Lab Project: 2FA with Google Authenticator



  • Piggybacking off of @scottalanmiller's Jump Box tutorial, I'm going to create a quick tutorial for 2FA on a Jump Box or whatever you would like to use it on.

    First create a new Jump Box or use an existing server:


    Update the server:

    yum update
    

    then install packages:

    yum install epel-release unzip fail2ban pam-devel make gcc wget automake autoconf libtool qrencode ntp
    

    Download the github repo for Google Authenticator:

    wget https://github.com/google/google-authenticator/archive/master.zip
    

    Unzip:

    unzip master.zip
    

    Then:

    cd google-authenticator-master/libpam/
    

    Next compile google authenticator:

    ./bootstrap.sh
    ./configure
    make
    make install
    ln -s /usr/local/lib/security/pam_google_authenticator.so /usr/lib64/security/pam_google_authenticator.so
    

    Add this line to /etc/pam.d/sshd:

    auth       required     pam_google_authenticator.so
    

    Next:

    sed -r -i 's/#ChallengeResponseAuthentication yes/ChallengeResponseAuthentication yes/g' /etc/ssh/sshd_config
    
    sed -r -i 's/ChallengeResponseAuthentication no/#ChallengeResponseAuthentication no/g' /etc/ssh/sshd_config
    

    Reload ssh:

    systemctl reload sshd
    

    Start ntp:

    systemctl start ntpd
    

    Finally, use this to get the QR code and key:

    google-authenticator -tdf --rate-limit=3 --rate-time=30 --window-size=17
    

    That's about it. Now you can use 2FA on your Jump Box or whatever server you choose.

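An added example (my own code, not from the post or the google-authenticator project) showing the TOTP arithmetic pam_google_authenticator checks and what the `--window-size=17` in the command above actually accepts: 17 consecutive 30-second codes, so one code stays valid for 8.5 minutes instead of the default 90 seconds. The centred-window loop is my reading of the PAM module's logic and is an assumption; the `-d` in `-tdf` additionally rejects reuse of a code, which this example does not model.

```python
import base64
import hashlib
import hmac
import struct

STEP = 30  # Google Authenticator / pam_google_authenticator use 30-second time steps


def hotp(secret_b32: str, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP (HMAC-SHA1), the primitive Google Authenticator codes are built on."""
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)  # google-authenticator prints unpadded base32
    key = base64.b32decode(padded)
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret_b32: str, at: int, step: int = STEP) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    return hotp(secret_b32, at // step)


def verify(secret_b32: str, code: str, at: int, window_size: int = 3, step: int = STEP) -> bool:
    """Accept `code` if it matches any of `window_size` consecutive steps centred on `at`.
    Assumption: this mirrors pam_google_authenticator's --window-size (default 3 = one step
    before, the current one, one after); the real module also refuses already-used codes."""
    for i in range(-((window_size - 1) // 2), window_size // 2 + 1):
        t = at + i * step
        if t < 0:  # edge case: do not derive a negative counter near the epoch
            continue
        if hmac.compare_digest(totp(secret_b32, t, step), code):
            return True
    return False


def acceptance_seconds(window_size: int, step: int = STEP) -> int:
    """How long a single code stays acceptable: 3 -> 90 s, the post's 17 -> 510 s (8.5 minutes)."""
    return window_size * step


# Constructed demo secret: the 20-byte RFC 4226/6238 test key, base32-encoded the way
# google-authenticator prints a secret (not a real server secret).
RFC_SECRET = base64.b32encode(b"12345678901234567890").decode()

if __name__ == "__main__":
    now = 8 * STEP  # counter 8; a fixed time so the output is reproducible
    old = hotp(RFC_SECRET, 0)  # a code that was current 4 minutes earlier
    print("current code:", totp(RFC_SECRET, now))
    print("4-minute-old code accepted, window 3 :", verify(RFC_SECRET, old, now, 3))
    print("4-minute-old code accepted, window 17:", verify(RFC_SECRET, old, now, 17))
    print("seconds a code is accepted with window 17:", acceptance_seconds(17))
```

If clock drift is the reason for a wide window, running ntpd (as the post does) and keeping the default window is the safer fix.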

  • That's awesome. This was actually on my list to do. Thanks!



  • So I figured out that if you want to use key based authentication you need to change the line from

    auth       required     pam_google_authenticator.so
    

    to

    auth       sufficient     pam_google_authenticator.so
    

    You will also need to add this line to your /etc/ssh/sshd_config file:

    AuthenticationMethods publickey,keyboard-interactive
    

    Then set up the public key like you normally would and disable password logins. If you leave it as required, it will always ask you for a password.



  • Nice Guide. Can you please add a link to the Jumpbox guide, I missed it.....



  • @anonymous said:

    Nice Guide. Can you please add a link to the Jumpbox guide, I missed it.....

    http://mangolassi.it/topic/6143/linux-lab-project-building-a-linux-jump-box


