One Time Password - CentOS 6.4 + SSH Howto - Part 1
This first release of the tutorial simply gathers the various steps and commands used to set up One Time Password authentication on a CentOS 6.4 host and configure SSH to use it. When I get more time, I may rewrite it as a more complete tutorial article.
The solution is based on:
Step one: make sure your host clock is synchronized
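Why this step matters, as an added illustration that is not part of the original tutorial or of the Google Authenticator code: with time-based codes (TOTP, RFC 6238) the server accepts a code only if its own clock falls within a small window of 30-second steps around the token's clock. The function names and the `window` default are assumptions made for this sketch; the secret is the published RFC 6238 test key.

```python
import hashlib
import hmac
import struct

STEP = 30  # seconds per time step (RFC 6238 default)
RFC_SECRET = b"12345678901234567890"  # RFC 6238 SHA-1 test key, not a real secret


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(time / STEP)."""
    return hotp(secret, unix_time // STEP, digits)


def verify(secret: bytes, code: str, server_time: int, window: int = 1) -> bool:
    """Accept the code if it matches any step within +/- window of the server clock."""
    current = server_time // STEP
    return any(
        hmac.compare_digest(hotp(secret, current + d, len(code)), code)
        for d in range(-window, window + 1)
    )


def max_tolerated_drift(secret: bytes, token_time: int, window: int = 1) -> int:
    """Largest server clock lag in seconds (searched up to 10 minutes)
    at which the code generated at token_time still verifies."""
    code = totp(secret, token_time)
    drift = 0
    while drift < 600 and verify(secret, code, token_time - (drift + 1), window):
        drift += 1
    return drift


if __name__ == "__main__":
    # Token 29 s into its step: a lagging server tolerates up to 59 s.
    print(max_tolerated_drift(RFC_SECRET, 1111111109))
    # Token at the very start of its step: only 30 s of lag is tolerated.
    print(max_tolerated_drift(RFC_SECRET, 1111111080))
```

The tolerated lag depends on where in the 30-second step the code was generated, so a host that drifts by about a minute will reject valid codes intermittently rather than consistently.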
Step two: install required build tools
Google Authenticator will display a QR code on your terminal if libqrencode can be found when you compile the source code. I quickly tried to compile it on my lab machine but did not succeed. I decided to focus on this tutorial and will come back to this problem later. If you want to try to compile it yourself, the source can be found on GitHub.
For now, the package available at RPMforge will do the trick!
Step three: get and build the PAM OTP module source code (Google Authenticator)
If you enabled SELinux on your host, you might want to change the location of the file containing the secret and other tunables in two C source files. The reason for this is that with SELinux activated, the PAM module will not be able to access the file containing the secret and thus won't let you in… One way to fix it is to relocate the file to the $HOME/.ssh/ directory and associate the file with the SSH SELinux security context.
Start with the file google-authenticator.c and search for the SECRET macro definition. In the version used at the time of writing, it can be found at line 38 and looks like this.
and change it to
The other file is pam_google_authenticator.c, where the SECRET macro definition is at line 58 (again, at the time of writing…) and looks like this.
Again, change it to the following.
The next steps are described in Part 2