Google Authenticator PAM - SynoCommunity/spksrc GitHub Wiki

Introduction

This package installs google-authenticator-libpam, the Google Authenticator module for PAM, on your Synology. It lets any service that authenticates through PAM, such as ssh, prompt for a TOTP (Time-based One-Time Password) in addition to the usual credentials.

Installing the package on its own changes nothing: it only provides the .so file, and you have to reference that module yourself from the PAM configuration of each service that should prompt for a code.

Setup for SSH

See other guides (e.g. this one) for a more in-depth walkthrough of configuring google-authenticator on a server.

The setup below covers the scenario where an ssh login with a password requires a TOTP, while an ssh login with public-key authentication does not (public-key logins never run the PAM auth stack, so the module is not consulted for them). This suits my own use: I always use a public key to reach my server, but occasionally I also want to log in with a password from someone else's machine, and with google-authenticator every password login then also prompts for a TOTP.

Edit /etc/ssh/sshd_config

Use your preferred editor to edit /etc/ssh/sshd_config (requires sudo) and make sure the following options are set. sshd uses the first value it sees for each keyword, so check that no earlier line (or a `Match` block) already sets a conflicting value instead of just appending these at the end. Restart the SSH service afterwards, and keep an existing session open while you test so that a mistake cannot lock you out.

$ sudo vim /etc/ssh/sshd_config
# the following is for ssh-ing with a password
PasswordAuthentication yes
PermitEmptyPasswords no

# the following is needed so sshd hands the login to PAM's challenge-response
# (keyboard-interactive) flow, which is where the verification code is prompted;
# OpenSSH 8.7 and later call this option KbdInteractiveAuthentication and still
# accept the old name as an alias
ChallengeResponseAuthentication yes

# the following has probably already been set
UsePAM yes

# for good measure, never permit root login
PermitRootLogin no
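To confirm that sshd will actually hand password logins to PAM's challenge-response flow, here is an added example (not code from the spksrc project or from Synology) that resolves an sshd_config the way sshd does: the first value seen for a keyword wins and anything after a `Match` line is conditional, so the global check stops there. `check_sshd_config` returns the settings that differ from the ones above; the two sample configs, the function names and the wording of the reported problems are constructed for this example.

```python
"""Check an sshd_config for the settings needed for PAM-based TOTP prompts.

Added example, not code from spksrc or Synology. Mirrors two sshd parsing
rules: the FIRST value for a keyword wins (later duplicates are ignored),
and keywords after a `Match` line only apply conditionally.
"""
import re

# Settings the page asks for and the value each must have (keys lower-cased).
# KbdInteractiveAuthentication is the OpenSSH 8.7+ name of
# ChallengeResponseAuthentication; either spelling satisfies the check.
REQUIRED = {
    "passwordauthentication": "yes",
    "permitemptypasswords": "no",
    "kbdinteractiveauthentication": "yes",
    "usepam": "yes",
    "permitrootlogin": "no",
}
ALIASES = {"challengeresponseauthentication": "kbdinteractiveauthentication"}


def parse_sshd_config(text):
    """Return {keyword: value} for the global section, first value wins."""
    effective = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)  # "Key value" or "Key=value"
        key = parts[0].lower()
        value = parts[1].strip().lower() if len(parts) > 1 else ""
        if key == "match":
            break  # everything after a Match block is conditional, not global
        key = ALIASES.get(key, key)
        effective.setdefault(key, value)  # first occurrence wins, as in sshd
    return effective


def check_sshd_config(text):
    """Return a sorted list of problems; an empty list means all settings match."""
    cfg = parse_sshd_config(text)
    problems = []
    for key, want in REQUIRED.items():
        got = cfg.get(key)
        if got is None:
            problems.append(f"{key}: not set (sshd default applies)")
        elif got != want:
            problems.append(f"{key}: is {got!r}, want {want!r}")
    return sorted(problems)


# Constructed sample: the value appended at the bottom is silently ignored by
# sshd because an earlier line already set the keyword, so no code is prompted.
WEAK_CONFIG = """\
PasswordAuthentication yes
ChallengeResponseAuthentication no
PermitEmptyPasswords no
UsePAM yes
PermitRootLogin no
# appended later, but the first value above wins
ChallengeResponseAuthentication yes
"""

# Constructed sample using the newer option name; resolves exactly as intended.
GOOD_CONFIG = """\
PasswordAuthentication yes
PermitEmptyPasswords no
KbdInteractiveAuthentication yes
UsePAM yes
PermitRootLogin no
Match User backup
    PasswordAuthentication no
"""

if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONFIG), ("good", GOOD_CONFIG)):
        print(name, check_sshd_config(text) or "OK")
```

Run it against the real file with `check_sshd_config(open("/etc/ssh/sshd_config").read())`; a reported `kbdinteractiveauthentication` problem is the usual reason the verification code prompt never appears even though the PAM line is in place.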

Edit /etc/pam.d/sshd

$ sudo vim /etc/pam.d/sshd
  ...
  auth    requisite                     pam_syno_ipblocklist.so
+ auth    required /var/packages/google-authenticator-libpam/target/lib/security/pam_google_authenticator.so nullok
  auth    [success=3 default=ignore]    pam_unix.so
  auth    [success=2 default=ignore]    pam_winbind.so use_first_pass
  auth    [success=1 default=ignore]    pam_ldap.so
  auth    [default=die]                 pam_syno_log_fail.so [SSH]
  auth    [default=done]                pam_syno_log_success.so [SSH] log=no
  account [success=3 default=ignore]    pam_unix.so
  ...
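Review bot: `nullok` on the added line means any account that has no ~/.google_authenticator file is let in with just its password, so until every ssh-capable user has run the generator the second factor is optional rather than enforced; drop `nullok` once enrolment is complete, after which a user without a secret file fails the auth stack. Placing the module before pam_unix.so as `required` is sound: the code is prompted first and a wrong code still runs the rest of the stack before the login fails, which is why the Result section shows the code prompt before the password prompt. Double-check the absolute path of the .so, because if PAM cannot load the module every password login fails, so keep a working session open while testing.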

Generate config for Google authenticator

Use the packaged binary to generate the config for google-authenticator. Run it as the user who will log in over ssh, because the module looks for the secret file in that user's home directory:

$ sc-google-authenticator

Do you want authentication tokens to be time-based (y/n) y
Warning: pasting the following URL into your browser exposes the OTP secret to Google:
  https://www.google.com/chart?chs=200x200&chld=M|0&cht=qr&chl=otpauth://totp/soraxas@hostname%3Fsecret%XXXXXXXXXXXXXXXX
...
$ cat ~/.google_authenticator
XXXXXXXXXXXXXXXXXXX
" RATE_LIMIT X XX XXXXXXXXX XXXXXXXXX
" WINDOW_SIZE XX
" DISALLOW_REUSE XXXXXXX
" TOTP_AUTH
XXXXXXXX
XXXXXXXX
XXXXXXXX
XXXXXXXX
XXXXXXXX

Make sure that the file is accessible only to its owner, i.e. mode 0600 (or 0400); the module refuses to read a secret file that group or others can access, and the verification code prompt then fails. For example:

sudo chmod 600 ~/.google_authenticator
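What the module does with this file, as an added example that is not google-authenticator-libpam's own code: it parses the secret file layout shown above (secret on the first line, `" ` option lines, then one-time scratch codes), computes TOTP codes per RFC 4226/6238, and accepts a code if it falls inside WINDOW_SIZE or matches an unused scratch code. The window loop follows the centred window of the PAM module as I read its source (an assumption; the default of 3 covers the previous, current and next 30-second step). The embedded sample file uses the RFC 6238 test secret, not a real one, and `verify`, `secret_file_mode_ok` and the other names are this example's, not the module's.

```python
"""Parse a ~/.google_authenticator file and verify TOTP codes against it.

Added example, not code from google-authenticator-libpam or spksrc.
"""
import base64
import hashlib
import hmac
import struct
import time

STEP = 30    # TOTP time step in seconds
DIGITS = 6   # digits shown by the authenticator app


def parse_google_authenticator(text):
    """Split the secret file into its secret, options and scratch codes."""
    lines = [l.strip() for l in text.splitlines() if l.strip()]
    cfg = {"secret": lines[0], "options": {}, "scratch_codes": []}
    for line in lines[1:]:
        if line.startswith('"'):
            parts = line[1:].split()               # e.g. RATE_LIMIT 3 30
            cfg["options"][parts[0]] = parts[1:]
        elif line.isdigit():
            cfg["scratch_codes"].append(line)      # 8-digit emergency codes
    return cfg


def hotp(secret_b32, counter, digits=DIGITS):
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte counter, then dynamic truncation."""
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)  # file stores it unpadded
    key = base64.b32decode(padded)
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret_b32, now=None):
    """RFC 6238 TOTP for the given Unix time (default: current time)."""
    now = time.time() if now is None else now
    return hotp(secret_b32, int(now) // STEP)


def verify(cfg, code, now=None):
    """Accept a code inside WINDOW_SIZE, or an unused scratch code.

    Returns (ok, kind) with kind 'totp', 'scratch' or None. A used scratch
    code is removed from cfg, as the module strikes it from the file.
    """
    now = time.time() if now is None else now
    window = int(cfg["options"].get("WINDOW_SIZE", ["3"])[0])
    current = int(now) // STEP
    # Assumed to match the module: try steps -((w-1)//2) .. +(w//2) around now.
    for i in range(-((window - 1) // 2), window // 2 + 1):
        step = current + i
        if step < 0:
            continue
        if hmac.compare_digest(hotp(cfg["secret"], step), code):
            return True, "totp"
    if code in cfg["scratch_codes"]:
        cfg["scratch_codes"].remove(code)
        return True, "scratch"
    return False, None


def secret_file_mode_ok(mode):
    """True if the file mode grants nothing to group or others (0600 or 0400)."""
    return (mode & 0o077) == 0


# Constructed sample in the layout shown above; the secret is the RFC 6238
# test key "12345678901234567890" in base32, NOT a real enrolment.
SAMPLE = """GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ
" RATE_LIMIT 3 30
" WINDOW_SIZE 17
" DISALLOW_REUSE
" TOTP_AUTH
12345678
87654321
"""

if __name__ == "__main__":
    cfg = parse_google_authenticator(SAMPLE)
    print("current code:", totp(cfg["secret"]))
    print("RFC 6238 vector at t=59:", totp(cfg["secret"], 59))
```

Running `totp(cfg["secret"])` on the NAS and comparing it with the phone app is a quick way to confirm that the secret enrolled in the app is the one the module will check; a mismatch usually means the QR code was scanned before the file was regenerated, or the NAS clock is off, since TOTP is only as good as the time on both sides.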

Note: some NAS models already ship their own google-authenticator binary on the system path, which is probably how Synology implements its own 2FA solution. However, it was found to generate invalid base64 encoded secrets (not usable in common Android 2FA apps); see #4852 for details. The version this package provides is therefore symlinked as sc-google-authenticator to avoid the name conflict.

Result

The result is that any ssh login to the server that does not use public-key auth will also require a verification code from your app:

$ ssh synology
(foo@synology) Verification code: 
(foo@synology) Password: 
foo@synology ~ $