm -Uvh remi-release-6*.rpm epel-release-6*.rpm
root# yum --enablerepo=epel install google-authenticator
-----------------------------------------------------------
OR... download and install libpam-google-authenticator from source:
root# cd /tmp
# wget http://google-authenticator.googlecode.com/files/libpam-google-authenticator-1.0-source.tar.bz2
# bunzip2 libpam-google-authenticator-1.0-source.tar.bz2
# tar xf libpam-google-authenticator-1.0-source.tar
# cd libpam-google-authenticator-1.0
# make
# make install
-----------------------------------------------------------
*** Switch to the user you want to set up Google 2-step verification for:
[root@webmin1 ~]# su tayab
[tayab@webmin1 root]$ google-authenticator
https://www.google.com/chart?chs=200x200&chld=M|0&cht=qr&chl=otpauth://totp/tayab@webmin1.daffodilnet.com%3Fsecret%3DF6T7HZLEGMQBHSB2
Your new secret key is: F6T7HZLEGMQBHSB2
Your verification code is 183935
Your emergency scratch codes are:
87599562
70390819
80236452
71969046
12284653
Do you want me to update your "~/.google_authenticator" file (y/n) y
Do you want to disallow multiple uses of the same authentication
token? This restricts you to one login about every 30s, but it increases
your chances to notice or even prevent man-in-the-middle attacks (y/n) y
By default, tokens are good for 30 seconds and in order to compensate for
possible time-skew between the client and the server, we allow an extra
token before and after the current time. If you experience problems with poor
time synchronization, you can increase the window from its default
size of 1:30min to about 4min. Do you want to do so (y/n) y
If the computer that you are logging into isn't hardened against brute-force
login attempts, you can enable rate-limiting for the authentication module.
By default, this limits attackers to no more than 3 login attempts every 30s.
Do you want to enable rate-limiting (y/n) y
[tayab@webmin1 root]$
[tayab@webmin1 root]$ exit
*** Open the PAM file for sshd and add this line at the top of the file:
[root@webmin1 ~]# vi /etc/pam.d/sshd
# google authenticator
auth required pam_google_authenticator.so
*** In the sshd_config file, change ChallengeResponseAuthentication from 'no' to 'yes':
[root@webmin1 ~]# vi /etc/ssh/sshd_config
ChallengeResponseAuthentication yes
*** Restart SSH service
[root@webmin1 ~]# service sshd restart
Stopping sshd: [ OK ]
Starting sshd: [ OK ]
[root@webmin1 ~]#
*** Now log in via SSH: you have to enter the Google Authenticator code first and then your password to log in.
*** Copy your link and open it in any browser:
https://www.google.com/chart?chs=200x200&chld=M|0&cht=qr&chl=otpauth://totp/tayab@webmin1.daffodilnet.com%3Fsecret%3DF6T7HZLEGMQBHSB2
This will show a barcode (QR code).
*** On your Android phone, download these apps from Google Play:
1) Google Authenticator
2) Barcode Scanner
Open Barcode Scanner and scan the barcode shown in the browser.
This will give you a code.
Enter this code when you log in via SSH; SSH will then ask for the user's password.
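To make the setup dialogue above concrete (the 30-second time step, the skew window, "disallow multiple uses" and the 3-per-30s rate limit) and to show what the barcode link actually encodes, here is an added, self-contained Python model of the server-side check. It is not part of the post and not the libpam-google-authenticator project's code: `TotpVerifier`, its policy parameters and the reason strings are my own names, the RFC 4226/6238 test secret is a constructed input, and the chart URL is the one printed earlier in the post. The "about 4 min" option is assumed here to correspond to a skew of 8 steps either side of the current one.

```python
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import parse_qs, urlparse

TIME_STEP = 30   # seconds per token, as the setup dialogue says
DIGITS = 6

# Constructed inputs: the RFC 4226/6238 test secret (ASCII "12345678901234567890"
# in base32) and the chart URL printed by google-authenticator in the post.
RFC_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
CHART_URL = ("https://www.google.com/chart?chs=200x200&chld=M|0&cht=qr&chl="
             "otpauth://totp/tayab@webmin1.daffodilnet.com%3Fsecret%3DF6T7HZLEGMQBHSB2")


def decode_secret(base32_secret):
    """google-authenticator prints the secret as unpadded base32; restore padding."""
    s = base32_secret.strip().upper()
    return base64.b32decode(s + "=" * (-len(s) % 8))


def hotp(key, counter, digits=DIGITS):
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(base32_secret, at, step=TIME_STEP):
    """RFC 6238: HOTP with counter = floor(unix_time / step)."""
    return hotp(decode_secret(base32_secret), int(at) // step)


def secret_from_chart_url(url):
    """The QR image only wraps an otpauth:// URI whose query carries the same
    base32 secret that was printed in the terminal."""
    otpauth = parse_qs(urlparse(url).query)["chl"][0]   # parse_qs already unquotes %3F/%3D
    return parse_qs(urlparse(otpauth).query)["secret"][0]


class TotpVerifier:
    """Hypothetical server-side check modelling the three policy questions:
    skew         - extra steps accepted either side of now (1 = default 1:30 window;
                   the 'about 4 min' option is assumed here to be skew=8)
    replay guard - a counter value may succeed only once ('disallow multiple uses')
    rate limit   - at most max_attempts per rate_window seconds
    """

    def __init__(self, base32_secret, skew=1, max_attempts=3, rate_window=30):
        self.key = decode_secret(base32_secret)
        self.skew = skew
        self.max_attempts = max_attempts
        self.rate_window = rate_window
        self.used_counters = set()   # replay guard
        self.attempts = []           # timestamps of recent attempts

    def verify(self, code, now):
        """Return (accepted, reason) for a submitted code at unix time `now`."""
        self.attempts = [t for t in self.attempts if now - t < self.rate_window]
        if len(self.attempts) >= self.max_attempts:
            return False, "rate-limited"
        self.attempts.append(now)
        current = int(now) // TIME_STEP
        for counter in range(current - self.skew, current + self.skew + 1):
            if hmac.compare_digest(hotp(self.key, counter), code):
                if counter in self.used_counters:
                    return False, "replayed"
                self.used_counters.add(counter)
                return True, "ok"
        return False, "bad-code"


if __name__ == "__main__":
    secret = secret_from_chart_url(CHART_URL)
    print("secret inside the QR link:", secret)
    print("code valid right now      :", totp(secret, time.time()))
```

Run it and compare the printed code with the one on the phone; a mismatch of exactly one step either way is what the skew window absorbs, and a mismatch of several minutes is the NTP problem the post opens with. Because the link carries the secret in clear text, anyone who can read that URL can generate the same codes, which is why the post's `access-local.conf` and the scratch codes should be treated as sensitive too.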
** Skip Google Authenticator if logging in from the local network
You may trust the systems on your local network enough not to require that SSH connections from them use Google Authenticator. If so, modify /etc/pam.d/sshd so that it looks like this:
auth [success=1 default=ignore] pam_access.so accessfile=/etc/security/access-local.conf
auth required pam_google_authenticator.so
Then create the file /etc/security/access-local.conf with the contents:
# Google Authenticator can be skipped on local network
+ : ALL : 192.168.0.0/24
+ : ALL : LOCAL
- : ALL : ALL
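Before relying on this bypass it is worth checking exactly which client addresses will never see the code prompt. The following added Python example (mine, not the post's and not pam_access itself) models the two-line stack above: `[success=1 default=ignore]` means that when pam_access grants access the next module, pam_google_authenticator, is skipped, otherwise the stack falls through to it. It implements only the access.conf forms the post uses (`+`/`-`, `ALL`, `LOCAL`, a CIDR network, a literal host) with pam_access's first-match-wins evaluation and its permit-by-default when nothing matches; real pam_access accepts more from-field forms. `rhost` stands for the client address sshd hands to PAM, with an empty value for a local login; all function names are my own.

```python
import ipaddress

# Constructed copy of the /etc/security/access-local.conf shown in the post.
ACCESS_LOCAL_CONF = """\
# Google Authenticator can be skipped on local network
+ : ALL : 192.168.0.0/24
+ : ALL : LOCAL
- : ALL : ALL
"""


def parse_access_conf(text):
    """Return [(permit, [users], [origins]), ...] in file order; '#' starts a comment."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        perm, users, origins = (field.strip() for field in line.split(":", 2))
        rules.append((perm == "+", users.split(), origins.split()))
    return rules


def origin_matches(pattern, rhost):
    """Simplified from-field match: ALL, LOCAL (no remote host), a CIDR network,
    or a literal address/hostname. Real pam_access accepts more forms."""
    if pattern == "ALL":
        return True
    if pattern == "LOCAL":
        return not rhost
    if not rhost:
        return False
    try:
        return ipaddress.ip_address(rhost) in ipaddress.ip_network(pattern, strict=False)
    except ValueError:
        return pattern == rhost


def user_matches(patterns, user):
    """Only the ALL keyword and plain user names are modelled (no groups)."""
    return "ALL" in patterns or user in patterns


def access_permits(rules, user, rhost):
    """First matching rule decides; with no match pam_access grants access,
    which is why the post ends the file with '- : ALL : ALL'."""
    for permit, users, origins in rules:
        if user_matches(users, user) and any(origin_matches(o, rhost) for o in origins):
            return permit
    return True


def second_factor_required(user, rhost, conf=ACCESS_LOCAL_CONF):
    """'auth [success=1 default=ignore] pam_access.so' followed by
    'auth required pam_google_authenticator.so': a pam_access success skips one
    module, so the code prompt appears only when pam_access does not permit."""
    return not access_permits(parse_access_conf(conf), user, rhost)


if __name__ == "__main__":
    for rhost in ("192.168.0.42", "192.168.1.7", "203.0.113.9", ""):
        label = rhost or "<local login>"
        print(f"{label:>14}: code required = {second_factor_required('tayab', rhost)}")
```

Feed it the exact file you deployed; a typo such as `192.168.0.0/16` instead of `/24` shows up immediately as a whole extra range that bypasses the second factor.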