Vadim Grinco It's not denial. I'm just selective about the reality i accept.

4Dec/123

Google Authenticator PAM module for RHEL6

I thought I would give it a try to google authenticator pam module so I built it for RHEL6. You should theoretically be able to use it on any derivative tree including CentOS, Scientific Linux, and others.

Instructions:

# Configure my repo

wget -O /etc/yum.repos.d/chaos.repo http://yum.vadimgrinco.com/repo/rhel/chaos.repo

# Install google authenticator pam module and its dependencies

yum -y install libpam-google-authenticator

# Run the initial configuration of google authenticator and scan the QR code

google-authenticator

# Edit /etc/pam.d/sshd to enable google authenticator

sed -e "s/auth.*include.*password-auth/authtrequiredtpam_google_authenticator.son/" -i /etc/pam.d/sshd

Now it's time to configure sshd for challange-response auth:

# disable plain password authentication over encrypted tunnel (default)

sed -e "s/PasswordAuthentication.*/PasswordAuthentication no/" -i /etc/ssh/sshd_config

# enable challenge-response authentication

sed -e "s/ChallengeResponseAuthentication.*/ChallengeResponseAuthentication yes/" -i /etc/ssh/sshd_config

# enable pam support

sed -e "s/UsePAM.*/UsePAM yes/" -i /etc/ssh/sshd_config

Restart sshd and enjoy the new security feature of your server.

Filed under: RHEL, Security Leave a comment
Comments (3) Trackbacks (0)
  1. Update #1
    Only x86_64 version works, need to rebuild i386 since it has wrong dependencies.

  2. Update #2
    RPM was properly rebuilt for i686, enjoy.

  3. Update #3
    If you’re using SELinux on your machine, then having the secret stored in the usual location (your home directory) is not an option.

    As a workaround you can move it to ~/.ssh directory and reconfigure PAM properly:
    # Move the existing authenticator settings to .ssh
    mv .google_authenticator .ssh/
    # Restore context to make sure sshd will be able to read it
    restorecon -Fv .ssh/.google_authenticator
    # Configure PAM to look for the secrets file in the right place
    sed -e "s/auth.*required.*pam_google_authenticator.*/ secret=${HOME}/.ssh/.google_authenticator/" -i /etc/pam.d/sshd

    (assuming that you followed the guide above and you have pam configured for google authenticator)


Leave a comment

 

No trackbacks yet.