ML
    • Recent
    • Categories
    • Tags
    • Popular
    • Users
    • Groups
    • Register
    • Login

    Lab Project: 2FA with Google Authenticator

    Scheduled Pinned Locked Moved IT Discussion
    jump serversshjumpbox2falinuxsecurity
    5 Posts 3 Posters 2.6k Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • stacksofplatesS
      stacksofplates
      last edited by stacksofplates

      Piggybacking off of @scottalanmiller's Jump Box tutorial, I'm going to create a quick tutorial for 2FA on a Jump Box or whatever you would like to use it on.

      First create a new Jump Box or use an existing server:

      Create_Server

      Update the server:

      yum update

      then install packages:

      yum install epel-release unzip fail2ban pam-devel make gcc wget automake autoconf libtool pam-devel qrencode ntp

      Download the github repo for Google Authenticator:

      wget https://github.com/google/google-authenticator/archive/master.zip

      Unzip:

      unzip master.zip

      Then:

      cd google-authenticator/libpam/

      Next compile google authenticator:

      ./bootstrap.sh
./configure
make
make install
ln -s /usr/local/lib/security/pam_google_authenticator.so /usr/lib64/security/pam_google_authenticator.so

      Add this line in /etc/pam.d/sshd

      auth       required     pam_google_authenticator.so

      Next:

      sed -r -i 's/#ChallengeResponseAuthentication yes/ChallengeResponseAuthentication yes/g' /etc/ssh/sshd_config

sed -r -i 's/ChallengeResponseAuthentication no/#ChallengeResponseAuthentication no/g' /etc/ssh/sshd_config

      Reload ssh:

      systemctl reload sshd

      Start ntp:

      systemctl start ntpd

      Finally use this to get the QR code and key

      google-authenticator -tdf --rate-limit=3 --rate-time=30 --window-size=17

      That's about it. Now you can use 2FA on your Jump Box or whatever server you choose.

      1 Reply Last reply Reply Quote 4
      • scottalanmillerS
        scottalanmiller
        last edited by

        That's awesome. This was actually on my list to do. Thanks!

        1 Reply Last reply Reply Quote 1
        • stacksofplatesS
          stacksofplates
          last edited by

          So I figured out that if you want to use key based authentication you need to change the line from

          auth       required     pam_google_authenticator.so

          to

          auth       sufficient     pam_google_authenticator.so

          You will also need to add this line to your /etc/ssh/sshd_config file:

          AuthenticationMethods publickey,keyboard-interactive

          Then set up the public key like you normally would and disable password logins. If you leave it as required, it will always ask you for a password.

          1 Reply Last reply Reply Quote 0
          • A
            Alex Sage
            last edited by

            Nice Guide. Can you please add a link to the Jumpbox guide, I missed it.....

            stacksofplatesS 1 Reply Last reply Reply Quote 1
            • stacksofplatesS
              stacksofplates @Alex Sage
              last edited by

              @anonymous said:

              Nice Guide. Can you please add a link to the Jumpbox guide, I missed it.....

              http://mangolassi.it/topic/6143/linux-lab-project-building-a-linux-jump-box

              1 Reply Last reply Reply Quote 0
              • 1 / 1
              • First post
                Last post