= Google Authenticator for PAM =

Google Authenticator is pretty cool, it's like having one of those RSA SecurID tokens for two-factor auth. I stumbled across this page which describes integrating it with PAM for SSH; the backend code is freely available.

http://guides.webbynode.com/articles/security/ubuntu-google-authenticator.html

It's not packaged or anything, but it's trivial to compile and put in the right place on a standard Linux system. Their guide is very good, and inexperienced sysadmins can probably stumble through it without any specific knowledge.

== Experience ==

There are a couple of tiny things I'd change. Also worthy of note is that I haven't got it to work properly yet. >_> But I can tell it's really close!

Symptoms:

 * When I first tried, it kept insisting that I wasn't providing a verification code (`/var/log/auth.log`)
 * I messed around some more, kept recompiling, and eventually stopped even getting error messages -_-
 * Gave up at this point, need to revisit

== Changes ==

Things I'd do differently.

 * Install it manually (I'm on Debian Squeeze x64)
   * `make all` instead of `make install`
   * Use `install` instead of `tar` and... wtf is this!?
{{{
install -m 755 -g root google-authenticator /usr/local/bin/google-authenticator
install -m 644 pam_google_authenticator_testing.so /lib/security/pam_google_authenticator.so
}}}
 * Integration with PAM
   * Put it in `/etc/pam.d/sshd` instead of `/etc/pam.d/common-auth` (can FTP deal with this? Will it just skip the challenge-response thing? I dunno)
   * You could, if you want, use this instead of a password (rather than in addition to a password). You do this by making the module `sufficient` instead of `required` alongside the password (pam_unix)
{{{
auth sufficient pam_google_authenticator.so echo-verification-code
}}}

The per-user config thing works just fine.
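
To see what the `sufficient` versus `required` choice above does to the login decision, here is an added example (not from the original page or the Google Authenticator project): a simplified Python model of how PAM combines `auth` lines. It assumes the OTP line sits above a `pam_unix.so` line modelled as `required`; the function and constant names are made up for illustration.

```python
# Added example: simplified model of how Linux-PAM combines `auth` lines.
# Only the classic control keywords required/requisite/sufficient are modelled.
from itertools import product

OTP, PW = "pam_google_authenticator.so", "pam_unix.so"

def evaluate(stack, results):
    """stack: [(control, module)] in file order; results: module -> bool."""
    required_failed = False
    any_success = False
    for control, module in stack:
        ok = results[module]
        if control == "sufficient":
            if ok and not required_failed:
                return True          # stack stops here, later modules never run
            continue                 # a failed `sufficient` module is ignored
        if control not in ("required", "requisite"):
            raise ValueError(f"control not modelled: {control}")
        if ok:
            any_success = True
        elif control == "requisite":
            return False             # fail immediately
        else:
            required_failed = True   # keep running, but the stack will fail
    return any_success and not required_failed

def outcomes(stack):
    """Login result for every (code correct, password correct) combination."""
    return {(otp, pw): evaluate(stack, {OTP: otp, PW: pw})
            for otp, pw in product((True, False), repeat=2)}

# Assumed layouts: the OTP line sits above the password line, and pam_unix is
# modelled as `required` (Debian's real common-auth uses bracket syntax).
SUFFICIENT_STACK = [("sufficient", OTP), ("required", PW)]
REQUIRED_STACK = [("required", OTP), ("required", PW)]

if __name__ == "__main__":
    for name, stack in (("sufficient", SUFFICIENT_STACK), ("required", REQUIRED_STACK)):
        print(f"auth {name} {OTP}")
        for (otp, pw), ok in outcomes(stack).items():
            verdict = "allowed" if ok else "denied"
            print(f"  code ok={otp!s:5} password ok={pw!s:5} -> login {verdict}")
```

Under these assumptions the `sufficient` layout accepts either a correct code or a correct password on its own, while only the `required` layout demands both factors.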