Google Authenticator PAM - SynoCommunity/spksrc GitHub Wiki
Introduction
This package installs the Google Authenticator PAM module (google-authenticator-libpam). It lets you require a TOTP (Time-based One-Time Password) when signing in to services on your Synology, such as ssh.
Installing this package alone has no effect: you must manually reference the installed .so file from the PAM configuration of each service that should use it.
Setup for SSH
See other guides, e.g., this, for a more in-depth explanation of how to configure google-authenticator on a server.
The following setup is for the scenario where ssh with a password requires a TOTP, while ssh with public-key auth does not. This suits me because I always use a public key to access my server, but occasionally I also want to access my NAS from someone else's machine with a password. With google-authenticator, any login attempt with a password will additionally prompt for a TOTP.
Edit /etc/ssh/sshd_config
Use your preferred editor to edit the /etc/ssh/sshd_config file (requires sudo):
$ sudo vim /etc/ssh/sshd_config
# the following is for ssh-ing with password
PasswordAuthentication yes
PermitEmptyPasswords no
# the following is needed for using challenge-response authentication
ChallengeResponseAuthentication yes
# the following has probably already been set
UsePAM yes
# for good measure, never permit root login
PermitRootLogin no
Edit /etc/pam.d/sshd
Add the line marked + directly after pam_syno_ipblocklist.so, so that the TOTP check runs before the password modules. The nullok option lets a user who has not yet created a ~/.google_authenticator file log in without a code; remove it once every password user is enrolled, otherwise an unenrolled account is protected by its password alone.
$ sudo vim /etc/pam.d/sshd
...
auth requisite pam_syno_ipblocklist.so
+ auth required /var/packages/google-authenticator-libpam/target/lib/security/pam_google_authenticator.so nullok
auth [success=3 default=ignore] pam_unix.so
auth [success=2 default=ignore] pam_winbind.so use_first_pass
auth [success=1 default=ignore] pam_ldap.so
auth [default=die] pam_syno_log_fail.so [SSH]
auth [default=done] pam_syno_log_success.so [SSH] log=no
account [success=3 default=ignore] pam_unix.so
...
Generate config for Google authenticator
Use the packaged binary to generate the config for google-authenticator:
$ sc-google-authenticator
Do you want authentication tokens to be time-based (y/n) y
Warning: pasting the following URL into your browser exposes the OTP secret to Google:
https://www.google.com/chart?chs=200x200&chld=M|0&cht=qr&chl=otpauth://totp/soraxas@hostname%3Fsecret%XXXXXXXXXXXXXXXX
...
$ cat ~/.google_authenticator
XXXXXXXXXXXXXXXXXXX
" RATE_LIMIT X XX XXXXXXXXX XXXXXXXXX
" WINDOW_SIZE XX
" DISALLOW_REUSE XXXXXXX
" TOTP_AUTH
XXXXXXXX
XXXXXXXX
XXXXXXXX
XXXXXXXX
XXXXXXXX
Make sure the file is no more permissive than 600 (the module refuses to use a secret file that other users can read), e.g.
sudo chmod 600 ~/.google_authenticator
Note: some NAS models already ship their own google-authenticator binary in the system path, which is likely how Synology implements its customised 2FA solution. However, that binary was found to generate invalid base64-encoded secrets (not usable with common Android 2FA apps); see #4852 for details. Therefore the version provided by this package is symlinked as sc-google-authenticator instead, to avoid a name conflict.
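As an added example (not part of this package or the PAM module), the following Python script parses a constructed ~/.google_authenticator file in the format shown above, checks that the secret decodes as the base32 a 2FA app expects (the kind of check that would have caught the invalid secrets described in the note), and verifies a code against a WINDOW_SIZE window of codes centred on the current time step. It assumes the module's default 30-second step and 6-digit codes; the sample secret is the public RFC 6238 test key, not a real user's secret.

```python
import base64
import hashlib
import hmac
import struct

# Constructed sample in the ~/.google_authenticator format; the secret is the RFC 6238 test key.
SAMPLE = """GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ
" RATE_LIMIT 3 30
" WINDOW_SIZE 3
" DISALLOW_REUSE
" TOTP_AUTH
12345678
87654321
"""

STEP_SECONDS = 30  # assumption: the module's default time step
DIGITS = 6         # assumption: the module's default code length

def parse_config(text):
    """Split the file into the base32 secret, the '" OPTION args' lines and the scratch codes."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    secret, options, scratch = lines[0], {}, []
    for ln in lines[1:]:
        if ln.startswith('" '):
            name, *args = ln[2:].split()
            options[name] = args
        else:
            scratch.append(ln)  # 8-digit emergency scratch codes
    return {"secret": secret, "options": options, "scratch_codes": scratch}

def decode_secret(secret):
    """Raw key from the base32 secret; a non-base32 secret (the #4852 symptom) raises ValueError."""
    return base64.b32decode(secret, casefold=True)

def hotp(key, counter, digits=DIGITS):
    """RFC 4226: HMAC-SHA1 over the big-endian counter, dynamic truncation, zero-padded digits."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def verify_code(cfg, code, now):
    """Accept `code` if it matches any of WINDOW_SIZE steps centred on the step containing `now`."""
    key = decode_secret(cfg["secret"])
    window = int(cfg["options"].get("WINDOW_SIZE", ["3"])[0])
    current = int(now) // STEP_SECONDS
    lo, hi = current - (window - 1) // 2, current + window // 2
    return any(hmac.compare_digest(hotp(key, c), code) for c in range(lo, hi + 1))
```

With WINDOW_SIZE 3 the module accepts the previous, current and next code, so a small clock skew between the NAS and the phone still works; a larger window widens what an attacker who sees one code can replay.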
Result
The result is that any ssh login to the server without public-key auth also requires a verification code from your app:
$ ssh synology
(foo@synology) Verification code:
(foo@synology) Password:
foo@synology ~ $