Saturday, June 27, 2015

Google Authenticator for CentOS / Redhat / Fedora

First, I would recommend installing NTP (Network Time Protocol) to keep the server's clock synchronized, because Google Authenticator uses time-based codes/tokens that will fail if the server time is wrong. Check whether NTP is already running:
root# pgrep ntpd
If it is not installed, install and configure NTP:
root# yum install ntp
root# chkconfig ntpd on
root# ntpdate
root# service ntpd start

*** Install prerequisites:
root# yum install make gcc pam-devel

*** Install from the Yum repository (only an old version of libpam-google-authenticator is available in the EPEL package repository):

root# yum install google-authenticator

*** Installing the EPEL repo (for CentOS 6):
# cd /tmp
# wget
# wget
# rpm -Uvh remi-release-6*.rpm epel-release-6*.rpm

root# yum --enablerepo=epel install google-authenticator

OR... download and install libpam-google-authenticator from source:
root# cd /tmp
# wget
# bunzip2 libpam-google-authenticator-1.0-source.tar.bz2
# tar xf libpam-google-authenticator-1.0-source.tar
# cd libpam-google-authenticator-1.0
# make
# make install

*** Switch to the user you want to set up Google 2-step verification for:

[root@webmin1 ~]# su tayab

[tayab@webmin1 root]$ google-authenticator
|0&cht=qr&chl=otpauth://totp/
Your new secret key is: F6T7HZLEGMQBHSB2
Your verification code is 183935
Your emergency scratch codes are:

Do you want me to update your "~/.google_authenticator" file (y/n) y

Do you want to disallow multiple uses of the same authentication
token? This restricts you to one login about every 30s, but it increases
your chances to notice or even prevent man-in-the-middle attacks (y/n) y

By default, tokens are good for 30 seconds and in order to compensate for
possible time-skew between the client and the server, we allow an extra
token before and after the current time. If you experience problems with poor
time synchronization, you can increase the window from its default
size of 1:30min to about 4min. Do you want to do so (y/n) y

If the computer that you are logging into isn't hardened against brute-force
login attempts, you can enable rate-limiting for the authentication module.
By default, this limits attackers to no more than 3 login attempts every 30s.
Do you want to enable rate-limiting (y/n) y

[tayab@webmin1 root]$

[tayab@webmin1 root]$ exit
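Added example (not from the original post) of the time-based codes this setup relies on: a plain RFC 6238 TOTP in Python, using the RFC's published test secret instead of a real key, with the same 30-second steps and the +/-1-step skew window the google-authenticator prompt describes, so you can see why an unsynchronized clock makes a valid code fail.

```python
import base64
import hashlib
import hmac
import struct

STEP = 30    # tokens are good for 30 seconds (the module's default)
DIGITS = 6

# RFC 6238 test secret, base32-encoded the way google-authenticator prints
# secrets. Constructed for the demo; not a real key.
RFC_SECRET = base64.b32encode(b"12345678901234567890").decode()


def totp_at(secret_b32, unix_time, step=STEP, digits=DIGITS):
    """Code the phone and the server both compute for a base32 secret at unix_time."""
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)
    key = base64.b32decode(padded)
    counter = unix_time // step                      # 30-second time step
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                          # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def verify(secret_b32, code, server_time, skew_steps=1):
    """Accept `code` if it matches the current step or any of skew_steps
    steps before/after it. skew_steps=1 is the default window (3 codes,
    the "1:30min" in the prompt). Returns the matching offset in steps, or None."""
    for delta in range(-skew_steps, skew_steps + 1):
        expected = totp_at(secret_b32, server_time + delta * STEP)
        if hmac.compare_digest(expected, code):
            return delta
    return None


if __name__ == "__main__":
    now = 1111111109                                 # fixed server time from RFC 6238
    phone_ahead = totp_at(RFC_SECRET, now + 120)     # phone clock 2 minutes fast
    print("server code:", totp_at(RFC_SECRET, now))
    print("default window accepts fast phone:", verify(RFC_SECRET, phone_ahead, now))
    print("wider window accepts fast phone:", verify(RFC_SECRET, phone_ahead, now, 4))
```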

*** Go to the PAM configuration for sshd and add this line at the top of the file:

[root@webmin1 ~]# vi /etc/pam.d/sshd

# google authenticator
auth required pam_google_authenticator.so

*** Go to the sshd_config file and change 'no' to 'yes':
[root@webmin1 ~]# vi /etc/ssh/sshd_config
ChallengeResponseAuthentication yes

*** Restart SSH service
[root@webmin1 ~]# service sshd restart
Stopping sshd:                                             [  OK  ]
Starting sshd:                                             [  OK  ]
[root@webmin1 ~]#

*** Now log in via ssh. You have to enter the google-authenticator code and then the password to log in.

*** Copy your link and open it in any browser:
|0&cht=qr&chl=otpauth://totp/

This will show a QR code (barcode).

*** Open your Android mobile

Download these Android apps from Google Play:
1) Google Authenticator
2) Barcode Scanner

Open Barcode Scanner and scan the barcode shown in the browser.

This will give a code.

Enter this code when you log in via ssh; ssh will then ask for the user's password.

*** Skip Google Authenticator authentication if logging in from the local network

You may trust systems on your local network enough not to require that SSH connections from them use Google Authenticator. If so, modify /etc/pam.d/sshd so that it looks like this:

auth [success=1 default=ignore] pam_access.so accessfile=/etc/security/access-local.conf
auth       required pam_google_authenticator.so
Then add the file /etc/security/access-local.conf with the contents:

# Google Authenticator can be skipped on the local network
+ : ALL :
- : ALL : ALL
