Google Authenticator
I have been happily using two-factor authentication with my Google account for months. I appreciate the added security and it hasn't been much hassle.
I decided it would be a good idea to implement something similar for access to my server. There are several options available, but I selected pam_google_authenticator. It integrates with the Google Authenticator phone application and supports backup OTPs for when your phone is unavailable.
Since I am using Arch, the process begins with installing the google-authenticator-libpam-hg package from AUR. Normally this would be an easy task, but for some reason hg clone fails during the build. I worked around the problem by running the hg clone https://code.google.com/p/google-authenticator command manually in my home directory, and then creating a symlink to it for use in the build script. I also installed qrencode for generating QR codes.

Now that it is installed, you have to configure PAM to make use of the new module. I created a new file /etc/pam.d/google-authenticator with the contents:

    #%PAM-1.0
    auth sufficient pam_access.so accessfile=/etc/security/access-local.conf
    auth sufficient pam_succeed_if.so user notin some:users:here
    auth required pam_google_authenticator.so
The pam_google_authenticator module does the real work, but there are only two cases in which I want to require the OTP. I want to require the OTP for all connections from the Internet, but not from my LAN. pam_access, with the help of additional configuration, does just that. When turned on, pam_google_authenticator requires all users to use an OTP, with no provision for users who haven't set up their two-factor authentication yet (it would simply prevent them from logging in). There are several patches I could have applied to fix this problem, but I just went with the simple approach of manually configuring the list of users I want to use two-factor authentication with the pam_succeed_if module. some:users:here is a colon-separated list of users that will be using two-factor authentication.

For pam_access, I created /etc/security/access-local.conf:

    + : ALL : 10.0.0.0/24
    + : ALL : LOCAL
    - : ALL : ALL
The first line is where you define your network's subnet. It should likely be something like 192.168.1.0/24.

To allow PAM to query additional information via SSH, you need to make sure that ChallengeResponseAuthentication is not set to no in /etc/ssh/sshd_config. The default is yes, but in Arch they set it to no, so I just commented out that line in the config and restarted SSH.

As my normal user, I ran google-authenticator, which generated a TOTP secret in my home directory. (Presumably) since I had qrencode installed, it also provided a very nice QR code (in the terminal even!) that I scanned with my phone to configure the Google Authenticator Android application.

All the preparation work is complete; I now need to enable the setup for ssh. In /etc/pam.d/sshd I added a line under auth required pam_unix.so ...:

    auth substack google-authenticator
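To show what the TOTP secret generated by google-authenticator is actually checked against, here is an added example (not part of the original post, nor code from pam_google_authenticator) of the RFC 6238 verification the module performs on the PAM side: it takes the same base32 secret that google-authenticator writes to ~/.google_authenticator, derives the 30-second, 6-digit code, and accepts a small clock-skew window. The secret used below is the RFC 6238 test key, constructed for the example rather than a real user's secret.

```python
import base64
import hashlib
import hmac
import struct


def hotp(secret_b32: str, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian 8-byte counter, dynamically truncated.
    The secret is base32, exactly as google-authenticator stores it on the first line
    of ~/.google_authenticator (and as the phone app holds it)."""
    key = base64.b32decode(secret_b32.strip().upper())
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret_b32: str, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP with Google Authenticator's defaults: counter = floor(time / 30 s)."""
    return hotp(secret_b32, unix_time // step, digits)


def verify_totp(secret_b32: str, code: str, unix_time: int,
                window: int = 1, step: int = 30) -> bool:
    """Accept the code for the current step or up to `window` steps either side, to
    tolerate phone/server clock skew. Comparison is constant-time. A real verifier
    must additionally remember the last accepted counter and refuse to accept it
    (or an earlier one) again, so a sniffed code cannot be replayed within the window."""
    current = unix_time // step
    for drift in range(-window, window + 1):
        counter = current + drift
        if counter < 0:
            continue
        if hmac.compare_digest(hotp(secret_b32, counter), code):
            return True
    return False


# Constructed example secret: the RFC 6238 Appendix B SHA-1 test key
# "12345678901234567890", base32-encoded the way google-authenticator would store it.
RFC6238_SECRET_B32 = base64.b32encode(b"12345678901234567890").decode()

if __name__ == "__main__":
    # At T=59 the RFC lists 94287082 (8 digits); the 6-digit app code is its last six digits.
    print(totp(RFC6238_SECRET_B32, 59, digits=8), totp(RFC6238_SECRET_B32, 59))
    print(verify_totp(RFC6238_SECRET_B32, "287082", 89))   # one step late, still accepted
```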
After a bit of testing, I verified everything was running as I expected, and I now have two-factor authentication for accessing my server via SSH. To enable two-factor for additional accounts I will have the account user run google-authenticator and set up their phone, after which I will add them to the list passed to pam_succeed_if.