Meidokon Wiki
Revision 1 as of 2011-10-09 19:02:53

Google Authenticator for PAM

Google Authenticator is pretty cool; it's like having one of those RSA SecurID tokens for two-factor auth.

I stumbled across this page, which describes integrating it with PAM for SSH; the backend code is freely available. http://guides.webbynode.com/articles/security/ubuntu-google-authenticator.html

It's not packaged or anything, but it's trivial to compile and put in the right place on a standard Linux system. Their guide is very good, and inexperienced sysadmins can probably stumble through it without any specific knowledge.

Experience

There are a couple of tiny things I'd change. Also worthy of note is that I haven't got it to work properly yet. >_>

But I can tell it's really close!

Symptoms:

  • When I first tried, it kept insisting that I wasn't providing a verification code (/var/log/auth.log)

  • I messed around some more, kept recompiling, and eventually stopped even getting error messages -_-
  • Gave up at this point, need to revisit

Changes

Things I'd do differently.

  • Install it manually (I'm on Debian Squeeze x64)
    • make all instead of make install

    • Use install instead of tar and... wtf is this!?

      install -m 755 -g root google-authenticator /usr/local/bin/google-authenticator
      install -m 644 pam_google_authenticator_testing.so /lib/security/pam_google_authenticator.so
  • Integration with PAM
    • Put it in /etc/pam.d/sshd instead of /etc/pam.d/common-auth (can FTP deal with this? will it just skip the challenge-response thing? I dunno)

    • You could, if you want, use this instead of a password (rather than in addition to one). You do this by making the module sufficient rather than a requirement alongside the password (pam_unix)

      auth    sufficient            pam_google_authenticator.so   echo-verification-code
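
What the sufficient flag does to a stack, as an added example (not from the original page or the module's project): a simplified evaluator for PAM's four basic control keywords, run over two constructed auth stacks. The pam_unix.so lines, the stack contents and all function names are assumptions; bracketed controls such as Debian's common-auth uses are not modelled.

```python
from itertools import product

# Constructed stacks: only the 'sufficient' line is from the page, the rest is assumed.
EITHER = """
auth    sufficient            pam_google_authenticator.so   echo-verification-code
auth    required              pam_unix.so
"""
BOTH = """
auth    required              pam_google_authenticator.so   echo-verification-code
auth    required              pam_unix.so
"""

def parse_auth(stack_text):
    """Return [(control, module)] for each 'auth' line, ignoring comments and args."""
    entries = []
    for line in stack_text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 3 and fields[0] == "auth":
            entries.append((fields[1], fields[2]))
    return entries

def authenticate(stack_text, outcomes):
    """Evaluate the stack; outcomes maps module name -> True (success) / False."""
    failed = positive = False
    for control, module in parse_auth(stack_text):
        ok = outcomes[module]
        if control == "sufficient":
            if ok and not failed:
                return True          # success ends the stack; a failure is ignored
        elif control in ("required", "requisite"):
            if ok:
                positive = True
            else:
                failed = True
                if control == "requisite":
                    return False     # requisite failure aborts at once
        elif control == "optional":
            positive = positive or ok
        else:
            raise ValueError(f"unsupported control: {control}")
    return positive and not failed

def accepted(stack_text):
    """Set of (code_ok, password_ok) combinations that the stack lets in."""
    mods = ("pam_google_authenticator.so", "pam_unix.so")
    return {combo for combo in product((True, False), repeat=2)
            if authenticate(stack_text, dict(zip(mods, combo)))}

if __name__ == "__main__":
    print("sufficient:", sorted(accepted(EITHER)), "| required:", sorted(accepted(BOTH)))
```

In the sufficient stack a correct code alone or a correct password alone is accepted, so the login is single-factor; only the required/required stack demands both.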

The per-user config thing works just fine.
