google-authenticator-libpam | Example PAM module demonstrating two-factor authentication | Authentication library
kandi X-RAY | google-authenticator-libpam Summary
Example PAM module demonstrating two-factor authentication for logging into servers via SSH, OpenVPN, etc. This project is not about logging in to Google, Facebook, or other TOTP/HOTP second-factor systems, even if they recommend using the Google Authenticator apps.
Community Discussions
QUESTION
I am a newbie to FreeRADIUS, so my knowledge is not in-depth. I am trying to configure a central RADIUS server to handle any network-based systems (switches, routers, firewalls, & VPN) to authenticate end-users when they are trying to SSH and/or VPN into the system. All of my equipment supports RADIUS.
Environment:
- OS = CentOS 7
- FreeRadius = 3.0.13
- google-authenticator-libpam = 1.09
- I did not post my config files as they are exactly covered by the reference link. I will post them in a follow-up post for ease of reading.
Reference: I followed this page to get the majority of the system operational (SSLVPN Two-Factor Authentication with Google Authenticator).
What is working:
- Using radtest, I can authenticate an AD-based user with their AD password+OTP.
- Was able to get a network switch to authenticate and the Access-Accept reply message to include a custom VSA for the user group (used unlang within the post-auth area based only on the User-Name). Not ideal, but just for testing the concept.
Next Steps (the question): I want to be able to ultimately decide if the end-user is granted access to VPN or switch via AD security groups. So from my understanding, I could perform this within the auth module or the post-auth. I believe the correct place would be in the post-auth, possibly using unlang (but correct me if this is not the general area to do this). I don't know how/where I need to perform the LDAP lookup to get the User-Name's AD security group info. In theory, once I have the user's name & group info, these can be used in multiple filters to declare if they get access to a group of systems. Thanks
ANSWER
Answered 2020-Jul-09 at 01:17
So I figured out how to accomplish what I was trying to do.
1. Configure /etc/raddb/clients.conf: add the option virtual_server = custom_vs01 under each client.
2. Duplicate (copy, do not rename) /etc/raddb/sites-available/default to /etc/raddb/sites-available/custom_vs01.
3. Edit custom_vs01. Change the server block to match the file. orig: server default { new: server custom_vs01 {
4. Change the port for the AUTH and ACCT to an actual port (e.g. 511812 & 511813).
5. In the post-auth section, add unlang to look for the LDAP group. So basically, if the authenticated user is not part of either of the AD groups, then we update the control and reject them from access.
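The answer's own configuration was not reproduced on this page. What follows is an added example, not the poster's files, showing the shape of the client entry and the virtual server the steps above describe. The client address, shared secret, listen ports and the two group DNs are placeholders; the group check assumes rlm_ldap is configured under its default instance name ldap with a working group-membership lookup against AD, and that you compare by group DN (rlm_ldap also accepts the bare group name, depending on its group settings). Instead of updating the control list, this version uses unlang's reject in post-auth, which runs the Post-Auth-Type REJECT section and returns an Access-Reject.

```unlang
# /etc/raddb/clients.conf  (constructed example)
client core-switch-01 {
    ipaddr         = 192.0.2.10          # placeholder NAS address
    secret         = CHANGE_ME           # placeholder shared secret
    virtual_server = custom_vs01         # route this client's packets to our server
}

# /etc/raddb/sites-available/custom_vs01  (copy of "default"; only changed parts shown)
server custom_vs01 {
    # If the default server still listens on 1812/1813, these listeners need
    # their own ports.  Alternatively delete the listen blocks entirely: the
    # client's virtual_server setting already steers its traffic here.
    listen {
        type   = auth
        ipaddr = *
        port   = 18120                    # assumed free port, must be <= 65535
    }
    listen {
        type   = acct
        ipaddr = *
        port   = 18130                    # assumed free port, must be <= 65535
    }

    # ... authorize / authenticate sections unchanged from "default" ...

    post-auth {
        # LDAP-Group is the comparison attribute registered by rlm_ldap ("ldap").
        # Evaluating it triggers the AD group lookup for the authenticated user.
        if (!(LDAP-Group == "CN=net-admins,OU=Groups,DC=example,DC=com") && !(LDAP-Group == "CN=vpn-users,OU=Groups,DC=example,DC=com")) {
            update reply {
                Reply-Message := "User is not a member of an authorised group"
            }
            reject
        }

        # Members of the admin group get the vendor-specific attribute the
        # switch uses for its privilege level (VSA name is a placeholder).
        if (LDAP-Group == "CN=net-admins,OU=Groups,DC=example,DC=com") {
            update reply {
                Vendor-Example-Privilege := "15"
            }
        }

        # ... rest of the original post-auth section ...
    }
}
```

Keep the rejection in post-auth only as the last line of defence: an attribute that never reaches the reply is the goal, but the RADIUS exchange has already verified the password and OTP by this point, so denied users still exercise the full authentication path. Test with radtest against the new port before pointing real equipment at it.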
QUESTION
I installed Google two-factor authentication on my Linux server (thanks to: https://github.com/google/google-authenticator-libpam). When I try to access the root account via ssh, the authenticator works fine.
ANSWER
Answered 2019-Jul-12 at 10:25
This is the default way this works. Since you are using the google-authenticator-libpam module you are only adding two-factor authentication to the actual external interface login via the addition of auth required pam_google_authenticator.so to the sshd config file.
The proper security implementation (or at least one of the proper ways) is to not allow external login for the root user; going one step further and locking down ssh to only allow login from users who have two-factor authentication enabled is even better.
To do that you would add the following in your sshd config:
Community Discussions, Code Snippets contain sources that include Stack Exchange Network
Vulnerabilities
No vulnerabilities reported
Install google-authenticator-libpam
For highest security, make sure that both password and OTP are being requested even if password and/or OTP are incorrect. This means that at least the first of pam_unix.so (or whatever other module is used to verify passwords) and pam_google_authenticator.so should be set as required, not requisite. It probably can't hurt to have both be required, but it could depend on the rest of your PAM config. If you use HOTP (counter based as opposed to time based) then add the option no_increment_hotp to make sure the counter isn't incremented for failed attempts.
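The following configuration is an added example, not the project's own files and not the sshd configuration the second answer above left out. It puts two points from this page together: that answer's advice to refuse root logins over SSH and admit only users who have enrolled a second factor, and the ordering rule that pam_unix.so and pam_google_authenticator.so should both be required rather than requisite. The file layout is a Debian-style /etc/pam.d/sshd with the distribution's @include common-auth line replaced by an explicit pam_unix.so entry so the ordering is visible; adapt it to your distribution.

```conf
# /etc/pam.d/sshd  (constructed example)

# Weak ordering: "requisite" returns as soon as the password check fails, so
# the client is never asked for a code and learns that the password was wrong.
#   auth requisite pam_unix.so
#   auth required  pam_google_authenticator.so

# Corrected ordering: both modules always run and the combined failure is
# reported only after the OTP has been collected, whichever factor was wrong.
auth required pam_unix.so
auth required pam_google_authenticator.so no_increment_hotp
# no_increment_hotp keeps a failed attempt from advancing a counter-based
# (HOTP) user's counter; it has no effect on time-based (TOTP) users.
# Without the nullok option, a user who has no ~/.google_authenticator file
# fails here, which is what restricts SSH to users who have enrolled.

# /etc/ssh/sshd_config  (constructed example)
PermitRootLogin no
UsePAM yes
# OpenSSH 8.7+ name; on older releases use: ChallengeResponseAuthentication yes
KbdInteractiveAuthentication yes
PasswordAuthentication no
# Every login must complete the keyboard-interactive method, i.e. the PAM
# stack above (UNIX password followed by verification code).
AuthenticationMethods keyboard-interactive
```

Reload sshd with a second session already open and test a fresh login before closing it: a typo in either file locks everyone out, root included. If some accounts still need to log in without a second factor during rollout, list them in a Match block with a different AuthenticationMethods value rather than adding nullok to the PAM line for everyone.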
Run the google-authenticator binary to create a new secret key in your home directory. These settings will be stored in ~/.google_authenticator. If your system supports the "libqrencode" library, you will be shown a QR code that you can scan using the Android "Google Authenticator" application. If your system does not have this library, you can either follow the URL that google-authenticator outputs, or you have to manually enter the alphanumeric secret key into the Android "Google Authenticator" application. In either case, after you have added the key, click-and-hold until the context menu shows. Then check that the key's verification value matches (this feature might not be available in all builds of the Android application). Each time you log into your system, you will now be prompted for your TOTP code (time-based one-time password) or HOTP code (counter-based), depending on the options given to google-authenticator, after having entered your normal user id and your normal UNIX account password.
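To make the TOTP/HOTP distinction and the no_increment_hotp point concrete, here is an added Python example; it is not the module's code and it models only the verification logic, not the file format of ~/.google_authenticator or its rate limiting. The secret is the RFC 4226 test key in base32, labelled as constructed, so the codes can be checked against the published vectors. OtpVerifier is a hypothetical class: in HOTP mode it tries a window of counters ahead of the stored one and, like the module's default, advances the counter even on a miss unless increment_on_failure is switched off; in TOTP mode it accepts neighbouring time steps and refuses to accept the same step twice.

```python
import base64
import hashlib
import hmac
import struct
import time

# Constructed test secret: base32 of the RFC 4226 key "12345678901234567890".
# A real ~/.google_authenticator holds a random secret written by the
# google-authenticator binary; this one exists only to reproduce the RFC vectors.
DEMO_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def hotp(secret_b32: str, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    key = base64.b32decode(secret_b32.upper() + "=" * (-len(secret_b32) % 8))
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret_b32: str, now: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP with the counter replaced by the number of elapsed time steps."""
    return hotp(secret_b32, now // step, digits)


class OtpVerifier:
    """Simplified model (hypothetical, not the PAM module's code) of per-user OTP state.

    hotp_mode=False: time-based codes; `window` is the number of steps accepted on
        either side of the current one, and an accepted step cannot be reused.
    hotp_mode=True: counter-based codes; `window` is how many counters ahead of the
        stored one are tried.  `increment_on_failure=True` mirrors the module's
        default; the no_increment_hotp option corresponds to False.
    """

    def __init__(self, secret_b32, hotp_mode=False, window=1,
                 increment_on_failure=True, step=30):
        self.secret = secret_b32
        self.hotp_mode = hotp_mode
        self.window = window
        self.increment_on_failure = increment_on_failure
        self.step = step
        self.counter = 0          # HOTP: next expected counter value
        self.used_steps = set()   # TOTP: time steps whose code was already accepted

    def verify(self, code: str, now: int = None) -> bool:
        code = code.strip()
        if not (code.isascii() and code.isdigit() and len(code) == 6):
            return False          # reject malformed input before any comparison
        if self.hotp_mode:
            return self._verify_hotp(code)
        return self._verify_totp(code, int(time.time()) if now is None else now)

    def _verify_hotp(self, code: str) -> bool:
        for ahead in range(self.window):
            if hmac.compare_digest(hotp(self.secret, self.counter + ahead), code):
                self.counter += ahead + 1   # resynchronise past the accepted counter
                return True
        if self.increment_on_failure:
            self.counter += 1               # a miss also consumes a counter (module default)
        return False

    def _verify_totp(self, code: str, now: int) -> bool:
        current = now // self.step
        for delta in range(-self.window, self.window + 1):
            step_no = current + delta
            if step_no < 0:
                continue                    # no steps before the epoch; avoids a negative counter
            if hmac.compare_digest(hotp(self.secret, step_no), code):
                if step_no in self.used_steps:
                    return False            # replay of a code that was already accepted
                self.used_steps.add(step_no)
                return True
        return False


if __name__ == "__main__":
    print("HOTP(0)   =", hotp(DEMO_SECRET, 0))   # RFC 4226 vector: 755224
    print("TOTP(t=59)=", totp(DEMO_SECRET, 59))  # RFC 6238 vector, 6 digits: 287082
```

Running the HOTP verifier with the default behaviour shows why the option exists: after one mistyped code the stored counter has moved past the code the token will show next, so a run of failures (or a remote guesser) can desynchronise a legitimate user; with increment_on_failure off the counter only moves when a code is accepted. The TOTP path shows the other failure mode the module guards against, a code being replayed inside its validity window.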