Google Authenticator for PAM

Google Authenticator is pretty cool; it's like having one of those RSA SecurID tokens for two-factor auth.

I stumbled across this page, which describes integrating it with PAM for SSH; the backend code is freely available. http://guides.webbynode.com/articles/security/ubuntu-google-authenticator.html

It's not packaged or anything, but it's trivial to compile and put in the right place on a standard Linux system. Their guide is very good, and inexperienced sysadmins can probably stumble through it without any specific knowledge.

Experience

There's a couple of tiny things I'd change. Also worthy of note is that I haven't got it to work properly yet. >_>

But I can tell it's really close!

Symptoms:

  • When I first tried, it kept insisting that I wasn't providing a verification code (/var/log/auth.log)

  • I messed around some more, kept recompiling, and eventually stopped even getting error messages -_-
  • Gave up at this point, need to revisit

Changes

Things I'd do differently.

  • Install it manually (I'm on Debian Squeeze x64)
    • make all instead of make install

    • Use install instead of tar and... wtf is this!?

      install -m 755 -g root google-authenticator /usr/local/bin/google-authenticator
      install -m 644 pam_google_authenticator_testing.so /lib/security/pam_google_authenticator.so
  • Integration with PAM
    • Put it in /etc/pam.d/sshd instead of /etc/pam.d/common-auth (can FTP deal with this? will it just skip the challenge-response thing? I dunno)

    • You could, if you want, use this instead of a password (rather than in addition to a password). You do this by marking the module sufficient instead of required alongside the password module (pam_unix):

      auth    sufficient            pam_google_authenticator.so   echo-verification-code

The per-user config thing works just fine.
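An added example (not from this page or the guide it links to): a simplified Python model of the PAM `required`, `requisite` and `sufficient` control flags, used to list which password/code combinations each placement of the module accepts. The three stacks are constructed samples, and `parse_auth_stack`, `authenticate` and `accepted` are hypothetical helper names.

```python
# Added example: simplified model of Linux-PAM required/requisite/sufficient
# (see pam.conf(5)); other controls are skipped, module outcomes are inputs.
from itertools import product

CONTROLS = {"required", "requisite", "sufficient"}
UNIX, GAUTH = "pam_unix.so", "pam_google_authenticator.so"

def parse_auth_stack(text):
    """Return [(control, module)] for the modelled 'auth' lines."""
    stack = []
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) >= 3 and fields[0] == "auth" and fields[1] in CONTROLS:
            stack.append((fields[1], fields[2]))
    return stack

def authenticate(stack, results):
    """results maps module name -> True if that module would succeed."""
    failed = succeeded = False
    for control, module in stack:
        ok = results.get(module, False)
        if control == "sufficient":
            if ok and not failed:
                return True      # stack stops here; later modules never run
            continue             # a failed 'sufficient' is ignored
        if ok:
            succeeded = True
        else:
            failed = True
            if control == "requisite":
                return False     # requisite failure returns immediately
    return succeeded and not failed

def accepted(text):
    """Set of (password_ok, code_ok) pairs that the stack lets in."""
    stack = parse_auth_stack(text)
    return {(pw, code) for pw, code in product((True, False), repeat=2)
            if authenticate(stack, {UNIX: pw, GAUTH: code})}

# Constructed sample stacks, not copied from a real /etc/pam.d/sshd.
BOTH_REQUIRED = ("auth required pam_unix.so\n"
                 "auth required pam_google_authenticator.so\n")
SUFFICIENT_FIRST = ("auth sufficient pam_google_authenticator.so\n"
                    "auth required pam_unix.so\n")
SUFFICIENT_LAST = ("auth required pam_unix.so\n"
                   "auth sufficient pam_google_authenticator.so\n")

if __name__ == "__main__":
    for name in ("BOTH_REQUIRED", "SUFFICIENT_FIRST", "SUFFICIENT_LAST"):
        print(name, sorted(accepted(globals()[name]), reverse=True))
```

With the module `sufficient` ahead of pam_unix, a valid code alone or a valid password alone is accepted, so the stack is "either factor" rather than a replacement for the password. Placed after a `required` pam_unix, the code is never needed.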
