Monday, April 27, 2015

Two factor authentication using google-authenticator (Linux)



#Two factor authentication using google-authenticator.
#Whether we use ssh key-based (public and private key) or password-based authentication, one more authentication step will tighten login security. If our password is compromised or our key is stolen, one more step using a mobile gadget will ensure better security.

#Here are my steps (CentOS 7 based)

#First install packages to set up google-authenticator
[root@ct7 ~]# yum install pam-devel
Total download size: 183 k
Installed size: 528 k
Is this ok [y/d/N]: y
Downloading packages:
pam-devel-1.1.8-12.el7.x86_64.rpm | 183 kB 00:00
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
Installing : pam-devel-1.1.8-12.el7.x86_64 1/1
Verifying : pam-devel-1.1.8-12.el7.x86_64 1/1
Installed:
pam-devel.x86_64 0:1.1.8-12.el7
[root@ct7 ~]# yum install gcc wget
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
* base: www.ftp.ne.jp
* extras: centos.mirror.cdnetworks.com
* updates: mirror.fairway.ne.jp
Package gcc-4.8.3-9.el7.x86_64 already installed and latest version
Package wget-1.14-10.el7_0.1.x86_64 already installed and latest version
Nothing to do
#To test I add user tester.
[root@ct7 ~]# useradd tester -s /bin/bash -m
[root@ct7 ~]# passwd tester
Changing password for user tester.
New password:
Retype new password:
passwd: all authentication tokens updated successfully.

From the host, ssh to the CentOS 7 VM.
whatsup@whatsup-To-be-filled-by-O-E-M ~ $ ssh tester@10.0.0.11
Password:
Last login: Tue Apr 28 06:26:36 2015 from 10.0.0.1
[tester@ct7 ~]$
#To use the PAM module, enable challenge-response authentication in sshd_config.
[root@ct7 ~]# vi /etc/ssh/sshd_config
# Change to yes to enable challenge-response passwords (beware issues with
# some PAM modules and threads)
ChallengeResponseAuthentication yes
[root@ct7 ~]# service sshd restart
Redirecting to /bin/systemctl restart sshd.service
#Now install google-authenticator.
[root@ct7 ~]# wget http://google-authenticator.googlecode.com/files/libpam-google-authenticator-1.0-source.tar.bz2
--2015-04-28 06:27:37-- http://google-authenticator.googlecode.com/files/libpam-google-authenticator-1.0-source.tar.bz2
Resolving google-authenticator.googlecode.com (google-authenticator.googlecode.com)... 74.125.203.82, 2404:6800:4008:c04::52
Connecting to google-authenticator.googlecode.com (google-authenticator.googlecode.com)|74.125.203.82|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 32708 (32K) [application/x-bzip2]
Saving to: ‘libpam-google-authenticator-1.0-source.tar.bz2’
100%[======================================>] 32,708 143KB/s in 0.2s
2015-04-28 06:27:38 (143 KB/s) - ‘libpam-google-authenticator-1.0-source.tar.bz2’ saved [32708/32708] 

#Untar
[root@ct7 ~]# tar xvf libpam-google-authenticator-1.0-source.tar.bz2
libpam-google-authenticator-1.0/base32.c
libpam-google-authenticator-1.0/demo.c
libpam-google-authenticator-1.0/google-authenticator.c
libpam-google-authenticator-1.0/hmac.c
libpam-google-authenticator-1.0/pam_google_authenticator.c
libpam-google-authenticator-1.0/pam_google_authenticator_unittest.c
libpam-google-authenticator-1.0/sha1.c
libpam-google-authenticator-1.0/base32.h
libpam-google-authenticator-1.0/hmac.h
libpam-google-authenticator-1.0/sha1.h
libpam-google-authenticator-1.0/totp.html
libpam-google-authenticator-1.0/Makefile
libpam-google-authenticator-1.0/FILEFORMAT
libpam-google-authenticator-1.0/README
libpam-google-authenticator-1.0/utc-time/
libpam-google-authenticator-1.0/utc-time/app.yaml
libpam-google-authenticator-1.0/utc-time/utc-time.py
#Make and install.
[root@ct7 ~]# cd libpam-google-authenticator-1.0
[root@ct7 libpam-google-authenticator-1.0]# make

 
[root@ct7 libpam-google-authenticator-1.0]# make install
cp pam_google_authenticator.so /lib64/security
cp google-authenticator /usr/local/bin 


 
#I use an iPhone. Install the Google Authenticator app on the phone.

#Execute google-authenticator as follows. In most cases, the answer is y.
#/usr/local/bin/google-authenticator

The pic with barcode won't upload...


#Scan a barcode from your mobile.



#Edit the PAM configuration for sshd
[root@ct7 ~]# vi /etc/pam.d/sshd
#%PAM-1.0
#auth required pam_sepermit.so
auth required pam_google_authenticator.so
 
The verification code changes every 30 seconds by default.
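
How the 30-second code is derived, as an added example that is not part of the original post or the google-authenticator source: a standard TOTP (RFC 6238, HMAC-SHA1) computation in Python. The secret is the RFC test key in base32 (constructed sample), and the one-step drift window in verify() is an assumption for illustration.

```python
import base64
import hashlib
import hmac
import struct

STEP = 30     # seconds each code is valid, the default mentioned above
DIGITS = 6    # length of the code shown by the phone app
# Constructed sample secret (base32 of the RFC 6238 test key), not a real one.
SAMPLE_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"

def _key(secret_b32):
    """Decode the base32 secret, tolerating spaces and missing padding."""
    s = secret_b32.replace(" ", "").upper()
    return base64.b32decode(s + "=" * (-len(s) % 8))

def hotp(key, counter, digits=DIGITS):
    """RFC 4226: HMAC-SHA1 over the 8-byte counter, then dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def totp(secret_b32, unix_time, step=STEP):
    """RFC 6238: the counter is the number of whole steps since the epoch."""
    return hotp(_key(secret_b32), unix_time // step)

def verify(secret_b32, code, unix_time, window=1):
    """Return the step offset that matched, or None if the code is rejected.
    window=1 tolerates one step of clock drift either way (assumed value)."""
    key = _key(secret_b32)
    counter = unix_time // STEP
    for offset in range(-window, window + 1):
        if counter + offset < 0:
            continue
        expected = hotp(key, counter + offset)
        # Constant-time comparison of the expected and submitted codes
        if hmac.compare_digest(expected.encode(), code.encode()):
            return offset
    return None

if __name__ == "__main__":
    import time
    now = int(time.time())
    code = totp(SAMPLE_SECRET, now)
    print("code now:", code, "valid for", STEP - now % STEP, "more seconds")
    print("accepted at offset:", verify(SAMPLE_SECRET, code, now))
```

A code stays acceptable for every step inside the window, so a server that allows a window should also refuse a code it has already accepted once.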



Now we have to enter a verification code for ssh login.
Example test:
whatsup@host$ ssh tester@10.0.0.11
Verification code:
Password:
Last login: Tue Apr 28 06:38:19 2015
[tester@ct7 ~]$


#Well, it is simple and easy. On Ubuntu, installation is easier; search for the package as follows.

ubuntu ~ # apt-cache search google-authenticator
libpam-google-authenticator - Two-step verification


#This can also be used for sudo.

Scanning the barcode is the same as before.
#Here is how to do it, as root.
ubuntu ~ # vi /etc/pam.d/sudo

#%PAM-1.0
#Comment out every line except pam_google_authenticator.so.
auth required pam_google_authenticator.so
#auth required pam_env.so readenv=1 user_readenv=0
#auth required pam_env.so readenv=1 envfile=/etc/default/locale user_readenv=0
#@include common-auth
#@include common-account
#@include common-session-noninteractive

#Testing. With common-auth commented out, sudo asks only for the verification code, not the password.
ubuntu~ $ sudo su
Verification code:
ubuntu~ #
This process can also be applied to login and other services.
