Centos 6.6 Minimal & Google Authenticator - rharmonson/richtech GitHub Wiki

CentOS 6.6 Minimal & Google Authenticator


An updated version of this article (October 2017), using the open source FreeIPA project (the upstream of Red Hat Identity Manager, IdM) instead of Microsoft Active Directory, is available at the URL below.

https://rharmonson.github.io/2factorcos7.html


Google Authenticator provides a reasonably effective and free second factor: a time-based one-time password (TOTP, RFC 6238) generated by the phone app and checked on the server by a PAM module. The purpose of this document is to provide brief and concise installation instructions for Google Authenticator, user setup, and a demonstration using PAM and SSHD to test functionality.

Prerequisites

  1. Access to the Internet
  2. Complete installation and update of CentOS 6.6 Minimal using the guide found here: https://github.com/rharmonson/richtech/wiki/CentOS-6.5-Minimal-x86_64-Base-Installation-Guide
  3. The guide above provides instructions for configuring the EPEL repository, however, if you skipped it, use this guide here: https://github.com/rharmonson/richtech/wiki/EPEL-Repository-on-CentOS-6.5

Installation

Fortunately, the EPEL repository has a "google-authenticator" package, which provides both the setup tool and the PAM module (pam_google_authenticator.so).

# yum install google-authenticator

Results

================================================================================
 Package               Arch    Version                              Repository
                                                                           Size
================================================================================
Installing:
 google-authenticator  x86_64  0-0.3.20110830.hgd525a9bab875.el6    epel   26 k

Transaction Summary
================================================================================
Install       1 Package(s)

Total download size: 26 k
Installed size: 51 k
Is this ok [y/N]:

User Setup

Select a user account to set up, then use su to switch to that user and run the setup tool. The secret and options are written to that user's "~/.google_authenticator", so run it as the user, not as root.

  1. # su richard
  2. $ google-authenticator

Results,

https://www.google.com/chart?chs=200x200&chld=M|0&cht=qr&chl=otpauth://totp/2FACTOR\richardd%3Fsecret%3D56PQ52O2V22YEPL2
Your new secret key is: 56PQ52O2V22YEPL1
Your verification code is 016538
Your emergency scratch codes are:
  73450538
  55189466
  31032722
  53503218
  43775365

Do you want me to update your "~/.google_authenticator" file (y/n) y

Do you want to disallow multiple uses of the same authentication
token? This restricts you to one login about every 30s, but it increases
your chances to notice or even prevent man-in-the-middle attacks (y/n) y

By default, tokens are good for 30 seconds and in order to compensate for
possible time-skew between the client and the server, we allow an extra
token before and after the current time. If you experience problems with poor
time synchronization, you can increase the window from its default
size of 1:30min to about 4min. Do you want to do so (y/n) y

If the computer that you are logging into isn't hardened against brute-force
login attempts, you can enable rate-limiting for the authentication module.
By default, this limits attackers to no more than 3 login attempts every 30s.
Do you want to enable rate-limiting (y/n) y

Note that I responded with "y" to all queries. Review each item, research it, and select the response best for your implementation. Treat the secret key and the emergency scratch codes like a password: the scratch codes are single-use fallbacks for when the phone is unavailable, and each is removed from "~/.google_authenticator" once consumed.
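The prompts above map directly to options the setup tool stores in "~/.google_authenticator". The following is an added example, not code from this page or from the google-authenticator project: a small Python verifier that reads that file layout (secret, option lines, scratch codes; this layout is an assumption about the 2011-era tool), generates RFC 6238 codes, and applies the window, reuse and rate-limit settings the way the prompts describe them. The sample file content is constructed from the values printed above, using the secret from the QR URL (the two copies on the page differ in the last character, and "1" is outside the base32 alphabet).

```python
"""Added example: TOTP verifier mirroring the ~/.google_authenticator options.
Standard library only. Not the pam_google_authenticator.so source."""
import base64
import hashlib
import hmac
import struct
import time

STEP = 30      # seconds per TOTP time step (RFC 6238 default)
DIGITS = 6     # code length shown by the Authenticator app

# Constructed sample in the assumed file layout: secret, '" ' option lines,
# then one eight-digit scratch code per line. Values taken from this page.
SAMPLE_FILE = """56PQ52O2V22YEPL2
" RATE_LIMIT 3 30
" WINDOW_SIZE 17
" DISALLOW_REUSE
" TOTP_AUTH
73450538
55189466
31032722
53503218
43775365
"""


def hotp(key, counter, digits=DIGITS):
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(key, now, step=STEP):
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step)."""
    return hotp(key, int(now) // step)


def decode_secret(b32):
    """The setup tool prints an unpadded base32 secret; re-pad before decoding."""
    b32 = b32.strip().upper()
    return base64.b32decode(b32 + "=" * (-len(b32) % 8))


def parse_state(text):
    """Split the file into (secret, {option: args}, [scratch codes])."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    secret, options, scratch = lines[0], {}, []
    for line in lines[1:]:
        if line.startswith('" '):
            parts = line[2:].split()
            options[parts[0]] = parts[1:]
        else:
            scratch.append(line)
    return secret, options, scratch


class Verifier:
    def __init__(self, text):
        secret, self.options, self.scratch = parse_state(text)
        self.key = decode_secret(secret)
        # WINDOW_SIZE N accepts N consecutive codes centred on the current step:
        # 3 = one step either side (the 1:30 min default), 17 = eight either side (~4 min).
        self.window = int(self.options.get("WINDOW_SIZE", ["3"])[0])
        self.disallow_reuse = "DISALLOW_REUSE" in self.options
        rl = self.options.get("RATE_LIMIT")
        self.rate_attempts, self.rate_seconds = (int(rl[0]), int(rl[1])) if rl else (None, None)
        self.used_steps = set()   # steps already consumed when DISALLOW_REUSE is set
        self.attempts = []        # timestamps of recent attempts, for RATE_LIMIT

    def verify(self, code, now):
        """True if code is a TOTP inside the window or an unused scratch code."""
        code = code.strip()
        if self.rate_attempts is not None:
            # RATE_LIMIT A S: no more than A attempts in any trailing S seconds.
            self.attempts = [t for t in self.attempts if now - t < self.rate_seconds]
            if len(self.attempts) >= self.rate_attempts:
                return False
            self.attempts.append(now)
        if len(code) == 8 and code in self.scratch:
            self.scratch.remove(code)     # scratch codes are single use
            return True
        step = int(now) // STEP
        half = self.window // 2
        for candidate in range(step - half, step + half + 1):
            if hmac.compare_digest(hotp(self.key, candidate), code):
                if self.disallow_reuse and candidate in self.used_steps:
                    return False          # same token presented twice
                self.used_steps.add(candidate)
                return True
        return False


if __name__ == "__main__":
    key = decode_secret(parse_state(SAMPLE_FILE)[0])
    print("current code for the sample secret:", totp(key, time.time()))
```

Run as a script it prints the code the app would show right now for the sample secret; the Verifier class is what a PAM-style check does with one submitted code, including why a second login inside the same 30-second step is refused when reuse is disallowed.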

PAM & SSHD

To demonstrate that Google Authenticator is functioning as expected, I will use PAM and SSHD.

PAM

Update the "sshd" PAM file and add "auth required pam_google_authenticator.so". Order matters: placing it before the "password-auth" include means the verification code is requested before the password, which is the prompt order shown in the login below.

# vi /etc/pam.d/sshd

Results using # cat /etc/pam.d/sshd

#%PAM-1.0
auth       required     pam_sepermit.so
auth       required     pam_google_authenticator.so
auth       include      password-auth
account    required     pam_nologin.so
account    include      password-auth
password   include      password-auth
# pam_selinux.so close should be the first session rule
session    required     pam_selinux.so close
session    required     pam_loginuid.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session    required     pam_selinux.so open env_params
session    optional     pam_keyinit.so force revoke
session    include      password-auth
session    sufficient   pam_lsass.so

SSHD

Update "sshd_config" so that "ChallengeResponseAuthentication" is set to "yes"; the PAM module prompts through keyboard-interactive authentication, which this setting enables. Note the limits of this setup on CentOS 6 (OpenSSH 5.3): a successful public-key login skips the PAM auth stack entirely, so the verification code is only enforced for keyboard-interactive logins, and the "AuthenticationMethods" option that would require key plus code is not available in that release.

# vi /etc/ssh/sshd_config

Results using # cat /etc/ssh/sshd_config

...

# Change to no to disable s/key passwords
ChallengeResponseAuthentication yes

...

Restart SSHD

# service sshd restart
Stopping sshd:                                             [  OK  ]
Starting sshd:                                             [  OK  ]

Login Process using Google Authenticator and SSH

Using another Linux host or PuTTY, connect over SSH:

  1. Enter the user name; richard
  2. At the "Verification code:" prompt, enter either the six-digit code from the Authenticator app or one of the eight-digit emergency scratch codes; here the first scratch code, 73450538. A scratch code works once and is removed from "~/.google_authenticator" when used.
  3. Enter the user account's password

Results

login as: richard
Using keyboard-interactive authentication.
Verification code:
Using keyboard-interactive authentication.
Password:
-sh-4.1$

Done!