Google Authenticator PAM module for RHEL6

I thought I would give it a try to google authenticator pam module so I built it for RHEL6. You should theoretically be able to use it on any derivative tree including CentOS, Scientific Linux, and others.

Instructions:

# Configure my repo

wget -O /etc/yum.repos.d/chaos.repo http://yum.vadimgrinco.com/repo/rhel/chaos.repo

# Install google authenticator pam module and its dependencies

yum -y install libpam-google-authenticator

# Run the initial configuration of google authenticator and scan the QR code

google-authenticator

# Edit /etc/pam.d/sshd to enable google authenticator

sed -e "s/auth.*include.*password-auth/authtrequiredtpam_google_authenticator.son/" -i /etc/pam.d/sshd

Now it’s time to configure sshd for challange-response auth:

# disable plain password authentication over encrypted tunnel (default)

sed -e "s/PasswordAuthentication.*/PasswordAuthentication no/" -i /etc/ssh/sshd_config

# enable challenge-response authentication

sed -e "s/ChallengeResponseAuthentication.*/ChallengeResponseAuthentication yes/" -i /etc/ssh/sshd_config

# enable pam support

sed -e "s/UsePAM.*/UsePAM yes/" -i /etc/ssh/sshd_config

Restart sshd and enjoy the new security feature of your server.

Join the Conversation

3 Comments

  1. Update #3
    If you’re using SELinux on your machine, then having the secret stored in the usual location (your home directory) is not an option.

    As a workaround you can move it to ~/.ssh directory and reconfigure PAM properly:
    # Move the existing authenticator settings to .ssh
    mv .google_authenticator .ssh/
    # Restore context to make sure sshd will be able to read it
    restorecon -Fv .ssh/.google_authenticator
    # Configure PAM to look for the secrets file in the right place
    sed -e "s/auth.*required.*pam_google_authenticator.*/ secret=${HOME}/.ssh/.google_authenticator/" -i /etc/pam.d/sshd

    (assuming that you followed the guide above and you have pam configured for google authenticator)

Leave a comment

Your email address will not be published. Required fields are marked *