I thought I would give the Google Authenticator PAM module a try, so I built it for RHEL6. You should theoretically be able to use it on any derivative tree including CentOS, Scientific Linux, and others.
Instructions:
# Configure my repo
wget -O /etc/yum.repos.d/chaos.repo http://yum.vadimgrinco.com/repo/rhel/chaos.repo
# Install google authenticator pam module and its dependencies
yum -y install libpam-google-authenticator
# Run the initial configuration of google authenticator and scan the QR code
google-authenticator
# Edit /etc/pam.d/sshd to enable google authenticator
sed -e "s/auth.*include.*password-auth/auth\trequired\tpam_google_authenticator.so\n/" -i /etc/pam.d/sshd
Now it’s time to configure sshd for challenge-response auth:
# disable plain password authentication over encrypted tunnel (default)
sed -e "s/PasswordAuthentication.*/PasswordAuthentication no/" -i /etc/ssh/sshd_config
# enable challenge-response authentication
sed -e "s/ChallengeResponseAuthentication.*/ChallengeResponseAuthentication yes/" -i /etc/ssh/sshd_config
# enable pam support
sed -e "s/UsePAM.*/UsePAM yes/" -i /etc/ssh/sshd_config
Restart sshd and enjoy the new security feature of your server.
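The sed commands above also rewrite commented-out lines (`#UsePAM ...` stays a comment), so it is worth confirming what sshd will actually read before restarting it. The following check is an added example, not part of the original post or the RPM; the function names are made up here, and it assumes each setting is set explicitly in the global part of the file in `Keyword value` form.

```shell
#!/bin/sh
# Added example: audit the two files edited by the sed commands above.

# Print the value sshd would use for keyword $2 in config file $1.
# sshd keeps the first uncommented occurrence; keywords are case-insensitive.
sshd_value() {
    awk -v key="$2" '
        /^[ \t]*#/ { next }                 # commented lines have no effect
        tolower($1) == "match" { exit }     # stop at the first Match block
        tolower($1) == tolower(key) { print tolower($2); exit }
    ' "$1"
}

# Succeed if PAM file $1 has an active auth line for the module.
pam_has_totp() {
    awk '
        /^[ \t]*#/ { next }
        $1 == "auth" && $2 == "required" && $3 == "pam_google_authenticator.so" { found = 1 }
        END { exit found ? 0 : 1 }
    ' "$1"
}

# check_2fa SSHD_CONFIG PAM_FILE: report each mismatch, return non-zero if any.
check_2fa() {
    rc=0
    for want in PasswordAuthentication=no ChallengeResponseAuthentication=yes UsePAM=yes; do
        key=${want%%=*}; val=${want#*=}
        got=$(sshd_value "$1" "$key")
        if [ "$got" != "$val" ]; then
            echo "FAIL: $key is '${got:-unset}', expected '$val'"
            rc=1
        fi
    done
    if ! pam_has_totp "$2"; then
        echo "FAIL: no active pam_google_authenticator.so auth line in $2"
        rc=1
    fi
    return $rc
}
```

Source the file and run `check_2fa /etc/ssh/sshd_config /etc/pam.d/sshd`; keep an existing root session open while testing the first login after the restart.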
Update #1
Only the x86_64 version works; the i386 package needs to be rebuilt since it has wrong dependencies.
Update #2
RPM was properly rebuilt for i686, enjoy.
Update #3
If you’re using SELinux on your machine, then having the secret stored in the usual location (your home directory) is not an option.
As a workaround you can move it to the ~/.ssh directory and reconfigure PAM accordingly:
# Move the existing authenticator settings to .ssh
mv .google_authenticator .ssh/
# Restore context to make sure sshd will be able to read it
restorecon -Fv .ssh/.google_authenticator
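# Configure PAM to look for the secrets file in the right place
# (single quotes keep ${HOME} literal so the PAM module expands it per user;
#  "|" is the sed delimiter because the path contains slashes)
sed -e 's|^\(auth.*required.*pam_google_authenticator\.so\).*|\1 secret=${HOME}/.ssh/.google_authenticator|' -i /etc/pam.d/sshd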
(assuming that you followed the guide above and you have pam configured for google authenticator)