Lab Project: 2FA with Google Authenticator
-
Piggybacking off of @scottalanmiller's Jump Box tutorial, I'm going to create a quick tutorial for 2FA on a Jump Box or whatever you would like to use it on.
First create a new Jump Box or use an existing server:
Update the server:
yum update
then install packages:
yum install epel-release unzip fail2ban pam-devel make gcc wget automake autoconf libtool pam-devel qrencode ntp
Download the github repo for Google Authenticator:
wget https://github.com/google/google-authenticator/archive/master.zip
Unzip:
unzip master.zip
Then:
cd google-authenticator/libpam/
Next compile google authenticator:
./bootstrap.sh
./configure
make
make install
ln -s /usr/local/lib/security/pam_google_authenticator.so /usr/lib64/security/pam_google_authenticator.so
Add this line in /etc/pam.d/sshd
auth required pam_google_authenticator.so
Next:
sed -r -i 's/#ChallengeResponseAuthentication yes/ChallengeResponseAuthentication yes/g' /etc/ssh/sshd_config
sed -r -i 's/ChallengeResponseAuthentication no/#ChallengeResponseAuthentication no/g' /etc/ssh/sshd_config
Reload ssh:
systemctl reload sshd
Start ntp:
systemctl start ntpd
Finally use this to get the QR code and key
google-authenticator -tdf --rate-limit=3 --rate-time=30 --window-size=17
That's about it. Now you can use 2FA on your Jump Box or whatever server you choose.
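What `--window-size=17` and `-d` in the command above mean for code acceptance, as an added Python example (not from the original post or the google-authenticator project). It assumes the window is centred on the server's current 30-second step; the key is the RFC 6238 test secret and the server time is constructed.

```python
import hashlib
import hmac
import struct

STEP = 30                          # seconds per TOTP time step (RFC 6238 default)
RFC_KEY = b"12345678901234567890"  # RFC 6238 test secret, not a real key
SERVER_TIME = 1_700_000_000        # constructed sample server clock


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte counter, dynamically truncated."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def totp(key: bytes, unix_time: int) -> str:
    """RFC 6238 TOTP: HOTP keyed on the number of elapsed time steps."""
    return hotp(key, unix_time // STEP)


def verify(key, code, server_time, window, used_steps):
    """Accept `code` if it matches one of `window` consecutive steps around now.

    Assumption of this sketch: the window is centred on the current step.
    `used_steps` remembers accepted steps so a code cannot be replayed (-d).
    """
    now = server_time // STEP
    for step in range(now - (window - 1) // 2, now + window // 2 + 1):
        if step in used_steps:
            continue
        if hmac.compare_digest(hotp(key, step), code):
            used_steps.add(step)
            return True
    return False


def accepted_offsets(key, server_time, window, span=12):
    """Client clock offsets, in 30-second steps, whose code is still accepted."""
    return [k for k in range(-span, span + 1)
            if verify(key, totp(key, server_time + k * STEP),
                      server_time, window, set())]


if __name__ == "__main__":
    for w in (3, 17):
        offs = accepted_offsets(RFC_KEY, SERVER_TIME, w)
        print(f"window {w}: steps {offs[0]}..{offs[-1]} "
              f"(+/- {max(offs) * STEP} s of clock skew accepted)")
```

With a window of 17 a code stays valid for 8 steps (240 seconds) either side of the server's clock, compared with 1 step for a window of 3, so the larger window trades tolerance for clock drift against a longer lifetime for any observed code.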
-
That's awesome. This was actually on my list to do. Thanks!
-
So I figured out that if you want to use key based authentication you need to change the line from
auth required pam_google_authenticator.so
to
auth sufficient pam_google_authenticator.so
You will also need to add this line to your /etc/ssh/sshd_config file:
AuthenticationMethods publickey,keyboard-interactive
Then set up the public key like you normally would and disable password logins. If you leave it as required, it will always ask you for a password.
-
Nice Guide. Can you please add a link to the Jumpbox guide, I missed it.....
-
@anonymous said:
Nice Guide. Can you please add a link to the Jumpbox guide, I missed it.....
http://mangolassi.it/topic/6143/linux-lab-project-building-a-linux-jump-box