CentOS Two Factor Authentication with Google Authenticator
-
No package google-authenticator available.
-
The PAM Module is no longer provided in EPEL for EL7
-
Looks like a lot of places are having the same issue that they are posting the repo info but it does not exist. You can do this instead...
yum install gcc gcc++ make python python-devel git pam-devel cd /tmp git clone https://code.google.com/p/google-authenticator/ cd google-authenticator/libpam make make install cd /tmp rm -Rf google-authenticator/ -
I used this guide: http://www.thefallenphoenix.net/2015/03/ssh-multi-factor-centos-7/
But like a idiot, I setup the root account, not my account.....
This will cause a issue if for some reason Google Authenticator doesn't work, right?
-
@Aaron-Studer said:
I used this guide: http://www.thefallenphoenix.net/2015/03/ssh-multi-factor-centos-7/
But like a idiot, I setup the root account, not my account.....
This will cause a issue if for some reason Google Authenticator doesn't work, right?
Yes, that would be a problem
-
This seems like it might be a better option
-
This looks much, much easier to install/use:
-
How To Install Authy And Configure Two-Factor Authentication For SSH
https://www.digitalocean.com/community/tutorials/how-to-install-authy-and-configure-two-factor-authentication-for-ssh -
I don't like SMS as an authentication method because I've found SMS to be very unreliable. Here in Europe it is tons more reliable than in the US, but you don't want a tower outage or being in a "dead spot" to stop authentication. I worry enough about the "on the phone" app losing power (my phone is dead right this second, for example) or getting lost or whatever causing a lack of access but using SMS on the phone adds secondary network connectivity as an additional breaking point.
If I lose my phone, phone breaks, battery is dead, I lose cell coverage OR I lose network access I can't log in. That is more and more points of failure.
-
Also, SMS is not secure at all. I've had SMS hijacked before. So less than ideal as a security method. It's a second factor so that is not the end of the world, but I have definitely spent a year working in a situation where that would not have been a second factor at all and using it would have been nothing but a placebo.
-
@scottalanmiller said:
I don't like SMS as an authentication method because I've found SMS to be very unreliable. Here in Europe it is tons more reliable than in the US, but you don't want a tower outage or being in a "dead spot" to stop authentication. I worry enough about the "on the phone" app losing power (my phone is dead right this second, for example) or getting lost or whatever causing a lack of access but using SMS on the phone adds secondary network connectivity as an additional breaking point.
If I lose my phone, phone breaks, battery is dead, I lose cell coverage OR I lose network access I can't log in. That is more and more points of failure.
I completely agree. This is why I use Authy. No SMS.
Best part of all it is removes the requirement to use your phone.
-
Ah, Authy doesn't require SMS? Cool, will look into it more then.
-
@scottalanmiller I think your confusing Two Factor Authentication with SMS.
You can do 2FA with SMS, but it's not as common anymore.
Take a look at this link: http://security.stackexchange.com/questions/47901/how-does-authys-2fa-work-if-it-doesnt-connect-to-the-server
-
If Authy would integrate with Touch ID, that would be amazing!
-
This is also a good read: http://stackshare.io/posts/how-authy-built-a-fault-tolerant-two-factor-authentication-service/
-
@scottalanmiller said:
(my phone is dead right this second, for example)
Authy lets to sync across devices, so unless you phone/iPad/computer/Wife's Phone are all dead, then it still works!
-
@Aaron-Studer said:
@scottalanmiller I think your confusing Two Factor Authentication with SMS.
No, I definitely know what both are. I think you are quoting someone who was wrong in the article because someone said that to them there too trying to claim that a code over SMS isn't two factor authentication, but it most certainly is as they get pointed out in the article too.
All the images I see of Authy show it uses SMS codes as its second factor. Hence why I thought that that was what they used. If they don't use insecure SMS, why do they advertise it so much?
-
Also, you can use Authy completely offline
-
I see on their site that SMS is a fallback. They show way too many pictures of it, it make it look like SMS was the process, not an emergency fallback for people living in the dark ages.
-
This post is deleted!
